Summary
| | |
|---|---|
| How it spreads | Instant messaging (MSN Instant Messenger and AOL Instant Messenger) |
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 26 October 2005 13:21:40 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Chode-J is a worm with IRC backdoor Trojan functionality.
W32/Chode-J attempts to spread via MSN Instant Messenger and AOL Instant Messenger, by sending users a link to a copy of the worm.
W32/Chode-J includes functionality to:
- carry out DDoS flooder attacks
- provide a proxy server
- silently download, install and run new software
- modify the HOSTS file
- disable other software, including anti-virus, firewall and security-related applications
- update itself
W32/Chode-J attempts to disable a number of anti-virus and security-related processes.
W32/Chode-J modifies the HOSTS file, changing the URL-to-IP mappings for selected websites.
When first run, W32/Chode-J copies itself to <System>\<random>\csrss.exe and also creates the shortcut csrss.lnk in the <Startup> folder.
The following registry entries are created:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
csrss
"<System>\<random>\csrss.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
csrss
"<Program Files>\<Messenger>\msmsgs.exe /background"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
csrss
"nwiz.exe /installquiet"
W32/Chode-J modifies a number of registry entries as follows:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
"<System>\<random>\csrss.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
DisableSR
1
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\srservice
Start
4
W32/Chode-J also inserts the following entries into the [Windows] section of <Windows>\win.ini:
run=<System>\<random>\csrss.exe
load=<System>\<random>\csrss.exe
W32/Chode-J modifies the HOSTS file, changing the URL-to-IP mappings for selected websites and thereby preventing normal access to these sites. The new HOSTS file will typically contain the following:
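As an added detection example (not part of the Sophos write-up), the following Python checks two of the indicators described above on saved copies of a host's HOSTS file and win.ini: hostnames other than localhost mapped to loopback, and a run=/load= entry that launches csrss.exe from a subdirectory of the system folder (the genuine csrss.exe lives directly in <System>). The sample file contents and the system32 path are constructed assumptions.

```python
import re
from typing import Dict, List
# Constructed sample HOSTS and win.ini contents (hypothetical infected host, not from a live system).
SAMPLE_HOSTS = """127.0.0.1       localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.sophos.com   # vendor site sinkholed to loopback
10.0.0.5  intranet.example.local
"""
SAMPLE_WIN_INI = """[windows]
run=C:\\WINDOWS\\system32\\4fj2k\\csrss.exe
load=C:\\WINDOWS\\system32\\4fj2k\\csrss.exe
"""
LOOPBACK = {"127.0.0.1", "::1"}
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def sinkholed_hosts(hosts_text: str) -> List[str]:
    """Hostnames the HOSTS file resolves to loopback, excluding localhost itself."""
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip in LOOPBACK:
            found.extend(n.lower() for n in names if n.lower() not in LEGIT_LOOPBACK_NAMES)
    return found

def win_ini_autostarts(ini_text: str) -> Dict[str, str]:
    """Non-empty run= / load= values under [windows]; both are legacy autostart hooks."""
    result, in_windows = {}, False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_windows = line[1:-1].lower() == "windows"
        elif in_windows and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in ("run", "load") and value:
                result[key.lower()] = value
    return result

def looks_like_chode_j(hosts_text: str, ini_text: str) -> bool:
    """The combination in the write-up: csrss.exe started from a subdirectory of the
    system folder (assumed to be system32 here) plus vendor sites sinkholed to loopback."""
    starts = win_ini_autostarts(ini_text)
    rogue_csrss = any(re.search(r"\\system32\\[^\\]+\\csrss\.exe$", v, re.I) for v in starts.values())
    return rogue_csrss and bool(sinkholed_hosts(hosts_text))

if __name__ == "__main__":
    print(looks_like_chode_j(SAMPLE_HOSTS, SAMPLE_WIN_INI), sinkholed_hosts(SAMPLE_HOSTS))
```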
W32/Chode-J attempts to disable the following processes and services (the sample also contains the command fragments net stop, sc config and start= disabled, which stop a service and set its start type to disabled):
MCAgentExe
navapsvc
ccEvtMgr
SNDSrvc
ccProxy
ccPwdSvc
ccSetMgr
SPBBCSvc
SAVScan
SBService
SmcService
OutpostFirewall
CAISafe
PcCtlCom
tmproxy
Tmntsrv
CleanUp
MCUpdateExe
VirusScan Online
VSOCheckTask
Symantec NetDriver Monitor
Outpost Firewall
gcasServ
pccguide.exe
KAVPersonal50
Zone Labs Client
services
mpftray.exe
microsoft antispyware*
hijackthis*
msconfig.exe
kav.exe
kavsvc.exe
mcvsshld.exe
mcagent.exe
mcvsrte.exe
mcshield.exe
mcvsftsn.exe
mcdash.exe
mcvsescn.exe
mcinfo.exe
mpfagent.exe
mpfservice.exe
mskagent.exe
mcmnhdlr.exe
sndsrvc.exe
usrprmpt.exe
ccapp.exe
ccevtmgr.exe
spbbcsvc.exe
ccsetmgr.exe
symlcsvc.exe
npfmntor.exe
navapsvc.exe
issvc.exe
ccproxy.exe
tmpfw.exe
navapw32.exe
navw32.exe
smc.exe
outpost.exe
zlclient.exe
vsmon.exe
isafe.exe
pandaavengine.exe
regedit.exe
hijackthis.exe
gcasdtserv.exe
gcasserv.exe
pcctlcom.exe
tmntsrv.exe
tmproxy.exe
pcclient.exe
ethereal.exe
wpe pro.exe
nat.exe
winsp3.exe
