Sophos

W32/Chode-M

Aliases
  • Backdoor.Win32.Landis.o
  • W32/Generic.worm!p2p
How it spreads
  • Chat programs
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from January 2006 (4.01)
Protection available since 13 November 2005 22:00:55 (GMT)
Detected by All Sophos products

More Information

W32/Chode-M is an IM worm with IRC backdoor functionality.

W32/Chode-M attempts to spread via MSN Instant Messenger and AOL Instant Messenger by sending users a link to a copy of the worm.

W32/Chode-M connects to a preconfigured IRC server and joins a specific channel in which it can receive further commands from a remote attacker.

When first run, W32/Chode-M copies itself to csrss.exe in a randomly named subfolder of the Windows system folder. The following registry entries are created so that csrss.exe is run at startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
load
<System>\<random>\csrss.exe

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
run
<System>\<random>\csrss.exe

W32/Chode-M also creates the file smss.exe in the same randomly named subfolder.

W32/Chode-M terminates the following security processes:

ccapp.exe
ccevtmgr.exe
ccproxy.exe
ccsetmgr.exe
ethereal.exe
ewidoctrl.exe
ewidoguard.exe
gcasdtserv.exe
gcasserv.exe
giantantispywaremain.exe
hijackthis.exe
isafe.exe
issvc.exe
kav.exe
kavsvc.exe
mcagent.exe
mcdash.exe
mcinfo.exe
mcmnhdlr.exe
mcshield.exe
mcvsescn.exe
mcvsftsn.exe
mcvsrte.exe
mcvsshld.exe
mpfagent.exe
mpfservice.exe
mpftray.exe
msconfig.exe
mskagent.exe
nat.exe
navapsvc.exe
navapw32.exe
navw32.exe
npfmntor.exe
outpost.exe
pandaavengine.exe
pcclient.exe
pcctlcom.exe
regedit.exe
securitysuite.exe
smc.exe
sndsrvc.exe
spbbcsvc.exe
symlcsvc.exe
tmntsrv.exe
tmpfw.exe
tmproxy.exe
usrprmpt.exe
vsmon.exe
winsp3.exe
wpe pro.exe
zlclient.exe

The worm adds entries to the Windows HOSTS file to redirect several anti-virus and security-related domain names to the loopback address (127.0.0.1).

W32/Chode-M creates the file <System>\netstat.com in order to prevent the user from running the system tool netstat.exe.
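A defender-side triage check for the three host artefacts described above (the HKCU load/run values, the HOSTS loopback entries and the netstat.com file), written here as an added Python example; it is not code from the Sophos page. The sample HOSTS text, the registry values and the folder name kqzx are constructed, the system folder path is assumed, and the netstat check relies on cmd.exe resolving PATHEXT extensions in order (.COM before .EXE).

```python
from pathlib import PureWindowsPath

# Constructed sample HOSTS file (not from the page): one legitimate localhost
# line plus two security-vendor names pinned to the loopback address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.sophos.com          # planted entry
127.0.0.1       update.symantec.com
"""

# Constructed sample of the two HKCU ...\Windows values the worm sets; the
# folder "kqzx" stands in for the worm's random subfolder name.
SAMPLE_REG_VALUES = {
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load":
        r"C:\WINDOWS\system32\kqzx\csrss.exe",
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run":
        r"C:\WINDOWS\system32\kqzx\csrss.exe",
}

LOOPBACK = {"127.0.0.1", "::1"}

def suspicious_hosts_entries(hosts_text):
    """Return every name other than localhost that HOSTS maps to a loopback address."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr in LOOPBACK:
            hits.extend(n.lower() for n in names if n.lower() != "localhost")
    return hits

def suspicious_load_run_values(values, system_dir=r"C:\WINDOWS\system32"):
    """Flag load/run values that launch csrss.exe or smss.exe from a subfolder of
    the system folder (the genuine csrss.exe sits directly in <System>)."""
    system_dir = PureWindowsPath(system_dir)
    flagged = []
    for key, data in values.items():
        exe = PureWindowsPath(data)
        if exe.name.lower() in ("csrss.exe", "smss.exe") and exe.parent.parent == system_dir:
            flagged.append(key)
    return flagged

def netstat_shadowed(system_dir_listing):
    """True when netstat.com sits beside netstat.exe: cmd.exe tries PATHEXT
    extensions in order (.COM before .EXE), so 'netstat' runs the planted file."""
    names = {name.lower() for name in system_dir_listing}
    return "netstat.com" in names and "netstat.exe" in names
```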
