Category: Viruses and Spyware
Type: Win32 executable file virus
Protection available since: 29 Jul 2002 00:00:00 (GMT)
Last Updated: 17 Oct 2015 10:20:21 (GMT)
Prevalence: No Reports

W32/Chir-B is an email worm, an EXE file infector and an HTM/HTML file

The worm component of the virus attempts to spread via email by sending
itself to email addresses found in the Windows address book, plus addresses
found in files matching:

The email will have the following characteristics:
From: <username>@yahoo.com or imissyou@btamail.net.cn
Subject line: <username> is comming!
The body of the email will be blank.
Attached file: Name of infected file.

The email contains the Iframe exploit and a MIME exploit to run the virus
automatically when the email is viewed.

When run, the virus copies itself into the Windows system folder as
runouce.exe and sets the registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Runonce to point to
this new copy of the virus. This causes the virus to be started when
Windows starts up. The virus continually monitors this registry entry, so
any attempt to change or delete the entry results in the entry being
reset to the value described above.

On the first of the month the virus will overwrite the first 1234 bytes of
files matching *.ADC, *R.DB, *.DOC and *.XLS with garbage.

The virus searches for HTM and HTML files on both the local system and
network drives. If files of this type are found in a folder then a file
named readme.eml is created in that folder and a line of HTML code is appended
to the HTM and HTML files. The HTML code contains a short JavaScript
component that is intended to open the file readme.eml. The file readme.eml
contains a base64 encoded copy of the virus.
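
As an added example, not code from the original page or from Sophos: a defender-side scan in Python for the two on-disk traces this section describes, HTM/HTML files with an appended script line that references readme.eml, and dropped readme.eml files carrying a base64 MIME part. The script-tag and MIME patterns, and the sample files the script builds, are constructed assumptions for illustration, not the worm's literal strings.

```python
import os
import re
import tempfile

# Hypothetical signatures derived from this page's description, not the
# worm's literal strings: an appended <script> tag that references
# readme.eml, and a base64 MIME part inside a dropped readme.eml.
APPENDED_SCRIPT_RE = re.compile(rb"<script[^>]*>[^<]*readme\.eml", re.IGNORECASE)
EML_BASE64_RE = re.compile(rb"Content-Transfer-Encoding:\s*base64", re.IGNORECASE)


def html_has_appended_script(path, tail_bytes=4096):
    """True if the tail of an .htm/.html file carries a script tag pointing
    at readme.eml. Only the tail is read because the line is appended."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        f.seek(max(0, f.tell() - tail_bytes))
        return APPENDED_SCRIPT_RE.search(f.read()) is not None


def scan_tree(root):
    """Walk root; return {'modified_html': [...], 'eml_droppers': [...]}."""
    findings = {"modified_html": [], "eml_droppers": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith((".htm", ".html")) and html_has_appended_script(path):
                findings["modified_html"].append(path)
            elif lower == "readme.eml":
                with open(path, "rb") as f:
                    if EML_BASE64_RE.search(f.read()):
                        findings["eml_droppers"].append(path)
    return findings


def build_sample_tree():
    """Constructed test data: a clean page, a page with a constructed appended
    line, and a readme.eml holding a tiny base64 part. Returns the temp root."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "clean.html"), "wb") as f:
        f.write(b"<html><body>Hello</body></html>\n")
    with open(os.path.join(root, "index.htm"), "wb") as f:
        f.write(b"<html><body>Hello</body></html>\n")
        f.write(b'<script language="JavaScript">open("readme.eml")</script>\n')  # constructed stand-in
    with open(os.path.join(root, "readme.eml"), "wb") as f:
        f.write(b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b\"\r\n\r\n"
                b"--b\r\nContent-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA\r\n--b--\r\n")
    return root
```

Run `scan_tree(build_sample_tree())` to see the constructed tree flagged; point `scan_tree` at a real share root to sweep it. The registry-monitoring behaviour described earlier is not covered here.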

A second EML file with the same contents as readme.eml may also appear in
folders on network drives. This file will have the filename

The virus also infects Windows executables on both local and network
drives, but will not infect files in folders matching "wind*" or "winn*",
including all sub folders of those folders. As a result, files in folders
with names such as Windows or Winnt will not be infected.

W32/Chir-B employs a technique which will cause the virus to be restarted
if its process is terminated.

