Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Chir.B
At a glance
Common name: Chir.B
Technical name: W32/Chir.B
Threat level: Low
Alias: I-Worm.Runouce.b, Win32/ChiHack, PE_CHIR.B
Type: Virus
Effects: It overwrites files with certain extensions and exploits two vulnerabilities in Internet Explorer.
Affected platforms: Windows 2003/XP/2000/NT/ME/98/95
First detected on: Aug. 1, 2002
Detection updated on: June 17, 2010
Statistics: No
Proactive protection: Yes, using TruPrevent Technologies
Brief Description
Chir.B is a worm that reaches computers in an e-mail attachment called PP.EXE. The subject of the message consists of the sender's name followed by the text "is coming!". It is easy to get infected with this worm, as it activates automatically when the message is opened or simply viewed through Outlook's Preview Pane. To do so, it exploits two vulnerabilities: Exploit/iFrame and Exploit/MIME. These vulnerabilities allow files attached to e-mail messages to be run automatically.
This is a dangerous worm, as it infects files with the following extensions: EXE, SCR, HTM and HTML. Chir.B also has destructive effects: on the first day of each month it overwrites the first 4,660 bytes of files with the following extensions: ADC, R.DB, DOC and XLS.
Visible Symptoms
A clear indication that you have received Chir.B is a message with the following characteristics:
- Sender: one of the following:
  %sender's name%@yahoo.com
  Imissyou@btamail.net.cn
- Subject: %sender's name% is coming!
- Message: it does not contain any text.
- Attachments: PP.EXE
Tech details
Effects
Chir.B activates when the attachment is run. From that moment, the worm has the following effects:
- It infects files with the following extensions: EXE, SCR, HTM and HTML.
- On the first day of each month, it overwrites the first 4,660 bytes of files with the following extensions: ADC, R.DB, DOC and XLS.
Infection strategy
Chir.B creates the following files:
- RUNOUCE.EXE, in the Windows system directory. This file is a copy of the worm.
- README.EML, in the directories in which the worm finds and infects files with an HTM and/or HTML extension. This file contains the worm's code in MIME format.
Chir.B creates the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Runonce = %sysdir%\runouce.exe
where %sysdir% is the system directory.
By creating this entry, Chir.B ensures that it is run whenever Windows is started.
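A triage check for the three artifacts listed above (RUNOUCE.EXE in the system directory, README.EML beside HTM/HTML files, and a Run value that launches runouce.exe), added here as an example and not Panda Security's code. The function names, the constructed sample tree and the choice to pass Run-key values in as a dictionary are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the description above; everything else is an assumption.
WORM_COPY = "runouce.exe"   # spelled "runouce", unlike the legitimate runonce.exe
MIME_DROP = "readme.eml"
HTML_EXTS = {".htm", ".html"}
RUN_RE = re.compile(r'(?:^|[\\/"\s])runouce\.exe(?=$|["\s])', re.IGNORECASE)


def check_run_values(run_values):
    """Names of Run-key values whose data launches runouce.exe.
    run_values: {value name: data} already read from HKLM\\...\\CurrentVersion\\Run."""
    return sorted(n for n, data in run_values.items() if RUN_RE.search(data))


def scan_tree(root, sysdir):
    """List (kind, path, related_files) for files matching the write-up."""
    findings = []
    for p in sorted(Path(sysdir).iterdir()):
        if p.is_file() and p.name.lower() == WORM_COPY:
            findings.append(("worm_copy", str(p), []))
    for dirpath, _dirs, files in os.walk(root):
        eml = [f for f in files if f.lower() == MIME_DROP]
        html = sorted(f for f in files if Path(f).suffix.lower() in HTML_EXTS)
        if eml and html:  # README.EML only counts next to HTM/HTML files
            findings.append(("eml_beside_html", os.path.join(dirpath, eml[0]), html))
    return findings


def build_sample(base):
    """Constructed sample tree: empty placeholder files, no real malware content."""
    base = Path(base)
    for rel in ("system32/RUNOUCE.EXE", "system32/runonce.exe",
                "web/index.htm", "web/README.EML", "mail/readme.eml"):
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).touch()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample(tmp)
        for finding in scan_tree(base, base / "system32"):
            print(finding)
    print(check_run_values({"Runonce": r"%sysdir%\runouce.exe",
                            "Updater": r"C:\WINDOWS\system32\runonce.exe /q"}))
```

The HTM/HTML files reported alongside a README.EML are the ones the description says the worm infects, so they are the files to inspect or restore from backup.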
Means of transmission
Chir.B spreads itself via e-mail. It follows the routine below: