Chir.B
Threat LevelDamageDistribution

Effects 

Chir.B activates when the attachment is run. From that moment, the worm has the following effects:

• It infects files with the following extensions: EXE, SCR, HTM and HTML.
• On the first day of each month, it overwrites the first 4,660 bytes of files with the following extensions: ADC, R.DB, DOC and XLS.

Infection strategy 

Chir.B creates the following files:

• RUNOUCE.EXE, in the Windows system directory. This file is a copy of the worm.
• README.EML, in the directories in which the worm finds and infects files with an HTM and/or HTML extension. This file contains the worm's code in MIME format.

Chir.B creates the following entry in the Windows Registry:

• HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
  Runonce = %sysdir%\ runouce.exe
  where %sysdir% is the system directory.
  By creating this entry, Chir.B ensures that it is run whenever Windows is started.

Means of transmission 

Chir.B spreads itself via e-mail. It follows the routine below:

• It reaches the computer in an e-mail message with the following characteristics:
  
  Sender: one of the following:
  %sender's name%@yahoo.com
  Imissyou@btamail.net.cn
  
  Subject:
  %sender's name% is coming!
  
  Message: it does not contain any text.
  
  Attachments:
  PP.EXE
• It activates when the attachment is run.
• It sends itself out to the e-mail addresses it gets from the infected user's Address Book.