Welcome to the Virus Encyclopedia of Panda Security.
Chir.B activates when the attachment is run. From that moment, the worm has the following effects:
- It infects files with the following extensions: EXE, SCR, HTM and HTML.
- On the first day of each month, it overwrites the first 4,660 bytes of files with the following extensions: ADC, R.DB, DOC and XLS.
Chir.B creates the following files:
- RUNOUCE.EXE, in the Windows system directory. This file is a copy of the worm.
- README.EML, in the directories in which the worm finds and infects files with an HTM and/or HTML extension. This file contains the worm's code in MIME format.
Chir.B creates the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
Runonce = %sysdir%\ runouce.exe
where %sysdir% is the system directory.
By creating this entry, Chir.B ensures that it is run whenever Windows is started.
Means of transmission
Chir.B spreads itself via e-mail. It follows the routine below: