| Field | Value |
| --- | --- |
| Malware name | Win32.Chir.B |
| Type | Worm |
| Affected platform | Win32 |
| Media-Type | text/html |
| MD5 checksum | 33408EDFB8786FCCBD6CE48BC4FE96D2 |
| Static file | no |
| Filesize | 82,265 Bytes |
| Side effects | Drops a malicious file; uses its own Email engine |
| Propagation | |

Alias names (also known as)

| Vendor | Alias |
| --- | --- |
| Webwasher Proactive | JavaScript.Unwanted.gen!EP:M |
| Sophos | W32/Chir-B |
| McAfee | W32/Nimda.htm |
| CA ETrust | JS/Chir.B |

Protection

| Product | Detection |
| --- | --- |
| Webwasher Proactive | Database Version: 42 |
Description:

Files
It copies itself to the following location:
• %SYSDIR%\runouce.exe
The following file is created:
– MIME encoded copy of itself:
• Readme.eml

Registry
The following registry entry is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Runonce"="%SYSDIR%\runouce.exe"

Email
It contains an integrated SMTP engine which it uses to send emails, establishing a direct connection to the destination mail server. The messages have the following characteristics:
From: The sender address is spoofed.
To: Email addresses found in specific files on the system.
Subject:
• %username from sender's email address% is coming!
Attachment: The attachment filename is:
• PP.exe
The attachment is a copy of the malware itself.

Miscellaneous
Mutex: It creates the following mutex:
• ChineseHacker-2
String: Furthermore, it contains the following string:
• Net Send * My god! Some one killed ChineseHacker-2 Monitor
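A defender-side check for the artifacts listed in this description, written here as an added Python example rather than the vendor's own tooling: the `check_artifact`/`scan` helpers, the artifact kinds and the sample records are constructed assumptions, and the subject pattern assumes the spoofed user name contains no spaces. Note that the dropped binary name differs from the legitimate runonce.exe by one letter, so the match must be exact.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the description above; hypothetical helper, not vendor code.
DROPPED_FILES = {"runouce.exe", "readme.eml", "pp.exe"}
RUN_VALUE_NAME = "runonce"            # mimics the legitimate RunOnce key name
RUN_BINARY = "runouce.exe"            # one letter off from the real runonce.exe
MUTEX = "ChineseHacker-2"
SAMPLE_MD5 = "33408edfb8786fccbd6ce48bc4fe96d2"
SUBJECT_RE = re.compile(r"^\S+ is coming!$")   # "<user> is coming!"

def check_artifact(kind: str, value: str) -> List[str]:
    """Return the Chir.B indicators matched by one host or mail artifact."""
    hits: List[str] = []
    v = value.strip()
    lv = v.lower()
    if kind == "file":
        # compare the basename only; the directory is %SYSDIR% on the page
        name = lv.replace("/", "\\").rsplit("\\", 1)[-1]
        if name in DROPPED_FILES:
            hits.append(f"dropped file {name}")
    elif kind == "md5" and lv == SAMPLE_MD5:
        hits.append("known sample hash")
    elif kind == "runkey":
        # expected as  "Runonce"="...\runouce.exe"  under HKLM\...\CurrentVersion\Run
        name, _, data = v.partition("=")
        name = name.strip().strip('"').lower()
        data = data.strip().strip('"').lower()
        if name == RUN_VALUE_NAME and data.endswith(RUN_BINARY):
            hits.append("persistence run value")
    elif kind == "mutex" and v == MUTEX:
        hits.append("mutex")
    elif kind == "subject" and SUBJECT_RE.match(v):
        hits.append("email subject pattern")
    return hits

def scan(artifacts: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Scan (kind, value) pairs and return only the artifacts that matched."""
    return {v: h for k, v in artifacts if (h := check_artifact(k, v))}

# Constructed sample artifacts for the demo, not real telemetry.
SAMPLE = [
    ("file", r"C:\WINDOWS\system32\runouce.exe"),
    ("file", r"C:\WINDOWS\system32\runonce.exe"),    # legitimate binary, must not match
    ("runkey", r'"Runonce"="C:\WINDOWS\system32\runouce.exe"'),
    ("mutex", "ChineseHacker-2"),
    ("subject", "alice is coming!"),
    ("subject", "Meeting notes"),
    ("md5", "33408EDFB8786FCCBD6CE48BC4FE96D2"),
]
```

Calling `scan(SAMPLE)` returns the five matching artifacts with their indicator names; the legitimate runonce.exe and the unrelated subject line are not reported.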