by alexander.adamov on November 30th, 2012 in Malware Descriptions.

Detect: Win32.Сhir.b
Platform: Win32
Type: Worm
Size: 10 748 bytes
md5: a0ec5fc7ccb941955c24d53374361915
sha1: 3e0e6e1e2b7879f70fe6284a9c24020d1c05264f


It is an email worm that spreads over the Internet by attaching a copy of its executable file to infected messages. To send mail, the worm uses addresses found on the infected computer.

Technical Details


Once launched, the worm copies its executable file and saves it with the following name:


It adds a registry key:


"Runonce" = "%Windir%\system32\runouce.exe"

This ensures that the worm is automatically launched each time Windows is booted on the victim machine.

Spread via Email

Before spreading, the worm scans certain files on the hard disk to harvest victims' e-mail addresses. The worm scans files with the following extensions:






To send infected messages, the worm directly accesses the SMTP server “”.


The worm sends a copy of itself by email as an attachment named “pp.exe”.

From is indicated in the From field,

where %username% is a name of the current user.


“%username% is comming!” is the email subject,

where %username% is the name of the current user.

Email Body

The email body is an HTML page containing JavaScript that runs the attached copy of the worm.


The worm scans a local drive for files with the «.exe» and «.scr» extensions. It infects the files it finds by appending itself to the end of each file and redirecting the file's entry point to the appended code.

In addition, the worm searches for files with the «.htm» and «.html» extensions and adds JavaScript to the body of these files. The JavaScript opens the «readme.eml» file, which the worm creates in the folder containing an infected page. This file is the email described in the Spread via Email section.

Ad Aware Pro Security detects HTML pages infected by the worm as «JS.Chir.b».

In addition, the worm creates a unique identifier with the following name: «ChineseHacker-2».

Removal Recommendations

  1. Delete the following file:

    %Windir%\system32\runouce.exe

  2. Delete the registry keys (How to Work with System Registry):

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

    "Runonce" = "%Windir%\system32\runouce.exe"

  3. Run a full scan of your computer using the Antivirus program with the updated definition database (Download Ad-Aware Free).
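
To check a directory tree for the on-disk artifacts named in this description, the following Python script can be used. It is an added example, not part of the original write-up or of any vendor tool. It looks for a file named runouce.exe (comparing its MD5 with the sample hash listed at the top of the page), for readme.eml files, and for .htm/.html pages in the same folder that reference readme.eml. The finding labels are names chosen for this example, and a name-only match still needs manual review.

```python
import hashlib
import os

# Indicators taken from the description above.
DROPPED_NAME = "runouce.exe"
DROPPED_MD5 = "a0ec5fc7ccb941955c24d53374361915"
EML_NAME = "readme.eml"
PAGE_EXTS = (".htm", ".html")


def md5_of(path):
    """Return the MD5 hex digest of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root):
    """Walk root and return a sorted list of (finding, path) tuples."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        lower = {name.lower(): name for name in files}
        # Dropped copy: report whether only the name or also the hash matches.
        if DROPPED_NAME in lower:
            path = os.path.join(folder, lower[DROPPED_NAME])
            matched = md5_of(path) == DROPPED_MD5
            kind = "dropped-copy-md5" if matched else "dropped-copy-name"
            findings.append((kind, path))
        # Pages are only suspicious when readme.eml sits in the same folder.
        if EML_NAME not in lower:
            continue
        findings.append(("readme-eml", os.path.join(folder, lower[EML_NAME])))
        for name in files:
            if name.lower().endswith(PAGE_EXTS):
                path = os.path.join(folder, name)
                with open(path, "rb") as fh:
                    if EML_NAME.encode() in fh.read().lower():
                        findings.append(("page-references-eml", path))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for kind, path in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}\t{path}")
```

Infected «.exe» and «.scr» host files are not covered by this check: the worm appends itself to them, so their hashes differ from the sample hash and they need a full antivirus scan.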