Win32.Chir.b

by alexander.adamov on November 30th, 2012 in Malware Descriptions.

Detect: Win32.Chir.b
Platform: Win32
Type: Worm
Size: 10 748 bytes
md5: a0ec5fc7ccb941955c24d53374361915
sha1: 3e0e6e1e2b7879f70fe6284a9c24020d1c05264f

Summary

This is an email worm that spreads over the Internet by attaching a copy of its executable file to the infected messages it sends. For mailing, the worm uses e-mail addresses harvested from the infected computer.

Technical Details

Installation

Once launched, the worm copies its executable file to the following location:

%Windir%\system32\runouce.exe

It adds the following value under the registry Run key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

"Runonce" = "%Windir%\system32\runouce.exe"

This ensures that the worm is automatically launched each time Windows is booted on the victim machine.

Spread via Email

Before spreading, the worm scans certain files on the hard disk to harvest victims' e-mail addresses. It scans files with the following extensions:

«.wab»
«.adc»
«.db»
«.doc»
«.xls»

To send infected messages, the worm connects directly to the SMTP server “btamail.net.cn”.

Attachment

The worm sends its copy by email as an attachment with the “pp.exe” name.

From

The From field contains %username%@yahoo.com, where %username% is the name of the current user.

Subject

The email subject is “%username% is comming!”, where %username% is the name of the current user.

Email Body

The email body is an HTML page containing JavaScript that runs the attached worm copy.

Payload

The worm scans the local drives for files with the «.exe» and «.scr» extensions. It infects the files it finds by appending its body to the end of the file and redirecting the entry point to it.

In addition, the worm searches for files with the «.htm» and «.html» extensions and appends JavaScript to their body. The JavaScript opens the «readme.eml» file that the worm creates in the folder containing the infected page; this is the file of the email message described in the Spread via Email section.
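As an added example (not code from the original description), the following Python triage helpers check for the two payload artifacts described above: a PE file whose entry point has been redirected into the last section, which is the footprint an appending infector leaves, and an HTML page carrying a script that refers to readme.eml. The PE builder and all sample inputs are constructed here for the demonstration; the infected-sample strings are not taken from the worm itself.

```python
import re
import struct

# --- PE entry-point heuristic -------------------------------------------------

# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
SECTION_HEADER = "<8sIIII"
SECTION_HEADER_SIZE = 40


def entry_point_section(data):
    """Parse just enough of a PE image to locate AddressOfEntryPoint.
    Returns (section_index, section_count, section_name); index and name are
    None when the entry point lies outside every section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    table = opt + opt_size
    for i in range(nsections):
        name, vsize, va, rawsize, _ = struct.unpack_from(
            SECTION_HEADER, data, table + i * SECTION_HEADER_SIZE)
        if va <= entry_rva < va + max(vsize, rawsize):
            return i, nsections, name.rstrip(b"\0").decode("ascii", "replace")
    return None, nsections, None


def entry_point_looks_appended(data):
    """Triage heuristic for appending infectors: the added body ends up in (or
    after) the last section and the entry point is redirected there. Packed
    or single-section binaries can trip this too, so a hit is a lead, not a
    verdict."""
    idx, count, _ = entry_point_section(data)
    return idx is None or (count > 1 and idx == count - 1)


# --- Injected-script check for .htm/.html files -------------------------------

INJECTED_SCRIPT = re.compile(
    r"<script\b[^>]*>(?:(?!</script>).)*readme\.eml(?:(?!</script>).)*</script>",
    re.I | re.S)


def html_references_readme_eml(html):
    """True if a <script> block in the page refers to readme.eml, the dropped
    message file that the worm's injected JavaScript opens."""
    return INJECTED_SCRIPT.search(html) is not None


# --- Constructed samples (built here for the demonstration, not real files) ---

def build_pe(sections, entry_rva):
    """Build a minimal PE32 image in memory from (name, VirtualAddress,
    VirtualSize) tuples; only the fields the heuristic reads are populated."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0)
    opt += b"\0" * (opt_size - len(opt))
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, vsize,
                    0, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize in sections)
    return dos + b"PE\0\0" + coff + opt + table


# A clean layout: entry point inside .text, the first section.
CLEAN_PE = build_pe([(".text", 0x1000, 0x2000), (".data", 0x3000, 0x1000)],
                    entry_rva=0x1200)
# An appended layout: last section grown and entry point redirected into it.
INFECTED_PE = build_pe([(".text", 0x1000, 0x2000), (".data", 0x3000, 0x1000),
                        (".rsrc", 0x4000, 0x1800)], entry_rva=0x5100)

CLEAN_HTML = "<html><body><p>hello</p></body></html>"
INFECTED_HTML = ('<html><body><p>hello</p></body></html>'
                 '<script>window.open("readme.eml")</script>')

if __name__ == "__main__":
    for label, pe in (("clean", CLEAN_PE), ("infected", INFECTED_PE)):
        print(label, entry_point_section(pe), entry_point_looks_appended(pe))
    for label, page in (("clean", CLEAN_HTML), ("infected", INFECTED_HTML)):
        print(label, html_references_readme_eml(page))
```

To use the helpers on a real host, read each .exe/.scr file in binary mode and pass the bytes to entry_point_looks_appended, and pass the text of each .htm/.html file to html_references_readme_eml; any hit is worth a closer look with a full antivirus scan rather than an automatic deletion, because the PE heuristic is deliberately broad.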

Ad-Aware Pro Security detects HTML pages infected by the worm as «JS.Chir.b».

In addition, the worm creates a unique identifier named «ChineseHacker-2».

Removal Recommendations

  1. Delete the following file:

     %Windir%\system32\runouce.exe

  2. Delete the following registry value:

     [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

     "Runonce" = "%Windir%\system32\runouce.exe"

  3. Run a full scan of your computer using an antivirus program with an updated definition database.