PE_CHIR


 ALIASES:

Runouce, Thecid

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Infects files, Propagates via email, Propagates via software vulnerabilities


CHIR is a family of file infectors that propagate through email by mass-mailing a copy of itself as an attachment. It also exploits MIME header vulnerability that can cause Internet Explorer browsers to execute the email attachment. Most variants can also infect files that can be used to automatically execute its copy.

  TECHNICAL DETAILS

Memory Resident:

Yes

Installation

This file infector drops the following copies of itself into the affected system:

  • %System%\runouce.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This file infector adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Runonce = "%System%\runouce.exe"

Other System Modifications

This file infector adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\
Multimedia\DrawDib