[email protected]

Aliases: Win32.Chir.B [Computer Associates], W32/Chir-B [Sophos], Runouce [F-Secure], PE_CHIR.B [Trend]
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: active
Spreading: Low
Geographical info: Low
Removal: Moderate
Platform: W32
Discovered: 29 Jul 2002
Damage: Low

Characteristics: The [email protected] program is frequently acquired through email message in Microsoft Outlook address book.

More details about [email protected]

The [email protected] program is also considered a mass mailing worm that automatically sends itself to Outlook. It typically arrives as an email message from either these two email addresses: [USER NAME]@yahoo.com, [email protected] The Subject contains this phrase:” [USER NAME] is coming.” The message also includes attachments with the fiename PP.exe. Microsoft Outlook contains two components considered susceptible to this virus. These are Microsoft Virtual Machine com.ms.activex.activexcomponent Arbitrary Program Execution Vulnerability (BID 1754) and Microsoft IE MIME Header Attachment Execution Vulnerability (BID 2524). Once received, the PP.exe runs through your computer and the worm will copy itself with the Hidden, System, and Read-Only file attributes. This .exe file runs automatically and patches itself to certain system and read only files.

This worm reputedly enumerates network resources and will attempt to access and modify files so that it can run itself in the system. It automatically gathers email addresses by searching the Windows Address Book and files with extensions.adc, r.db,.doc, and .xls. Every month, the worm will attempt to overwrite the first 1,234 bytes of files with the said extensions. Eventually, the worm will expand its resources and look for all local and mapped drives to infect other file extensions including .htm, .html, .exe, .scr. It creates a readme.eml in the same folder in which the HTML file is located. HTML files are transformed in order for the worm to open Readme.eml.