
Virus:Win32/Chir.B@mm


First posted on 15 September 2019.
Source: Microsoft

Aliases :

There are no other names known for Virus:Win32/Chir.B@mm.

Explanation :

Installation

When an infected file is run, the virus finds the memory location of kernel32, and the location of its GetProcAddress function. After that, the virus collects the addresses of all the other required APIs. It creates the mutex "ChineseHacker-2", and then runs the original program.

Using a decompressed clean dummy Win32 PE file that the virus carries along within its code, Virus:Win32/Chir.B@mm creates an infected file called "runouce.exe" in the System folder. The created file is marked as system, hidden and read only.

It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Runonce"
With data: "runouce.exe"

The virus monitors the registry entry listed above, and recreates it if it is deleted.

Spreads Via…

File infection

This virus searches for targets on all mapped drives, from C: to Z:, and in all directories, but it avoids folders with names starting with "wind" or "winn" in an attempt to avoid Windows or WinNT folders. If a file found has an .exe or .scr extension, the virus infects it by appending its code and modifying the Entry Point, in order to intercept control when the file is executed.

Note: Due to a bug, many targeted files will not work after infection because of the size truncation.

If a file has an extension .htm or .html, the virus does two things:
- Creates the file "readme.eml" in the target directory
- Appends a short JavaScript which launches "readme.eml" when the target HTML is loaded

The virus attempts to exploit the vulnerability addressed by Microsoft Security Bulletin MS01-020 by using a specially crafted MIME format in order to automatically execute embedded virus code. See Microsoft Security Bulletin MS01-020 for more information.

Virus:Win32/Chir.B@mm attempts to spread through all available open shares, located by enumerating network resources. When doing so, it infects files using the aforementioned method. Additionally, it drops a file called "readme.eml".

Email

This threat doesn't rely on any email client in order to send email. It uses its own SMTP engine, connecting to an SMTP server located in China.

The virus searches for target email addresses in the Windows Address Book (*.wab) and also in files matching the following criteria:
- .adc
- .doc
- .rdb
- .xls

When an e-mail address is found, the virus sends an e-mail with the following details:

From: @yahoo.com
Subject: is coming!
Attachment: pp.exe

Payload

Damages files

When the virus is run on the first day of a month, the files that are scanned for e-mail addresses (*.adc, *.xls, *.doc, *.rdb) will have their first 4660 bytes overwritten with random junk.

Displays messages to Chinese users

This virus contains code that targets Chinese users - it looks for a window titled: 发送消息 (Send message). If successful, the virus sends a series of Chinese messages to that window, which vary from statements promoting peace (世界需要和平!) to those condemning dictatorship (反对霸权主义!), to praising socialism (社会主义好!).

Once a minute, Virus:Win32/Chir.B@mm sends a network message to everyone on the same network: "My god! Some one killed ChineseHacker-2 Monitor". Sometimes the displayed message will read "My god! Some o~e killed ChineseHacker-2 Monitor".

Additional Information

Analysis by Jakub Kaminski
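The following triage helpers are an added example, not part of the Microsoft write-up. They turn the indicators above into checks a responder can run over evidence exported from a host and a mail gateway: the "Runonce" value under the Run subkey pointing at runouce.exe, the dropped file's system/hidden/read-only attributes, a script element in an .htm/.html file that references readme.eml, and a message from a yahoo.com sender with subject "is coming!" carrying pp.exe. The registry values, directory listing, HTML snippet and message below are constructed samples; the exact appended script is not given on the page, so the HTML check only looks for a script element that mentions readme.eml.

```python
# Added triage helpers for the Win32/Chir.B@mm indicators (not Microsoft's code).
# All sample inputs are constructed; on a real host feed in exported Run-key
# values, a directory listing with attributes, file contents and raw messages.
import re
from email import message_from_string, policy
from email.utils import parseaddr

RUN_SUBKEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Runonce"
DROPPED_FILE = "runouce.exe"
DROPPED_ATTRIBUTES = {"system", "hidden", "readonly"}


def check_run_key(run_values):
    """run_values: {value_name: data} exported from the Run subkey.
    Returns a description of the matching entry, or None. Value names are
    compared case-insensitively because the registry is case-insensitive."""
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE.lower() and DROPPED_FILE in data.lower():
            return f"{RUN_SUBKEY}\\{name} -> {data}"
    return None


def check_dropped_file(listing):
    """listing: {path: set_of_attribute_names} for the System folder.
    Reports the dropped file and whether it carries all three attributes
    the write-up describes (system, hidden, read only)."""
    for path, attrs in listing.items():
        if path.lower().endswith("\\" + DROPPED_FILE):
            missing = DROPPED_ATTRIBUTES - {a.lower() for a in attrs}
            return {"path": path, "attributes_as_described": not missing}
    return None


# The page says a short script launching readme.eml is appended to HTML files
# but does not give its text, so we only look for a script element that
# references readme.eml rather than a specific launcher.
_SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
_EML_RE = re.compile(r"readme\.eml", re.I)


def html_has_eml_launcher(html_text):
    return any(_EML_RE.search(m.group(0)) for m in _SCRIPT_RE.finditer(html_text))


def flag_message(raw_message):
    """True when a raw RFC 5322 message matches the worm's pattern:
    yahoo.com sender, subject containing 'is coming!', attachment pp.exe."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", ""))
    attachments = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    return (sender.endswith("@yahoo.com")
            and "is coming!" in subject
            and "pp.exe" in attachments)


# Constructed samples (not captured from a real host or mailbox).
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"C:\WINDOWS\system32\SecurityHealthSystray.exe",
    "Runonce": r"C:\WINDOWS\system32\runouce.exe",
}
SAMPLE_LISTING = {
    r"C:\WINDOWS\system32\runouce.exe": {"system", "hidden", "readonly"},
    r"C:\WINDOWS\system32\notepad.exe": {"archive"},
}
SAMPLE_HTML = ("<html><body>Hello</body></html>\n"
               "<script>/* constructed stand-in for the appended launcher */"
               "location.href='readme.eml'</script>")
SAMPLE_EMAIL = """\
From: someone@yahoo.com
To: victim@example.org
Subject: someone is coming!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hi
--b1
Content-Type: application/octet-stream; name="pp.exe"
Content-Disposition: attachment; filename="pp.exe"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

if __name__ == "__main__":
    print("Run key:", check_run_key(SAMPLE_RUN_VALUES))
    print("Dropped file:", check_dropped_file(SAMPLE_LISTING))
    print("HTML launcher:", html_has_eml_launcher(SAMPLE_HTML))
    print("Mail matches worm pattern:", flag_message(SAMPLE_EMAIL))
```

Each check is deliberately narrow and keyed to the indicators the write-up states; a hit on the Run key alone is strong because the value name "Runonce" under the Run subkey (not the RunOnce subkey) is itself unusual, while the HTML and mail checks are broad enough to warrant a look at the matched file or message rather than an automatic verdict.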

Last update 15 September 2019
