Win32/Chir.A is a worm that spreads as a file attached to e-mail messages. It also has the ability of a classical virus to infect executable or HTML files. The worm is 10799 bytes long. It attacks computers running Windows 9x/ME/NT/2000/XP.
To spread via e-mail, Win32/Chir.A uses an Incorrect MIME Header vulnerability in Microsoft Internet Explorer 5.01 and Microsoft Internet Explorer 5.5 that allows the executable file to run automatically, without the user double-clicking the attachment. The vulnerability description is available at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp. A patch that protects against this vulnerability, known since March 2001, is available for download at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-027.asp. Since a number of known worms use this vulnerability to spread, it is of the highest importance to have the related patch downloaded and installed.
Note: In the following text, the symbolic name %windir% is used in place of the directory in which the Windows operating system is installed. This may differ from installation to installation.
The worm arrives in an e-mail attachment as a file named p.exe. The message comes from imissyou@btamail.net.cn or addressee_name@hotmail.com. Win32/Chir.A replaces the string addressee_name with the real name of the addressee who will receive the copy of the worm. The subject of the message is the text "Hi, i am addressee_name". When the file is executed, the worm is activated and copies itself to the file %windir%\System\runouce.exe. The hidden, system and read-only attributes are set for this newly created file. The worm ensures that this copy is activated after a system reboot by creating an item named Runonce in the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. It sets its value to "C:\WINDOWS\SYSTEM\runouce.exe".
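A mail-gateway check for the message traits described above, as an added example that is not part of the original entry. The executable extension list and the MIME main types treated as a mismatch are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the description above.
FIXED_SENDER = "imissyou@btamail.net.cn"
ATTACHMENT_NAME = "p.exe"
SUBJECT_RE = re.compile(r"^Hi, i am (.+)$", re.IGNORECASE)
# Assumptions (not from the page): extensions treated as executable, and
# MIME main types that should never be declared for them.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
NON_EXEC_TYPES = {"audio", "image", "video", "text"}

def chir_indicators(raw_message):
    """Return the names of the indicators matched by one raw message."""
    msg = message_from_string(raw_message)
    hits = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = SUBJECT_RE.match(msg.get("Subject", "").strip())
    if sender == FIXED_SENDER:
        hits.append("sender-fixed")
    if subject:
        hits.append("subject")
        # The same addressee name is reused in the hotmail.com sender.
        if sender == subject.group(1).lower() + "@hotmail.com":
            hits.append("sender-reuses-name")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT_NAME:
            hits.append("attachment-name")
        # Executable file name declared under a non-executable MIME type.
        if name.endswith(EXEC_EXT) and part.get_content_maintype() in NON_EXEC_TYPES:
            hits.append("mime-mismatch")
    return hits

# Constructed sample message, not a captured one.
SAMPLE = """From: alice@hotmail.com
To: alice@example.org
Subject: Hi, i am alice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: audio/x-wav; name="p.exe"
Content-Disposition: attachment; filename="p.exe"

(constructed placeholder body)
--b1--
"""
```

A gateway would quarantine on `mime-mismatch` alone, since that trait does not depend on this worm's fixed strings.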