From: Sophos Alert System

Name: W32/Chode-C
Aliases: WORM_CHOD.GEN
Type: Win32 worm
Date: 6 June 2005

Sophos has issued protection for W32/Chode-C.

At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Information about W32/Chode-C can be found at:
http://www.sophos.com/virusinfo/analyses/w32chodec.html

W32/Chode-C is a worm with IRC backdoor functionality.

W32/Chode-C attempts to spread via MSN Instant Messenger, by sending users a message "hey, is this you?" and a link. The link points to a copy of the worm.

When first run, the worm displays the following fake error message:

"Run-time error #7: Out of memory."

The worm includes backdoor functionality to do any of the following:

    send emails
    download updates
    participate in denial-of-service attacks
    steal passwords
    disable anti-virus products
    modify the system HOSTS file

When first run W32/Chode-C copies itself to a randomly named subfolder of the Windows system folder as csrss.exe.

The worm may create a file <Windows system folder>\cpu.dll.

W32/Chode-C creates the following registry entries in order to run itself on startup:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    csrss
    <path to copy of worm>\csrss.exe

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    csrss
    <path to copy of worm>\csrss.exe

The worm creates the following further registry entries:

    HKCU\Software\Chode
    Installed
    1

    HKCR\Chode
    Installed
    1

    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    Run
    <path to copy of worm>\csrss.exe

W32/Chode-C may drop any of the following applications, used in particular for stealing passwords:

    MessenPass
    Protected Storage Pass View
    Intelligent TCPIP.SYS patcher

The W32/Chode-C virus identity file (IDE) includes detection for:

    W32/Agobot-SW
    http://www.sophos.com/virusinfo/analyses/w32agobotsw.html
    Troj/StartPa-GN
    http://www.sophos.com/virusinfo/analyses/trojstartpagn.html
    Troj/PPdoor-I
    http://www.sophos.com/virusinfo/analyses/trojppdoori.html
    W32/Rbot-AEP
    http://www.sophos.com/virusinfo/analyses/w32rbotaep.html
    W32/Sdbot-BFW
    http://www.sophos.com/virusinfo/analyses/w32sdbotbfw.html
    W32/Sdbot-BFX
    http://www.sophos.com/virusinfo/analyses/w32sdbotbfx.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Chode-C from:
http://www.sophos.com/downloads/ide/chode-c.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
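
The registry entries listed in the alert can be turned into a triage check. The following is an added example, not part of the Sophos alert or the original post: it flags the alert's autostart and marker values in a list of (key, value name, data) records. The function names, the default system folder path and the sample records are assumptions made for illustration.

```python
import ntpath

# Registry locations and value names listed in the alert (compared lowercased).
RUN_KEYS = {r"hkcu\software\microsoft\windows\currentversion\run",
            r"hklm\software\microsoft\windows\currentversion\run"}
WINDOWS_RUN_KEY = r"hkcu\software\microsoft\windows nt\currentversion\windows"
MARKER_KEYS = {r"hkcu\software\chode", r"hkcr\chode"}

def check_entry(key, name, data, system_dir=r"C:\WINDOWS\system32"):
    """Return why a registry value matches the alert, or None if it does not."""
    k, n = key.lower(), name.lower()
    if k in MARKER_KEYS and n == "installed":
        return "Chode marker value"
    autostart = (k in RUN_KEYS and n == "csrss") or (k == WINDOWS_RUN_KEY and n == "run")
    if not autostart:
        return None
    path = ntpath.normpath(data.strip().strip('"')).lower()
    folder, exe = ntpath.split(path)
    if exe != "csrss.exe":
        return None
    # The alert places the copy in a subfolder of the system folder,
    # one level below where the genuine csrss.exe lives.
    if ntpath.dirname(folder) == ntpath.normpath(system_dir).lower():
        return "csrss.exe autostart from a subfolder of the system folder"
    return "csrss.exe autostart from another location"

def scan(entries, system_dir=r"C:\WINDOWS\system32"):
    """entries: iterable of (key, value name, data). Returns (key, name, reason) hits."""
    return [(k, n, r) for k, n, d in entries
            if (r := check_entry(k, n, d, system_dir))]

# Constructed sample records (hypothetical folder name), not from a real host.
SAMPLE = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "csrss",
     r"C:\WINDOWS\system32\qxzvbn\csrss.exe"),
    (r"HKCU\Software\Chode", "Installed", "1"),
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows", "Run",
     r'"C:\WINDOWS\system32\qxzvbn\csrss.exe"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SoundMan",
     r"C:\WINDOWS\SOUNDMAN.EXE"),
]

if __name__ == "__main__":
    for key, name, reason in scan(SAMPLE):
        print(f"{key}\\{name}: {reason}")
```

On a system installed elsewhere (for example C:\WINNT\system32), pass that path as system_dir.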