[virusinfo] W32/Chode-C

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Mon, 06 Jun 2005 15:17:53 -0700

From: Sophos Alert System:

Name: W32/Chode-C
Aliases: WORM_CHOD.GEN
Type: Win32 worm
Date: 6 June 2005

Sophos has issued protection for W32/Chode-C.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about W32/Chode-C can be found at:
http://www.sophos.com/virusinfo/analyses/w32chodec.html

W32/Chode-C is a worm with IRC backdoor functionality.

W32/Chode-C attempts to spread via MSN Instant Messenger, by sending users a
message "hey, is this you?" and a link. The link points to a copy of the worm.

When first run, the worm displays the following fake error message:
"Run-time error #7: Out of memory."

The worm includes backdoor functionality to do any of the following:
  - send emails
  - download updates
  - participate in denial-of-service attacks
  - steal passwords
  - disable anti-virus products
  - modify the system HOSTS file

When first run W32/Chode-C copies itself to a randomly named subfolder of the
Windows system folder as csrss.exe. The worm may create a file <Windows system
folder>\cpu.dll.

W32/Chode-C creates the following registry entries in order to run itself on
startup:

  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    csrss = <path to copy of worm>\csrss.exe

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    csrss = <path to copy of worm>\csrss.exe

The worm creates the following further registry entries:

  HKCU\Software\Chode
    Installed = 1

  HKCR\Chode
    Installed = 1

  HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    Run = <path to copy of worm>\csrss.exe

W32/Chode-C may drop any of the following applications, used in particular for
stealing passwords:
  - MessenPass
  - Protected Storage Pass View
  - Intelligent TCPIP.SYS patcher
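The artifacts listed above (the "csrss" Run values, the Chode marker keys, the
legacy "Run" value under Windows NT\CurrentVersion\Windows, a csrss.exe sitting in
a subfolder of the system folder rather than directly in it, and the optional
cpu.dll) are all things an administrator can check for without any vendor tool.
The PowerShell below is an added example written for this list post, not code
from Sophos or from the advisory; it only reads and reports, removes nothing, and
the function name, output layout and HOSTS-file heuristic are this example's own
choices. The HOSTS check is generic (any non-comment line that is not a plain
localhost mapping), because the advisory says the worm modifies HOSTS but does not
list the entries it writes.

```powershell
# Added example: read-only hunt for the W32/Chode-C persistence artifacts named
# in the Sophos advisory. Function name and output format are this example's own.

function Get-ChodeCIndicators {
    [CmdletBinding()]
    param()

    $findings = @()
    $sysDir = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32

    # 1. Run-key values named "csrss" (the advisory's startup entries).
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($item -and $item.PSObject.Properties['csrss']) {
            $findings += [pscustomobject]@{ Indicator = "Run value 'csrss'"; Location = $key; Data = $item.csrss }
        }
    }

    # 2. Marker keys the worm writes (HKCU\Software\Chode and HKCR\Chode, Installed = 1).
    foreach ($key in 'HKCU:\Software\Chode', 'Registry::HKEY_CLASSES_ROOT\Chode') {
        if (Test-Path -LiteralPath $key) {
            $installed = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Installed
            $findings += [pscustomobject]@{ Indicator = 'Marker key'; Location = $key; Data = "Installed=$installed" }
        }
    }

    # 3. The legacy "Run" value under Windows NT\CurrentVersion\Windows, an
    #    autostart location that is watched far less often than the Run keys.
    $ntWin = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $runVal = (Get-ItemProperty -Path $ntWin -ErrorAction SilentlyContinue).Run
    if ($runVal -and $runVal -match 'csrss\.exe') {
        $findings += [pscustomobject]@{ Indicator = "NT 'Run' value"; Location = $ntWin; Data = $runVal }
    }

    # 4. csrss.exe inside a *subfolder* of the system folder. The genuine
    #    csrss.exe lives directly in System32, so any copy one level down is suspect.
    foreach ($dir in (Get-ChildItem -Path $sysDir -Directory -ErrorAction SilentlyContinue)) {
        $candidate = Join-Path $dir.FullName 'csrss.exe'
        if (Test-Path -LiteralPath $candidate) {
            $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Indicator = 'csrss.exe in System32 subfolder'; Location = $candidate; Data = $hash }
        }
    }

    # 5. The cpu.dll the advisory says may be dropped in the system folder.
    $cpuDll = Join-Path $sysDir 'cpu.dll'
    if (Test-Path -LiteralPath $cpuDll) {
        $findings += [pscustomobject]@{ Indicator = 'Dropped cpu.dll'; Location = $cpuDll; Data = '' }
    }

    # 6. HOSTS entries beyond the plain localhost mappings (heuristic; the
    #    advisory does not list the exact entries the worm writes).
    $hosts = Join-Path $sysDir 'drivers\etc\hosts'
    if (Test-Path -LiteralPath $hosts) {
        Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
            ForEach-Object { $findings += [pscustomobject]@{ Indicator = 'Non-default HOSTS entry'; Location = $hosts; Data = $_.Trim() } }
    }

    return $findings
}

$results = @(Get-ChodeCIndicators)
if ($results.Count -eq 0) { 'No W32/Chode-C indicators found.' } else { $results | Format-Table -AutoSize }
```

Run it from an elevated PowerShell so the HKLM key and the System32 subfolders
are readable; a hit on any of the first five indicators is a much stronger
signal than a HOSTS line alone, since administrators and other software add
HOSTS entries legitimately.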

The W32/Chode-C virus identity file (IDE) includes detection for:

  W32/Agobot-SW
    http://www.sophos.com/virusinfo/analyses/w32agobotsw.html
  Troj/StartPa-GN
    http://www.sophos.com/virusinfo/analyses/trojstartpagn.html
  Troj/PPdoor-I
    http://www.sophos.com/virusinfo/analyses/trojppdoori.html
  W32/Rbot-AEP
    http://www.sophos.com/virusinfo/analyses/w32rbotaep.html
  W32/Sdbot-BFW
    http://www.sophos.com/virusinfo/analyses/w32sdbotbfw.html
  W32/Sdbot-BFX
    http://www.sophos.com/virusinfo/analyses/w32sdbotbfx.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Chode-C from:

http://www.sophos.com/downloads/ide/chode-c.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
