Virus Alert About the "W32.Chir.B@mm" Virus

Article ID: 327203
Last Review: March 22, 2007
Revision: 3.3
This article was previously published under Q327203

SUMMARY

W32.Chir.B@mm is a network-aware, mass-mailing worm. It is also a file-infector virus. W32.Chir.B@mm is a variant of W32.Chir@mm. W32.Chir.B@mm uses its own Simple Mail Transfer Protocol (SMTP) engine to send itself to all of the e-mail addresses that it finds in the Windows Address Book (.wab file), and in .adc, r.db, .doc, and .xls files.

MORE INFORMATION

This worm uses both IFRAME and MIME exploits to run on your computer. Because of this, you might run the worm just by previewing the e-mail message in your e-mail program. The worm sends itself as a Pp.exe file to all of the e-mail addresses that it finds. The e-mail message has the following characteristics:
Subject: username is coming!
Attachments: Pp.exe
The worm uses its own SMTP engine to send itself to e-mail addresses. The SMTP server that the worm uses is a static server. This means that if a specific SMTP server is not running, the worm cannot spread.
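
The message characteristics above can be checked at a mail gateway or over a stored mailbox. The following is an added example, not part of the original article: the function and sample-builder names are hypothetical, and the sample messages are constructed, not captured traffic.

```python
import email
from email import policy
from email.message import EmailMessage

SUSPECT_ATTACHMENT = "pp.exe"          # attachment name given in the article
SUSPECT_SUBJECT_SUFFIX = "is coming!"  # subject is "<username> is coming!"

def chir_b_indicators(raw_bytes):
    """Return which article-described indicators a raw message carries."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject.endswith(SUSPECT_SUBJECT_SUFFIX):
        hits.append("subject")
    # Walk every MIME part, whatever its declared Content-Type or disposition,
    # and compare the file name case-insensitively.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() == SUSPECT_ATTACHMENT:
            hits.append("attachment")
            break
    return hits

def constructed_sample(subject, filename):
    """Build a constructed test message with one small attachment."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(b"constructed", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("alice is coming!", "Pp.exe"),
                        ("Quarterly report", "report.pdf")]:
        print(subj, "->", chir_b_indicators(constructed_sample(subj, fname)))
```

A message that matches on both indicators is a strong candidate for quarantine; a match on the attachment name alone still merits blocking under prevention step 1.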

W32.Chir.B@mm also searches all local and network drives, and infects files that have .htm, .html, .exe, and .scr extensions.

W32.Chir.B@mm infects HTML files in a similar manner as W32.Nimda.A@mm. W32.Chir.B@mm first creates a Readme.eml file in the folder in which the HTML file is located. The Readme.eml file is the MIME-encoded body of the virus. The virus then modifies the HTML file to open the Readme.eml file when the HTML file is viewed. This modification functions only if JavaScript is turned on.
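
The HTML infection described above leaves two traces in the same folder: a Readme.eml file and an HTML file that refers to it. The following is an added example, not part of the original article, that walks a directory tree and reports both; the function name is hypothetical, and it does not detect the infected .exe and .scr files, which require an antivirus scanner.

```python
import os
import re
import sys

HTML_EXTS = (".htm", ".html")       # HTML extensions the article lists as infected
DROPPED_NAME = "readme.eml"         # file the article says is created beside the HTML
EML_REF = re.compile(rb"readme\.eml", re.IGNORECASE)

def scan_for_readme_eml(root):
    """Return one finding per folder under root that holds a Readme.eml file
    and/or HTML files whose content mentions Readme.eml."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        eml_present = any(f.lower() == DROPPED_NAME for f in files)
        html_refs = []
        for name in files:
            if not name.lower().endswith(HTML_EXTS):
                continue
            try:
                # Binary read: pages may be stored in any legacy encoding.
                with open(os.path.join(folder, name), "rb") as fh:
                    if EML_REF.search(fh.read()):
                        html_refs.append(name)
            except OSError:
                continue  # unreadable file: keep scanning the rest of the tree
        if eml_present or html_refs:
            findings.append({"folder": folder, "eml_present": eml_present,
                             "html_refs": sorted(html_refs)})
    return sorted(findings, key=lambda f: f["folder"])

if __name__ == "__main__":
    # Usage: python scan.py <directory>; defaults to the current directory.
    for f in scan_for_readme_eml(sys.argv[1] if len(sys.argv) > 1 else "."):
        both = f["eml_present"] and f["html_refs"]
        print("MATCH " if both else "REVIEW", f["folder"], f["html_refs"])
```

A folder reported as MATCH has both traces; REVIEW means only one was found, for example a Readme.eml left behind after the HTML file was restored.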

Prevention

1. Block potentially damaging attachment types at your Internet mail gateways.
2. This virus uses a previously announced vulnerability as part of its infection method. Because of this, you must make sure that your computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS01-020. For more information about this bulletin, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/ms01-020.mspx
3. Obtain the most recent cumulative security patch for Microsoft Internet Explorer. The patch includes fixes for the vulnerabilities that were announced in Microsoft Security Bulletin MS01-020. For more information, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS02-023.mspx
4. If you are using Microsoft Outlook 2000 Service Release 1 (SR-1) or earlier, install the Outlook E-mail Security Update patch to prevent this virus (and the majority of other viruses that are borne by e-mail messages) from running.

Outlook 2000 Service Pack 2 (SP2) and Microsoft Outlook 2002 automatically contain the functionality that is contained in the Outlook E-mail Security Update patch.

To install the Outlook E-mail Security Update patch for Outlook 2000 SR-1 or earlier, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=96DF48A9-7638-429E-816E-35F16F6528CA&displaylang=EN
5. You can also configure Microsoft Outlook Express 6 to block access to potentially damaging attachments. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
291387 (http://support.microsoft.com/kb/291387/EN-US/) OLEXP: Using Virus Protection Features in Outlook Express 6
6. You can use a program-level firewall to protect you from being infected with this virus through Web-based e-mail programs.

Recovery

If your computer has been infected with this virus, contact Microsoft Product Support Services or your preferred antivirus vendor for help with removing the virus. For information about contacting Microsoft Product Support Services, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

REFERENCES

Related Security Information

For additional information about viruses, visit the following Symantec Web site:
http://securityresponse.symantec.com/avcenter/venc/data/w32.chir.b@mm.html
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

For additional security-related information about Microsoft products, visit the following Microsoft Web site:
http://www.microsoft.com/athome/security/default.mspx

APPLIES TO
Microsoft Windows 2000 Server

Keywords: 
kbdownload kbinfo kbsecantivirus kbvirus KB327203
