You are currently offline, waiting for your internet to reconnect

Virus Alert About the "W32.Chir.B@mm" Virus

This article was previously published under Q327203
W32.Chir.B@mm is a network-aware, mass-mailing worm. It is also a file-infector virus. W32.Chir.B@mm is a variant of W32.Chir@mm. W32.Chir.B@mm uses its own Simple Mail Transfer Protocol (SMTP) engine to send itself to all of the e-mail addresses that it finds in the Windows Address Book (.wab file), and in .adc, r.db, .doc, and .xls files.
This worm uses both IFRAME and MIME exploits to run on your computer. Because of this, you might run the worm just by previewing the e-mail message in your e-mail program. The worm sends itself as a Pp.exe file to all of the e-mail addresses that it finds. The e-mail message has the following characteristics:
Subject: username is coming!
Attachments: Pp.exe
The worm uses its own SMTP engine to send itself to e-mail addresses. The SMTP server that the worm uses is a static server. This means that if a specific SMTP server is not running, the worm cannot spread.

W32.Chir.B@mm also searches all local and network drives, and infects files that have .htm, .html, .exe, and .scr extensions.

W32.Chir.B@mm infects HTML files in a similar manner as W32.Nimda.A@mm. W32.Chir.B@mm first creates a Readme.eml file in the folder in which the HTML file is located. The Readme.eml file is the MIME-encoded body of the virus. The virus then modifies the HTML file to open the Readme.eml file when the HTML file is viewed. This modification functions only if JavaScript is turned on.


  1. Block potentially damaging attachment types at your Internet mail gateways.
  2. This virus uses a previously announced vulnerability as part of its infection method. Because of this, you must make sure that your computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS01-020. For more information about this bulletin, visit the following Microsoft Web site:
  3. Obtain the most recent cumulative security patch for Microsoft Internet Explorer. The patch includes fixes for the vulnerabilities that were announced in Microsoft Security Bulletin MS01-020. For more information, visit the following Microsoft Web site:
  4. If you are using Microsoft Outlook 2000 Service Release 1 (SR-1) or earlier, install the Outlook E-mail Security Update patch to prevent this virus (and the majority of other viruses that are borne by e-mail messages) from running.

    Outlook 2000 Service Pack 2 (SP2) and Microsoft Outlook 2002 automatically contain the functionality that is contained in the Outlook E-mail Security Update patch.

    To install the Outlook E-mail Security Update patch for Outlook 2000 SR-1 or earlier, visit the following Microsoft Web site:
  5. You can also configure Microsoft Outlook Express 6 to block access to potentially damaging attachments.For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
    291387 OLEXP: Using Virus Protection Features in Outlook Express 6
  6. You can use a program-level firewall to protect you from being infected with this virus through Web-based e-mail programs.


If your computer has been infected with this virus, contact Microsoft Product Support Services or your preferred antivirus vendor for help with removing the virus. For information about contacting Microsoft Product Support Services, visit the following Microsoft Web site:

Related Security Information

For additional information about viruses, visit the following Symantec Web site: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

For additional security-related information about Microsoft products, visit the following Microsoft Web site:

Article ID: 327203 - Last Review: 07/30/2007 10:19:59 - Revision: 3.5

  • Microsoft Windows 2000 Server
  • kbdownload kbinfo kbsecantivirus kbvirus KB327203