
W32/NoChod@MM

Type
Virus
SubType
Internet Worm
Discovery Date
03/13/2005
Length
152,292 bytes (MEW packed)
Minimum DAT
4446 (03/14/2005)
Updated DAT
5152 (10/30/2007)
Minimum Engine
5.1.00
Description Added
03/14/2005
Description Modified
03/14/2005 6:28 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low


Characteristics

This detection is for a worm written in Visual Basic (and subsequently packed with MEW) that bears the following characteristics:

  • propagates via email
    • constructing messages using its own SMTP engine
    • target email addresses are extracted from the victim machine
  • propagates via MSN instant messenger
  • propagates via P2P networks
  • provides backdoor functionality
    • connects to remote IRC server to await command
    • many functions available to the attacker, including:
      • manipulate filesystem, Registry, running processes
      • retrieve system information (data, passwords)
      • issue flood attacks (TCP, UDP, SMTP, HTTP)
      • download and run another file
  • terminate security applications (processes and services) running on the victim machine
  • modify local hosts file to disable updating of various security applications

Symptoms

  • Existence of the Registry keys detailed below
  • Unexpected termination of security applications (both processes and services)
  • Modification of the local hosts file, redirecting many remote (security-related) domains to localhost (127.0.0.1)
  • The backdoor functionality could be used by the attacker to download and run a remote file. Since this can be used to compromise the victim machine further, the resulting symptoms vary widely.
  • The worm also attempts to retrieve passwords from the victim machine

Method of Infection

This worm copies itself into a folder of random name within the Windows system directory as CSRSS.EXE. For example:

  • C:\WINDOWS\System32\HJIHXUOI\CSRSS.EXE

Two other files are also created in this folder: CSRSS.INI and CSRSS.DAT, data files used by the worm in its propagation.

The following Registry keys are added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows
    \CurrentVersion\Run "csrss" = %SysDir%\HJIHXUOI\CSRSS.EXE
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT
    \CurrentVersion\Windows "run" = %SysDir%\HJIHXUOI\CSRSS.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    \CurrentVersion\Run "csrss" = %SysDir%\HJIHXUOI\CSRSS.EXE
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT
    \CurrentVersion\Windows "load" = %SysDir%\HJIHXUOI\CSRSS.EXE

The following keys are also added:

  • HKEY_CURRENT_USER\Software\Chode
  • HKEY_CLASSES_ROOT\Chode

The worm modifies several Registry keys in order to hinder detection/cleanup processes. The following keys are set:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows
    \CurrentVersion\Policies\System "DisableRegistryTools" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows
    \CurrentVersion\Policies\System "NoAdminPage" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows
    \CurrentVersion\Explorer\Advanced "Hidden" = 02, 00, 00, 00
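The Registry entries above, the CSRSS.EXE copy in a random-named folder and the hosts-file symptom listed earlier can all be checked on an exported triage bundle. The following is an added example, not McAfee's tooling or code from this description: it parses a .reg export and a hosts file and reports the indicators this page lists. The .reg text, hosts file and path list are constructed samples, and the vendor host names in the hosts sample are placeholders.

```python
"""Host triage for the indicators listed in this description: autostart values
pointing at CSRSS.EXE, the Chode marker keys, the policy values, a CSRSS.EXE copy
outside %SysDir% and hosts-file redirects. Added example, not McAfee's tooling;
the .reg export, hosts file and path list below are constructed samples."""
import re
from typing import Dict, List
AUTOSTART_KEYS = (r"\Software\Microsoft\Windows\CurrentVersion\Run",
                  r"\Software\Microsoft\Windows NT\CurrentVersion\Windows")  # "run"/"load"
POLICY_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Policies\System"
MARKER_KEYS = {r"HKEY_CURRENT_USER\SOFTWARE\CHODE", r"HKEY_CLASSES_ROOT\CHODE"}

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"csrss"="C:\\WINDOWS\\System32\\HJIHXUOI\\CSRSS.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\\WINDOWS\\System32\\HJIHXUOI\\CSRSS.EXE"
"load"="C:\\WINDOWS\\System32\\HJIHXUOI\\CSRSS.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"NoAdminPage"=dword:00000001
[HKEY_CURRENT_USER\Software\Chode]
'''
SAMPLE_HOSTS = '''# constructed hosts file; the vendor names are placeholders
127.0.0.1       localhost
127.0.0.1       update.av-vendor.test
127.0.0.1       www.av-vendor.test liveupdate.av-vendor.test
10.0.0.5        intranet.example.test
'''
SAMPLE_PATHS = [r"C:\WINDOWS\System32\csrss.exe",           # legitimate binary
                r"C:\WINDOWS\System32\HJIHXUOI\CSRSS.EXE"]  # the worm's copy

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the .reg subset used here ([key], "name"="string", "name"=dword:hex)."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue  # file header, blank line, or a value outside any key
        name, data = _unescape(m.group(1)), m.group(2)
        if data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
        else:
            keys[current][name] = data  # hex:/binary data kept as written
    return keys

def registry_findings(keys: Dict[str, Dict[str, object]]) -> List[str]:
    findings: List[str] = []
    for key, values in keys.items():
        k = key.upper()
        if k in MARKER_KEYS:
            findings.append(f"worm marker key present: {key}")
        if any(k.endswith(a.upper()) for a in AUTOSTART_KEYS):
            for name, data in values.items():
                # The real csrss.exe is started by the session manager, never from an
                # autostart value, so any such reference is suspect whatever the folder.
                if str(data).lower().endswith("\\csrss.exe"):
                    findings.append(f'autostart {key} "{name}" -> {data}')
        if k.endswith(POLICY_KEY.upper()):
            for name in ("DisableRegistryTools", "NoAdminPage"):
                if values.get(name) == 1:
                    findings.append(f"restrictive policy set: {name} = 1")
    return findings

def suspicious_csrss_paths(paths: List[str], sysdir: str = r"C:\WINDOWS\System32") -> List[str]:
    """csrss.exe legitimately exists only directly in %SysDir%; flag any other copy."""
    legit = (sysdir.rstrip("\\") + "\\csrss.exe").lower()
    return [p for p in paths if p.lower().endswith("\\csrss.exe") and p.lower() != legit]

def hosts_findings(text: str) -> List[str]:
    """Flag hosts entries that point anything but localhost at loopback, which is
    how the worm blocks the update sites of security products."""
    findings: List[str] = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("127.0.0.1", "::1"):
            findings.extend(f"hosts redirects {n} -> {fields[0]}" for n in fields[1:]
                            if n.lower() not in ("localhost", "localhost.localdomain"))
    return findings

if __name__ == "__main__":
    for finding in (registry_findings(parse_reg(SAMPLE_REG)) + suspicious_csrss_paths(SAMPLE_PATHS)
                    + hosts_findings(SAMPLE_HOSTS)):
        print(finding)
```

On a live host the same functions can be fed the output of `reg export` for the HKCU and HKLM hives and the contents of %SystemRoot%\System32\drivers\etc\hosts. Because the folder name under System32 is random per infection, the autostart rule keys on the CSRSS.EXE reference itself rather than on the folder name.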

Mail Propagation

The worm harvests target email addresses from the victim machine and spoofs the From: address of sent messages. The messages are constructed as follows:

From: Spoofed, with one of the following:

  • security@microsoft.com
  • security@trendmicro.com
  • securityresponse@symantec.com

Subject: One of the following:

  • Warning - you have been infected!
  • Your computer may have been infected

Body:

Attachment: Copy of the worm with one of the following filenames:

  • netsky_removal.exe
  • removal_tool.exe
  • message.pif
  • message.scr
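As an added example (not code from this description), the following mail-gateway check shows how the combination above, a message claiming to come from a security vendor with an executable attachment, can be flagged before delivery. The messages it inspects are constructed in the code itself; the attachment bytes are a placeholder, not a binary, and the recipient address is made up.

```python
"""Mail-gateway check for the lure described above: a spoofed security-vendor
sender, a known subject line and an executable attachment. Added example, not
from the advisory; the messages are constructed in code."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List

SPOOFED_SENDERS = {"security@microsoft.com", "security@trendmicro.com",
                   "securityresponse@symantec.com"}
LURE_SUBJECTS = {"warning - you have been infected!",
                 "your computer may have been infected"}
EXECUTABLE_EXTS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")

def build_message(sender: str, subject: str, filename: str) -> bytes:
    """Construct a sample message in the worm's shape (empty body, since the
    advisory records none) with a placeholder attachment, not a real binary."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.test"   # constructed recipient
    msg["Subject"] = subject
    msg.set_content("")
    msg.add_attachment(b"MZ placeholder bytes, not executable code",
                       maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def classify(raw: bytes) -> List[str]:
    """Return the reasons a message should be quarantined (empty list = deliver)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = (msg.get("Subject") or "").strip().lower()
    executables = [part.get_filename() for part in msg.iter_attachments()
                   if (part.get_filename() or "").lower().endswith(EXECUTABLE_EXTS)]
    for name in executables:
        reasons.append(f"executable attachment: {name}")
    if sender in SPOOFED_SENDERS and executables:
        # Vendors do not push removal tools as unsolicited attachments; the
        # combination, not either item alone, is what marks this lure.
        reasons.append(f"security-vendor sender {sender} with executable attachment (spoofed)")
    if subject in LURE_SUBJECTS:
        reasons.append(f"known lure subject: {msg.get('Subject')}")
    return reasons

if __name__ == "__main__":
    sample = build_message("security@microsoft.com",
                           "Warning - you have been infected!", "netsky_removal.exe")
    print(classify(sample))
```

The executable-attachment rule fires on its own for the .PIF and .SCR names as well, which is the useful general case: the sender and subject strings vary between variants, but a mail claiming to carry a removal tool as an executable attachment is never legitimate.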

IM Propagation

The worm also attempts to propagate via MSN Instant Messenger, sending itself to all contacts using one of the following filenames with a .PIF or .SCR extension:

  • naked lesbian twister
  • paris hilton
  • rofl
  • us together
  • picture
  • gross
  • mypic
  • awesome

One of the following texts is included in the message:

  • lol check this out, it freaked me out :S
  • LOL! look at this, I can't explain it in words...
  • omg check this out, it's just wrong :O
  • ROFL!! you have to see this... wtf...
  • you have to see this, it's amazing!
  • holy shit you have to see this... :|
  • I just found this on a CD... you won't believe it! :|
  • dude check this out, it's awesome! :D
  • some random chick just sent me her picture, check it out ;)
  • haha you have to see this, I almost couldn't believe it! :O

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Backdoor.Win32.VB.aam (Kaspersky)
  • W32.Chod@mm (Symantec)
  • W32/Tobecho.A.worm (Panda)
  • WORM_CHOD.A (Trend)
