Windows 2000, Windows XP, Windows Server 2003
CHIR is a family of file infectors that propagate through email by mass-mailing a copy of itself as an attachment. It also exploits MIME header vulnerability that can cause Internet Explorer browsers to execute the email attachment. Most variants can also infect files that can be used to automatically execute its copy.
This file infector drops the following copies of itself into the affected system:
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
This file infector adds the following registry entries to enable its automatic execution at every system startup:
Runonce = "%System%\runouce.exe"
Other System Modifications
This file infector adds the following registry keys as part of its installation routine: