Infection Channel: Infects files, Propagates via email, Propagates via software vulnerabilities
CHIR is a family of file infectors that propagate through email by mass-mailing a copy of itself as an attachment. It also exploits MIME header vulnerability that can cause Internet Explorer browsers to execute the email attachment. Most variants can also infect files that can be used to automatically execute its copy.
Memory Resident: Yes
This file infector drops the following copies of itself into the affected system:
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
This file infector adds the following registry entries to enable its automatic execution at every system startup: