
PE_Chir.B-O


This memory-resident file infector propagates by sending copies of itself to all addresses listed in the target user's Windows Address Book (WAB). It sends an email with the following format:

From: imissyou@btmail.net.cn
Subject: {user name} is comming!
Message: {blank}
Attachment: PP.EXE
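
The message format above translates directly into a mail-filter check. The following Python is an added example, not code from the original advisory; the function names, the decision rule in `is_suspect` and the messages built by `build_sample` are assumptions constructed for illustration.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Indicators copied from the message format described above.
SENDER = "imissyou@btmail.net.cn"
SUBJECT_RE = re.compile(r"^.+ is comming!$")  # the misspelling is part of the indicator
ATTACHMENT = "pp.exe"

def chir_indicators(raw):
    """Return the set of indicators a raw RFC 5322 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if email.utils.parseaddr(str(msg.get("From", "")))[1].lower() == SENDER:
        hits.add("sender")
    if SUBJECT_RE.match(str(msg.get("Subject", "")).strip()):
        hits.add("subject")
    body = b""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            if name.strip().lower() == ATTACHMENT:
                hits.add("attachment")
        elif part.get_content_maintype() == "text":
            body += part.get_payload(decode=True) or b""
    if not body.strip():
        hits.add("blank_body")
    return hits

def is_suspect(raw):
    """Assumed rule: attachment name plus at least one header indicator."""
    hits = chir_indicators(raw)
    return "attachment" in hits and bool(hits & {"sender", "subject"})

def build_sample(sender, subject, body="\n", attachment=None):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()
```

Requiring the attachment name together with a header match keeps a lone `PP.EXE` attachment from an unrelated sender from being flagged by the name alone.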

It exploits the following vulnerability affecting systems running Microsoft Internet Explorer 5.01 and 5.5:

    Incorrect MIME Header Can Cause IE to Execute Email Attachment

This exploit allows the automatic execution of email attachments without the user's consent. For more information, visit the following Microsoft Web page:

If the infected system is connected to a network, this file infector also drops copies of its UUEncoded version in shared folders with read and write access. It drops these copies on machines in the same workgroup as the infected system.

It infects all files with the following extensions:

  • EXE
  • SCR
  • HTM
  • HTML

On the 1st day of the month, it overwrites the first 4,660 bytes of files with the following extensions:

  • ADC
  • R.DB
  • DOC
  • XLS

This file infector is the mother file of PE_CHIR.B.




Original Source: http://feeds.trendmicro.com/~r/MalwareTop10/~3/175489018/default5.asp
