Win32/Chir is a family of malware with both a worm component and a virus component. The worm component spreads via email, and can also spread by exploiting the vulnerability resolved with the release of Microsoft Security Bulletin MS01-020. The virus component infects .EXE and .SCR files on local and remote drives. It has also been known to edit .HTM and .HTML files stored on your PC so that opening these files runs the virus.
The following Microsoft software detects and removes this threat:
Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.
Threat behavior
The Win32/Chir worm component spreads as an attachment to a spam email. Once run, it does the following:
Drops a file named runouce.exe to <system folder>, which might be a copy of itself
Creates the following registry value so that its dropped file automatically runs every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Runonce"
With data: "<system folder>\runouce.exe"
Sends a copy of itself as an attachment to email addresses it finds on local and remote drives. The following are examples of the spam email it uses:
Sender: <NetBIOS name of local computer>@hotmail.com
Subject: Hi,i am <NetBIOS name of local computer>
Attachment: p.exe

Sender: imissyou@btamail.net.cn
Subject: <NetBIOS name of local computer> is coming!
Attachment: PP.exe
Win32/Chir runs when the user opens the email attachment. It can also exploit the Incorrect MIME Header vulnerability discussed in Microsoft Security Bulletin MS01-020, which causes the attachment to open automatically when the HTML-formatted email is read or previewed.
The Win32/Chir virus component does the following on both local and remote drives:
Infects .EXE and .SCR files
Drops a file named readme.eml in folders containing .HTM or .HTML files; this file is a copy of the spam email sent out by the worm component
Adds malicious JavaScript to the end of each .HTM and .HTML file mentioned above; if you open such a file and JavaScript is enabled on your PC, the script automatically opens the readme.eml file.
The following could indicate that you have this threat on your PC:
You see this entry in your registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Runonce"
With data: "<system folder>\runouce.exe"

You receive an email with the following details:
Sender: <NetBIOS name of local computer>@hotmail.com
Subject: Hi,i am <NetBIOS name of local computer>
Attachment: p.exe

Sender: imissyou@btamail.net.cn
Subject: <NetBIOS name of local computer> is coming!
Attachment: PP.exe
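The indicators listed above (the Run key value, the spam email pattern, and the script appended to .HTM/.HTML files) can be checked from exported data rather than by hand. The script below is an added example, not Microsoft's own tooling or part of the original description: it parses a .reg export of the Run key, scores email headers against the spam pattern, and inspects the tail of HTML content for a reference to readme.eml. All sample inputs are constructed for illustration; the computer name WORKSTATION7, the paths, and the appended script body are placeholders, and the 2-of-3 threshold for calling an email Chir spam is an assumption chosen to keep a lone "... is coming!" subject from being a false positive.

```python
"""Offline indicator checks for Win32/Chir (added example, not Microsoft's code).

Inputs are text you export yourself: 'reg export' output of the Run key,
parsed e-mail headers, and the contents of .HTM/.HTML files.
"""
import re

# Registry value the worm component sets (from the description above).
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Runonce"
DROPPED_FILE = "runouce.exe"

# Spam characteristics described for the worm component.
SUBJECT_PATTERNS = [re.compile(r"^Hi,i am .+$"), re.compile(r"^.+ is coming!$")]
ATTACHMENT_NAMES = {"p.exe", "pp.exe"}
KNOWN_SENDER = "imissyou@btamail.net.cn"


def check_run_key(reg_export: str) -> list[str]:
    """Return findings for a .reg export of the Run key.

    Flags a value named 'Runonce' whose data ends in runouce.exe. Windows' own
    RunOnce is a separate subkey (...\\CurrentVersion\\RunOnce), so a value
    literally named Runonce under ...\\Run is already odd; the file name
    confirms it.
    """
    findings = []
    in_run_key = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Only the Run subkey itself; '\RunOnce' does not end in '\run'.
            in_run_key = line.strip("[]").lower().endswith(r"\currentversion\run")
            continue
        if not in_run_key or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip('"')
        data = data.strip('"').replace("\\\\", "\\")  # .reg doubles backslashes
        if name.lower() == RUN_VALUE.lower() and data.lower().endswith(DROPPED_FILE):
            findings.append(f"{RUN_KEY}\\{name} -> {data}")
    return findings


def email_reasons(headers: dict) -> list[str]:
    """List which of the described spam characteristics an e-mail matches."""
    reasons = []
    subject = headers.get("Subject", "")
    sender = headers.get("From", "")
    attachment = headers.get("Attachment", "")
    if any(p.match(subject) for p in SUBJECT_PATTERNS):
        reasons.append(f"subject matches pattern: {subject!r}")
    if sender.lower() == KNOWN_SENDER:
        reasons.append(f"known sender: {sender}")
    if attachment.lower() in ATTACHMENT_NAMES:
        reasons.append(f"attachment name: {attachment}")
    return reasons


def is_chir_spam(headers: dict) -> bool:
    """Assumed threshold: a '... is coming!' subject alone is too generic."""
    return len(email_reasons(headers)) >= 2


def check_html(html: str) -> bool:
    """True if the end of an .HTM/.HTML file carries script referencing readme.eml.

    The virus appends its JavaScript to the end of the file, so only the
    tail is inspected.
    """
    tail = html[-2048:].lower()
    return "<script" in tail and "readme.eml" in tail


# ---- constructed samples (not real captures) ----
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Runonce"="C:\\Windows\\System32\\runouce.exe"
'''

SAMPLE_EMAILS = [
    {"From": "WORKSTATION7@hotmail.com", "Subject": "Hi,i am WORKSTATION7", "Attachment": "p.exe"},
    {"From": "imissyou@btamail.net.cn", "Subject": "WORKSTATION7 is coming!", "Attachment": "PP.exe"},
    {"From": "alice@example.com", "Subject": "Winter is coming!", "Attachment": "notes.pdf"},
]

CLEAN_HTML = "<html><body><p>Quarterly report</p></body></html>\n"
# Placeholder for the appended script; the real payload is not reproduced here.
INFECTED_HTML = CLEAN_HTML + '<script>/* constructed stand-in */ location.href="readme.eml";</script>\n'


if __name__ == "__main__":
    for f in check_run_key(SAMPLE_REG):
        print("registry:", f)
    for mail in SAMPLE_EMAILS:
        print("email:", mail["Subject"], "->", is_chir_spam(mail), email_reasons(mail))
    print("html clean:", check_html(CLEAN_HTML), "infected:", check_html(INFECTED_HTML))
```

On a live machine the registry input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`, and the HTML check would be run over every .HTM/.HTML file on the drives the virus component touches; a hit on either the registry value or an appended script should be followed by a full scan, as the description recommends.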