Attention: We have transitioned to a new AAD or Microsoft Entra ID from the week of May 20, 2024. In case your tenant requires admin consent, please refer to this document located at Overview of user and admin consent - Microsoft Entra ID | Microsoft Learn and grant access to App ID: 6ba09155-cb24-475b-b24f-b4e28fc74365 with graph permissions for Directory.Read.All and User.Read for continued access. While the app may appear unverified, you can confirm its legitimacy by verifying the App ID provided.
We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Worm:Win32/Chir.B@mm
Detected by Microsoft Defender Antivirus
Aliases: W32.Chir.B@mm (Symantec) W32/Chir.b@mm (McAfee) WORM_CHIR.B (Trend Micro)
Summary
Win32/Chir.B@mm is both a network and e-mail worm, as well as a virus. The e-mail worm component sends a copy of itself as an e-mail attachment to addresses that it finds on local and remote drives. Win32/Chir.B@mm also exploits the Incorrect Mime Header vulnerability discussed in Microsoft Security Bulletin (MS01-020). This may cause the e-mail attachment to open automatically when the e-mail is read or previewed on susceptible systems that have not had the MS01-020 security patch installed. Win32/Chir.B@mm infects .EXE and .SCR files on local and remote drives. Win32/Chir.B@mm also drops a copy of itself named readme.eml to folders containing .HTM and .HTML files, then appends malicious JavaScript to the bottom of these .HTM* files to cause them to automatically run the infected readme.eml file when they are opened.
Win32/Chir.B@mm infects .EXE and .SCR files, copies itself as Readme.exe to local and remote drives, and appends malicious Javascript to .HTM and .HTML files. For these reasons, it is not advisable to try to remove Win32/Chir.B@mm manually. Instead, use up-to-date antivirus software to remove this and other malicious software. To remove this malicious software using antivirus software, follow these steps:
- Disconnect from the Internet.
- Run up-to-date antivirus software.
- Take steps to prevent re-infection.
Disconnect from the Internet
To help ensure that your computer is not actively infecting other computers, disconnect it from the Internet before proceeding by unplugging your network cable or disabling your wireless connection. You can reconnect to the Internet after running antivirus software.
Run up-to-date antivirus software
Run up-to-date antivirus software to remove this malicious software from your computer.
Take steps to prevent re-infection
Do not reconnect your computer to the Internet until the computer is protected from re-infection. See the "How to Prevent Infection" section for more information.