Subscriptions | RSS Feeds | Discussions | Polls | Site Map




All Threats

Viruses

Hackers

Spam
Whole site    Viruses
  
Virus Encyclopedia
Riskware
Alerts
Analysis
News
Glossary
Weblog


Malware Environment
Malware Descriptions
Who Creates Malware
History of Malware
Malware Trends
If Your Computer Is Infected

 
Malware Description Search

 

  Home / Viruses / Virus Encyclopedia / Malware Descriptions / Network Worms / Email Worms

Email-Worm.Win32.Runouce.a

Aliases
Email-Worm.Win32.Runouce.a (Kaspersky Lab) is also known as: I-Worm.Runouce.a (Kaspersky Lab), W32/Chir.a@MM (McAfee),   W32.Chir@mm (Symantec),   Win32.Runonce.10799 (Doctor Web),   W32/Chir-A (Sophos),   Win32/Chir.A@mm (RAV),   WORM_CHIR.A (Trend Micro),   Worm/Runouce (H+BEDV),   W32/Thecid.A@mm (FRISK),   Win32:ChineseHack (ALWIL),   Win32/Chir.A@mm (Grisoft),   Win32.Runouce.A@mm (SOFTWIN),   Worm.Runouce.b (ClamAV),   W32/Runouce (Panda),   Win32/Chir.A (Eset)
Description added Aug 15 2002
Behavior Email Worm
Technical details
Runouce is a worm virus spreading via the Internet as an attachment to infected emails. Runouce also copies itself to shared network resources.

The Runouce worm is a Windows PE EXE file about 10KB in length and written in Assembly language.

Infected messages have the following properties:

  • Subject: Hi,i am %(Name of victim's computer)%
  • Attachment name: p.exe
  • The message body is blank.

    To run from infected messages the worm exploits the IFRAME security breach.

    Installation
    The worm copies itself to the Windows System directory under the name "Runouce.exe" and then registers this file in the following registry auto-run key:

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Runonce = %System%\Runouce.exe
    %System% = the Windows System directory name.

    When the Runouce is launched it creates a 'mutex' named "ChineseHacker" to avoid running multiple instances.

    Spreading
    The worm creates .EML files containing its copy in all available directories, and network resources, excluding the Windows directory. The name of the .EML files is the name of the victim's computer. For example, if the computer name is COMPUTER, the worm creates COMPUTER.EML files in that computer's directories.

    Runouce searches for victim email addresses in WAB databases and files with .ADC and R.DB extensions on all available drives except the Windows directory, and sends infected messages to these addresses. To send infected messages, the worm directly accesses the SMTP server "btamail.net.cn".

    Other
    The Runouce worm searches for files with .EXE and .SCR extensions on all fixed and remote drives, except the Windows directory, and modifies their file access time data.

    Runouce also closes programs with some Chinese titles (probably Chinese anti-virus programs).

    		•  

    Copyright © 1996 - 2010
    Kaspersky Lab
    Industry-leading Antivirus Software
    All rights reserved
     

    Email: webmaster@viruslist.com