Virus Alert About the "W32.Chir.B@mm" Virus (327203)



The information in this article applies to:

  • Microsoft Windows 2000 Server

This article was previously published under Q327203

SUMMARY

W32.Chir.B@mm is a network-aware, mass-mailing worm. It is also a file-infector virus. W32.Chir.B@mm is a variant of W32.Chir@mm. W32.Chir.B@mm uses its own Simple Mail Transfer Protocol (SMTP) engine to send itself to all of the e-mail addresses that it finds in the Windows Address Book (.wab file), and in .adc, r.db, .doc, and .xls files.

MORE INFORMATION

This worm uses both IFRAME and MIME exploits to run on your computer. Because of this, you might run the worm just by previewing the e-mail message in your e-mail program. The worm sends itself as a Pp.exe file to all of the e-mail addresses that it finds. The e-mail message has the following characteristics:

Subject: username is coming!
Attachments: Pp.exe

The worm uses its own SMTP engine to send itself to e-mail addresses. The SMTP server that the worm uses is a static server. This means that if that specific SMTP server is not running, the worm cannot spread.

W32.Chir.B@mm also searches all local and network drives, and infects files that have .htm, .html, .exe, and .scr extensions.

W32.Chir.B@mm infects HTML files in a manner similar to W32.Nimda.A@mm. W32.Chir.B@mm first creates a Readme.eml file in the folder in which the HTML file is located. The Readme.eml file is the MIME-encoded body of the virus. The virus then modifies the HTML file to open the Readme.eml file when the HTML file is viewed. This modification functions only if JavaScript is turned on.
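
A triage sweep for the HTML infection pattern described above, as an added example that is not part of the original article: it flags .htm and .html files that sit in the same folder as a Readme.eml file and mention that file name. The substring match on `readme.eml` and the function names are assumptions, and the sample tree is constructed and contains no malware.

```python
import os
import tempfile

HTML_EXTS = (".htm", ".html")
MARKER = b"readme.eml"  # assumption: the modified page names the file it opens


def scan_tree(root):
    """Return sorted paths of HTML files that mention a Readme.eml in their own folder."""
    suspects = []
    for folder, _dirs, files in os.walk(root):
        # Windows file names are case-insensitive, so compare in lower case.
        if not any(name.lower() == "readme.eml" for name in files):
            continue
        for name in files:
            if not name.lower().endswith(HTML_EXTS):
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read().lower()
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if MARKER in data:
                suspects.append(path)
    return sorted(suspects)


def build_sample_tree(root):
    """Create a constructed tree: one folder matches the pattern, two do not."""
    layout = {
        "site/index.html": b"<html><body>home</body><!-- constructed: Readme.eml --></html>",
        "site/about.htm": b"<html><body>about</body></html>",
        "site/Readme.eml": b"MIME-Version: 1.0\r\n\r\n(constructed placeholder)",
        "docs/index.html": b"<html><body>see readme.eml</body></html>",  # no .eml beside it
        "mail/README.EML": b"MIME-Version: 1.0\r\n\r\n(constructed placeholder)",
        "mail/notes.txt": b"readme.eml",  # not an HTML file
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in scan_tree(tmp):
            print("review:", os.path.relpath(hit, tmp))
```

A hit is a candidate for antivirus scanning, not proof of infection, because a legitimate page can also mention a file with that name.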

Prevention

  1. Block potentially damaging attachment types at your Internet mail gateways.
  2. This virus uses a previously announced vulnerability as part of its infection method. Because of this, you must make sure that your computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS01-020. For more information about this bulletin, visit the following Microsoft Web site:
  3. Obtain the most recent cumulative security patch for Microsoft Internet Explorer. The patch includes fixes for the vulnerabilities that were announced in Microsoft Security Bulletin MS01-020. For more information, visit the following Microsoft Web site:
  4. If you are using Microsoft Outlook 2000 Service Release 1 (SR-1) or earlier, install the Outlook E-mail Security Update patch to prevent this virus (and the majority of other viruses that are borne by e-mail messages) from running.

    Outlook 2000 Service Pack 2 (SP2) and Microsoft Outlook 2002 already include the functionality of the Outlook E-mail Security Update patch.

    To install the Outlook E-mail Security Update patch for Outlook 2000 SR-1 or earlier, visit the following Microsoft Web site:
  5. You can also configure Microsoft Outlook Express 6 to block access to potentially damaging attachments. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

    291387 OLEXP: Using Virus Protection Features in Outlook Express 6

  6. You can use a program-level firewall to protect you from being infected with this virus through Web-based e-mail programs.

Recovery

If your computer has been infected with this virus, contact Microsoft Product Support Services or your preferred antivirus vendor for help with removing the virus. For information about contacting Microsoft Product Support Services, visit the following Microsoft Web site:

REFERENCES

Related Security Information

For additional information about viruses, visit the following Symantec Web site:

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

For additional security-related information about Microsoft products, visit the following Microsoft Web site:

Modification Type: Major
Last Reviewed: 10/11/2006
Keywords: kbdownload kbinfo kbSECAntiVirus kbvirus KB327203