Posted By: umerh | Jul 24th, 2007 @ 4:53 PM
page 1 of 1
Comments: 2 | Views: 2804
Hi, I don't know if this is the best place to ask the question, but the problem that I am facing is that I have been hit by this stupid virus W32/Chir.B@mm... My brother copied some files from another computer using a USB key to my computer...

I have cleaned up the virus, but the problem is that this virus has modified all the exe files on my computer... and at the end of every exe (if I open it in Notepad) there is the following HTML code, and it also has some binary code in it:

MAIL FROM: imissyou@btamail.net.cn
RCPT TO: %s
DATA
FROM: %s@yahoo.com
TO: %s
SUBJECT: %s is comming!
MIME-Version: 1.0
Content-type: multipart/mixed; boundary="#BOUNDARY#"

--#BOUNDARY#
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<html><HEAD></HEAD><body bgColor=3D#ffffff><iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe></body></html>

--#BOUNDARY#
MIME-Version: 1.0
Content-Type: audio/x-wav; name="pp.exe"
Content-Transfer-Encoding: base64
Content-id: THE-CID

Now in the case of HTML it's easy to remove this from the end part, but I don't know how to change this in the exe without messing up the CRC check of the exe.

Please, anyone from Microsoft Security, help me with this... I have WinXP SP2, and at the time it hit, my Windows was fully updated!

Thanks

Umer
DoomBringer
I don't think executables are CRC checked at runtime -- the overhead on large (100 MB+) files would be enormous, I would think (not to mention it would require loading all pages into memory, thus thrashing memory).
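An added example (not code from the thread or from Symantec's write-up) that covers both the appended template in the original post and the CRC question raised there and in the reply above. It parses a PE file's section table to find the overlay, the bytes past the end of the last section that the loader never maps, searches that overlay for the first line of the mail template quoted in the post, and recomputes the optional header's CheckSum field, the only checksum the PE header itself carries (an Authenticode signature, when present, is a separate and stronger check), to show whether appended data has left it stale. The marker string, the function names and the minimal PE image that build_sample_pe() constructs for offline testing are this example's own assumptions; the script reports and repairs nothing.

```python
"""Triage for the appended mail template described in the thread: find the
data past the last PE section (the overlay), look for the first line of the
template in it, and recompute the optional header's CheckSum field.
Added example, not the thread's or Symantec's code; it reports only."""
import struct
import sys

# First line of the SMTP template quoted in the post (assumed here to be a
# stable marker for this appendage; other variants may differ).
CHIR_MARKER = b"MAIL FROM: imissyou@btamail.net.cn"


def pe_checksum(data: bytes, checksum_field_off: int) -> int:
    """Recompute the PE CheckSum the way imagehlp's CheckSumMappedFile does:
    a one's-complement style sum of 16-bit words over the whole file, with
    the CheckSum field itself skipped, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_field_off:  # the field is excluded from its own sum
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Pull out the few header values the two checks need."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24            # IMAGE_OPTIONAL_HEADER
    sect_off = opt_off + opt_size    # first IMAGE_SECTION_HEADER
    checksum_off = opt_off + 64      # CheckSum, same offset in PE32 and PE32+
    if checksum_off % 4:
        raise ValueError("unaligned PE header")
    # The image ends where the last section's raw data ends; anything after
    # that is overlay, which the loader never maps.
    end = sect_off + 40 * num_sections
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_off + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return {
        "checksum_off": checksum_off,
        "stored_checksum": struct.unpack_from("<I", data, checksum_off)[0],
        "overlay_off": min(end, len(data)),
    }


def inspect_pe(data: bytes) -> dict:
    """Report overlay size, where the marker sits, and whether CheckSum is stale."""
    hdr = parse_pe(data)
    overlay = data[hdr["overlay_off"]:]
    pos = overlay.find(CHIR_MARKER)
    computed = pe_checksum(data, hdr["checksum_off"])
    return {
        "overlay_off": hdr["overlay_off"],
        "overlay_size": len(overlay),
        "chir_marker_at": hdr["overlay_off"] + pos if pos >= 0 else None,
        "stored_checksum": hdr["stored_checksum"],
        "computed_checksum": computed,
        "checksum_matches": hdr["stored_checksum"] == computed,
    }


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image for offline testing (not a real program):
    DOS header, PE/COFF/optional headers with only the fields the checks read,
    one 0x200-byte .text section of RET opcodes, and a correct CheckSum.
    `overlay` is appended after the last section, as the worm does."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 36, 0x200)                     # FileAlignment
    struct.pack_into("<I", opt, 60, 0x200)                     # SizeOfHeaders
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                       0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    image = bytearray(header.ljust(0x200, b"\0") + b"\xC3" * 0x200)
    cs_off = 0x40 + 24 + 64
    struct.pack_into("<I", image, cs_off, pe_checksum(bytes(image), cs_off))
    return bytes(image) + overlay


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no file given: run against the constructed sample
        print("sample:", inspect_pe(build_sample_pe(CHIR_MARKER + b"\r\n")))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, inspect_pe(fh.read()))
```

Run it with no arguments to see the report for the constructed sample, or pass .exe paths. Windows validates CheckSum only for kernel-mode drivers and a handful of system DLLs, not for ordinary user-mode programs, which is why a stale value does not by itself stop an infected .exe from loading; for a file whose linker filled the field in (many leave it zero), a mismatch is still a useful tell that the file was altered after linking.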
RichardRudek
Reading the [Symantec technical description], it looks like you not only have to remove the appendage(s), but will also need to correct the PE file's header. Their removal instructions suggest that they don't even attempt to undo this, instead choosing to delete the files.

Given that Windows does have "File Protection", this may or may not work. If you've got a backup, then try it.

I'd probably use System File Checker, once I was certain that the pox wasn't running. Though you'd have to check that the SFC.EXE file wasn't infected beforehand.
e.g. Start, Run: SFC /scannow
