Alias: Win32.Worm.Chod.A, Backdoor.Win32.VB.aam, Trojan.Vb.Aam, Win32/VB.NBO
Size: 152.292 Bytes
VDF Version: 

General Description

Affected Platforms:
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003

Spreading Routine:
- Spreads itself over MSN Messenger.
- Spreads itself by sending emails.

Distribution

Worm/NoChod.A has its own SMTP engine, which it uses to spread itself. The emails sent by the worm can vary in appearance. The worm composes each email from the following elements:

- Sender(FROM): (one of the following)

- SUBJECT: (one of the following)
Warning - you have been infected!
Your computer may have been infected

Your message was undeliverable due to the following reason(s):
Your message could not be delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your original message has been attached.

- ATTACHMENT: (one of the following)

Worm/NoChod.A spreads over MSN Messenger by sending itself to all users in the contact list, with one of the following messages:

lol check this out, it freaked me out :S
LOL! look at this, I can't explain it in words...
omg check this out, it's just wrong :O
ROFL!! you have to see this... wtf...
you have to see this, it's amazing!

It tries to send a file to every user in the MSN Messenger contact list, using one of the following filenames:

naked lesbian twister
paris hilton
us together

The filenames can have one of the following extensions:


Technical Details

If Worm/NoChod.A is executed, it copies itself to the following directories with the following filenames:

c:\cmsn\naked lesbian twister.scr
c:\cmsn\paris hilton.scr
c:\cmsn\us together.scr
%userprofile%\Start Menu\Programs\Startup\csrss.lnk (hidden) (link to SystemDIR%\<%random%>csrss.exe)
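
Added example, not part of the original description: a Python check that labels file paths (from a directory listing or file-creation log) matching the artefacts listed above. It assumes `<%random%>` is a non-empty prefix, so the legitimate csrss.exe does not match; the function names and sample paths are constructed for illustration.

```python
import re
from ntpath import basename, dirname, normpath

# Artefacts taken from the description above.
DROP_DIR = r"c:\cmsn"
DROP_NAMES = {"naked lesbian twister.scr", "paris hilton.scr", "us together.scr"}
STARTUP_LNK = r"\start menu\programs\startup\csrss.lnk"
# Assumption: "<%random%>" is a non-empty prefix, so the legitimate
# csrss.exe (no prefix) does not match.
PREFIXED_CSRSS = re.compile(r"^.+csrss\.exe$")


def classify(path):
    """Return a label for a path that matches an artefact, else None."""
    p = normpath(path).lower()          # Windows paths are case-insensitive
    name, folder = basename(p), dirname(p)
    if folder == DROP_DIR:
        return "dropped-copy" if name in DROP_NAMES else "file-in-drop-dir"
    if p.endswith(STARTUP_LNK):
        return "startup-link"
    if PREFIXED_CSRSS.match(name):
        return "prefixed-csrss"
    return None


def scan(paths):
    """Map each matching path to its label, preserving input order."""
    return {p: label for p in paths if (label := classify(p))}


# Constructed sample listing (not taken from a real host).
SAMPLE = [
    r"C:\cmsn\paris hilton.scr",
    r"C:\CMSN\readme.txt",
    r"C:\Documents and Settings\bob\Start Menu\Programs\Startup\csrss.lnk",
    r"C:\WINDOWS\system32\xkqcsrss.exe",
    r"C:\WINDOWS\system32\csrss.exe",
    r"C:/cmsn/us together.scr",
]

if __name__ == "__main__":
    for path, label in scan(SAMPLE).items():
        print(f"{label:18} {path}")
```
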

The following message is displayed:

The virus Worm/NoChod.A connects to the following IRC servers:

and joins the channel #.firefawks using a specific password.

The worm creates the following entries in the Windows Registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

The following entries are deleted from the Windows registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirusScan Online"=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outpost Firewall"=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Worm/NoChod.A is able to terminate the following processes:

- bbeagle.exe
- ccapp.exe
- ccevtmgr.exe
- ccproxy.exe
- ccsetmgr.exe
- d3dupdate.exe
- enterprise.exe
- gcasdtserv.exe
- gcasserv.exe
- hijackthis.exe
- i11r54n4.exe
- irun4.exe
- isafe.exe
- issvc.exe
- kav.exe
- kavsvc.exe
- mcagent.exe
- mcdash.exe
- mcinfo.exe
- mcmnhdlr.exe
- mcshield.exe
- mcvsescn.exe
- mcvsftsn.exe
- mcvsshld.exe
- mpfagent.exe
- mpfservice.exe
- mpftray.exe
- msblast.exe
- msconfig.exe
- mscvb32.exe
- mskagent.exe
- mwincfg32.exe
- navapsvc.exe
- navapw32.exe
- navw32.exe
- npfmntor.exe
- outpost.exe
- pandaavengine.exe
- penis32.exe
- regedit.exe
- smc.exe
- sndsrvc.exe
- spbbcsvc.exe
- symlcsvc.exe
- sysinfo.exe
- sysmonxp.exe
- teekids.exe
- usrprmpt.exe
- vsmon.exe
- wincfg32.exe
- winsys.exe
- winupd.exe
- zapro.exe
- zlclient.exe

It also modifies the HOSTS file. The following values are added to the file in order to deny access to the following websites: localhost
Description inserted by Crony Walker on Tuesday, June 15, 2004
