Alias: Win32.Worm.Chod.A, Backdoor.Win32.VB.aam, Trojan.Vb.Aam, Win32/VB.NBO
Type: Worm
Size: 152.292 Bytes
Origin:
Date: 03-14-2005
Damage:
VDF Version: 6.30.00.28
Danger: Medium
Distribution: Medium

General Description

Affected Platforms:
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003

Spreading Routine:
- Spreads itself over MSN Messenger.
- Spreads itself by sending emails.

Distribution

Worm/NoChod.A carries its own SMTP engine so that it can spread by email without relying on a mail client. The emails it sends can vary in appearance; the worm assembles each message from the following elements:

- Sender(FROM): (one of the following)
security@microsoft.com
security@trendmicro.com
securityresponse@symantec.com

- SUBJECT: (one of the following)
Warning - you have been infected!
Your computer may have been infected

- BODY:
Your message was undeliverable due to the following reason(s):Your message could not be delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your original message has been attached.

- ATTACHMENT: (one of the following)
message.pif
message.scr
netsky_removal.exe
removal_tool.exe

Worm/NoChod.A also spreads over MSN Messenger by sending itself to every user in the contact list, accompanied by one of the following messages:

lol check this out, it freaked me out :S
LOL! look at this, I can't explain it in words...
omg check this out, it's just wrong :O
ROFL!! you have to see this... wtf...
you have to see this, it's amazing!

It tries to send a copy of itself to every user in the MSN Messenger contact list, under one of the following filenames:

awesome
gross
mypic
naked lesbian twister
paris hilton
picture
us together

The filenames can have one of the following extensions:

.exe
.scr

Technical Details

When Worm/NoChod.A is executed, it copies itself to the following locations (note the csrss.exe name, chosen to blend in with the legitimate Windows process of that name):

c:\cmsn\naked lesbian twister.scr
c:\cmsn\awesome.pif
c:\cmsn\gross.pif
c:\cmsn\mypic.pif
c:\cmsn\omg.pif
c:\cmsn\paris hilton.scr
c:\cmsn\picture.scr
c:\cmsn\rofl.scr
c:\cmsn\us together.scr
c:\cmsn\wtf.scr
%SystemDIR%\<%random%>csrss.exe
%SystemDIR%\<%random%>csrss.dat
%SystemDIR%\<%random%>csrss.ini
%SystemDIR%\cpu.dll
%userprofile%\Start Menu\Programs\Startup\csrss.lnk (hidden) (link to %SystemDIR%\<%random%>csrss.exe)

The following message is displayed:

Worm/NoChod.A connects to the following IRC servers:

- chode.no-ip.info:6667
- ch0de.ath.cx:6667
and joins the channel #.firefawks using a specific password.

The worm creates the following entries in the Windows Registry. The Explorer values hide hidden and protected operating-system files from the user, and the policy values disable the Registry Editor:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"SuperHidden"=dword:00000000
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"="1"
"NoAdminPage"="1"

The following entries are deleted from the Windows registry (all under the same Run key, which removes the autostart entries of several security products):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CleanUp"=
"MCAgentExe"=
"MCUpdateExe"=
"VirusScan Online"=
"VSOCheckTask"=
"ccApp"=
"Symantec NetDriver Monitor"=
"SmcService"=
"Outpost Firewall"=
"gcasServ"=

The Worm/NoChod.A is able to terminate the following processes:


It also modifies the HOSTS file: the following entries are added so that the listed websites (mostly antivirus and security vendors, plus Microsoft support) resolve to 127.0.0.1 and can no longer be reached for updates or removal tools:

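A HOSTS-file audit written from the defender's side, added here as an example and not part of the Avira description: it parses a hosts file and reports every hostname that is sunk to a loopback or unspecified address other than the usual localhost names, which is the kind of entry Worm/NoChod.A adds. The sample hosts content and the vendor domain names in it are constructed placeholders.

```python
import ipaddress
import re

# Names that legitimately map to a loopback address in a HOSTS file.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                        "ip6-localhost", "ip6-loopback", "ip6-localnet",
                        "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}

def is_blackhole(address: str) -> bool:
    """True for addresses that make a name unreachable: loopback, 0.0.0.0 or ::."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def parse_hosts(text: str) -> list[tuple[int, str, list[str]]]:
    """Parse HOSTS content into (line_number, address, [hostnames]); comments
    and blank lines are skipped, fields split on any run of spaces or tabs."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"[ \t]+", line)
        entries.append((lineno, fields[0], [h.lower() for h in fields[1:]]))
    return entries

def hijacked_entries(text: str) -> list[tuple[int, str]]:
    """Return (line_number, hostname) for every name the file sinks to a
    black-hole address, apart from the names that belong there."""
    findings = []
    for lineno, address, names in parse_hosts(text):
        if is_blackhole(address):
            findings.extend((lineno, n) for n in names if n not in LEGIT_LOOPBACK_NAMES)
    return findings

# Constructed sample: normal entries plus lines of the kind the worm adds;
# the vendor domain names are placeholders, not real vendor domains.
SAMPLE_HOSTS = """\
# hosts file (constructed sample, not taken from a real system)
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.0.1 update.example-av.test   # would block signature updates
0.0.0.0   www.example-av.test support.example-vendor.test
192.0.2.10      intranet.example.test
"""
if __name__ == "__main__":
    for lineno, name in hijacked_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} resolves to a black-hole address")
```

On a Windows host the file to read is %SystemRoot%\System32\drivers\etc\hosts; any finding against a security vendor's update or download host is a strong sign of this kind of tampering.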
Description inserted by Crony Walker on Tuesday, June 15, 2004
