W32.Chod.S

W32.Chod.S is a worm that lowers security settings on the infected computer. The worm spreads via Microsoft Instant Messenger as malicious links sent to contacts harvested from the compromised system. W32.Chod.S also opens a backdoor that gives a remote attacker unauthorized access to the victim's PC. It can block access to legitimate security web sites by modifying entries in the Windows hosts file.

Damage Level: Medium

Systems Affected: Windows 9x, ME, 2000, XP, Vista

How to Remove W32.Chod.S:

FIRST AID TO STOP W32.Chod.S:
If this worm has infected the system, the registry and legitimate Windows files are also compromised. System Restore can reinstate clean system files by restoring the configuration to an earlier date. If a restore point was created before you got infected with W32.Chod.S, please restore Windows to that previous configuration.

MANUAL REMOVAL OF W32.Chod.S:
1. Update the installed anti-virus application so it has the latest definition file.
2. Reboot Windows in Safe Mode.
- After turning on the power, press F8 on the keyboard.
- Select Safe Mode from the menu.

3. Thoroughly scan the system and clean/delete all infected file(s). Please see the file list below.
4. Delete/modify any values added to the registry, if present. Refer to the associated Windows Registry Entries below.
- Click on Start. Search for or Run regedit.exe to open the Registry Editor.

Note: You may refer to the links in the sidebar for a complete tutorial on Safe Mode and the Registry Editor.

5. Exit the Registry Editor and restart Windows.

ADDITIONAL TOOLS AND PROGRAMS:

Scan with Norton Power Eraser:
Norton Power Eraser is a free removal tool from Norton Antivirus developed to remove viruses and unfamiliar threats without using traditional AV signatures. Download the tool from this location and start scanning the computer.

Technical Details and Additional Information:

Other functionalities of this worm:
- W32.Chod.S ends any running security-related process.
- The worm also disables Windows Firewall and Windows Security Center.
- It opens a backdoor and accepts remote commands.

Malicious Files Added by W32.Chod.S:
%SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\csrss.lnk
%Windir%\system\[RANDOM FOLDER NAME]\csrss.exe
%Windir%\system\[RANDOM FOLDER NAME]\csrss.ini
%Windir%\system\[RANDOM FOLDER NAME]\l
%System%\netstat.com
%System%\taskkill.com

File Location for Windows Versions:

  • %System%: for all versions of Windows listed above it is located under C:\Windows\System32.
  • %Windir%: refers to the installation folder of the operating system.

Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"csrss" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"csrss" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"run" = "C:\WINDOWS\system\[RANDOM FOLDER NAME]\csrss.exe"
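As an added example that is not part of the original page, the following PowerShell script performs a read-only audit of the files, registry values and hosts-file changes listed above before you start manual removal. It assumes Windows XP/Vista or later with PowerShell 2.0 and an elevated prompt; the Startup-folder path is the one quoted in the file list, and the script only reports, it deletes nothing.

```powershell
# Added example: read-only check for the W32.Chod.S indicators listed on this page.
# Assumes PowerShell 2.0+ and an elevated prompt; nothing is modified or deleted.
$findings = @()

# 1. Run-key values named "csrss" (the worm's persistence entries)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $val = Get-ItemProperty -Path $key -Name 'csrss' -ErrorAction SilentlyContinue
    if ($val) { $findings += "Registry: $key\csrss = '$($val.csrss)'" }
}
# "run" value under Windows NT\CurrentVersion\Windows pointing at the dropped csrss.exe
$winKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$runVal = (Get-ItemProperty -Path $winKey -Name 'run' -ErrorAction SilentlyContinue).run
if ($runVal -and $runVal -match 'csrss\.exe') { $findings += "Registry: $winKey\run = '$runVal'" }

# 2. csrss.exe / csrss.ini / l in any subfolder of %Windir%\system
#    (the legitimate csrss.exe lives in System32, never under \system\<folder>)
$sysDir = Join-Path $env:windir 'system'
Get-ChildItem -Path $sysDir -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer } | ForEach-Object {
    foreach ($name in 'csrss.exe', 'csrss.ini', 'l') {
        $p = Join-Path $_.FullName $name
        if (Test-Path -LiteralPath $p -PathType Leaf) { $findings += "File: $p" }
    }
}

# 3. netstat.com / taskkill.com in %System%: cmd tries .com before .exe, so these
#    shadow the real tools when a user types "netstat" or "taskkill"
foreach ($name in 'netstat.com', 'taskkill.com') {
    $p = Join-Path $env:SystemRoot "System32\$name"
    if (Test-Path -LiteralPath $p) { $findings += "File: $p" }
}

# 4. Startup-folder shortcut (profile path as quoted on this page)
$lnk = Join-Path $env:SystemDrive 'Documents and Settings\Administrator\Start Menu\Programs\Startup\csrss.lnk'
if (Test-Path -LiteralPath $lnk) { $findings += "File: $lnk" }

# 5. Hosts file: anything beyond comments and the default localhost lines needs review,
#    since the worm redirects security sites by adding entries here
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
    ForEach-Object { $findings += "Hosts entry: $_" }

if ($findings.Count -eq 0) { 'No W32.Chod.S indicators found.' } else { $findings }
```

Review each reported item against the lists above before deleting anything; an unexpected hosts entry is the usual sign that access to security sites is being blocked.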

Alternative Removal Method for W32.Chod.S

Option 1: Use Windows System Restore to return Windows to a previous state

If W32.Chod.S enters the computer, there is a good chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with clean versions. If you have a restore point saved from before W32.Chod.S infiltrated the PC, we highly encourage you to execute this procedure if none of the above works. To proceed with Windows System Restore, click here to see the full procedure.