W32.Chod.S

W32.Chod.S is a worm that lowers security settings on the infected computer. It spreads through Microsoft Instant Messenger by sending malicious links to the contacts it harvests from the compromised system. W32.Chod.S also opens a backdoor that lets a remote attacker gain unauthorized access to the victim's PC, and it can block access to legitimate security web sites by adding entries to the Windows hosts file.

Damage Level: Medium

Systems Affected: Windows 9x, ME, 2000, XP, Vista

How to Remove W32.Chod.S:

FIRST AID TO STOP W32.Chod.S:
If this worm has infected the system, the registry and legitimate Windows files may also have been modified. System Restore can reinstate clean system files by returning the configuration to an earlier date. If a restore point was created before the W32.Chod.S infection, restore Windows to that configuration. Note that System Restore exists only on Windows ME, XP and Vista (not on Windows 9x or 2000), and that it rolls back only monitored system files and registry data, so follow the manual removal steps below afterwards even if the restore succeeds.

MANUAL REMOVAL OF W32.Chod.S:
1. Update the installed anti-virus application so that it has the latest definition file.
2. Reboot Windows in Safe Mode
– After turning on the power, press F8 repeatedly before the Windows logo appears.
– Select Safe Mode from the boot menu.

3. Thoroughly scan the system and clean or delete all infected files (see the file list below). Take care with the file name: the worm's csrss.exe lives in a random sub-folder of %Windir%\system, while the legitimate Client/Server Runtime csrss.exe lives in %System% and must not be deleted.
4. Delete or modify any registry values the worm added, if present. Refer to Associated Windows Registry Entries.
– Click Start, then Search or Run regedit.exe to open Registry Editor.

Note: You may refer to the Tools & Resources area for a complete tutorial on Safe Mode and Registry Editor.

5. Exit Registry Editor and restart Windows.

ADDITIONAL TOOLS AND PROGRAMS:

Scan with Norton Power Eraser:
Norton Power Eraser is a free removal tool from Norton that detects viruses and unfamiliar threats without relying only on traditional AV signatures. Download the tool from this location and scan the computer.

Technical Details and Additional Information:

Other functions of this worm:
– W32.Chod.S ends any running security-related process.
– The worm also disables Windows Firewall and Windows Security Center.
– It opens a backdoor and accepts remote commands.

Malicious Files Added by W32.Chod.S:
%SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\csrss.lnk
%Windir%\system\[RANDOM FOLDER NAME]\csrss.exe
%Windir%\system\[RANDOM FOLDER NAME]\csrss.ini
%Windir%\system\[RANDOM FOLDER NAME]\l
%System%\netstat.com
%System%\taskkill.com

File Location for Windows Versions:

  • %System% is the Windows system folder: C:\Windows\System on Windows 95/98/ME, C:\Winnt\System32 on Windows NT/2000 and C:\Windows\System32 on Windows XP and Vista.
  • %Windir% refers to the installation folder of the operating system (usually C:\Windows, or C:\Winnt on Windows 2000).
  • %SystemDrive% is the drive Windows is installed on, usually C:.

Note: netstat.com and taskkill.com sit next to the legitimate netstat.exe and taskkill.exe in %System%. Because cmd.exe tries the .com extension before .exe (the default PATHEXT order), typing netstat or taskkill at a prompt runs the worm's copy; call the real tools by their full names (netstat.exe, taskkill.exe) while investigating.

Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"csrss" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"csrss" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"run" = "C:\WINDOWS\system\[RANDOM FOLDER NAME]\csrss.exe"
(The last entry is the registry equivalent of the legacy win.ini run= line and is processed at logon, so it must be cleared as well as the two Run values.)
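As an added example (not the page's own or any vendor's tool), the following Python script checks a machine for the file, registry and hosts-file indicators listed above. It covers the hosts-file tampering described in the introduction as well as steps 3 and 4 of the manual removal, and it reports only; it deletes nothing. The check functions take already-collected data (a file listing, registry values, hosts-file text), so the script also runs off-line against a constructed sample of an infected Windows XP machine; on Windows it reads the live registry, file system and hosts file instead. Assumptions: the random folder name is matched with a wildcard, the Startup entry is checked for every profile rather than only Administrator, and the security-vendor domain watchlist is illustrative.

```python
"""Indicator check for the W32.Chod.S artifacts listed on this page. Added example, not the
page's or any vendor's tool; the check_* functions take collected data and delete nothing."""
import fnmatch
import glob
import os
import re

# File indicators from the page; "*" stands in for [RANDOM FOLDER NAME] and (assumption)
# for any profile's Startup folder, not only Administrator's.
FILE_INDICATORS = [
    r"%Windir%\system\*\csrss.exe",  # not %System%\csrss.exe, which is legitimate
    r"%Windir%\system\*\csrss.ini",
    r"%Windir%\system\*\l",
    r"%System%\netstat.com",  # shadows netstat.exe: cmd.exe tries .com before .exe
    r"%System%\taskkill.com",
    r"%SystemDrive%\Documents and Settings\*\Start Menu\Programs\Startup\csrss.lnk",
]
RUN_KEYS = (  # registry locations from the page; the worm's value name is "csrss"
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
WINLOGON_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
# Assumed watchlist: a clean hosts file names none of these, so any entry is suspect.
SECURITY_DOMAINS = ("symantec.com", "norton.com", "mcafee.com", "update.microsoft.com")

# Constructed sample standing in for an infected Windows XP machine (assumption).
XP_ENV = {"systemdrive": "C:", "windir": r"C:\WINDOWS", "system": r"C:\WINDOWS\system32"}
SAMPLE_FILES = [
    r"C:\WINDOWS\system\a8f3k2\csrss.exe",
    r"C:\WINDOWS\system32\csrss.exe",  # legitimate Client/Server Runtime, must stay
    r"C:\WINDOWS\system32\netstat.com",
    r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\csrss.lnk",
]
SAMPLE_VALUES = [
    (RUN_KEYS[0], "csrss", ""),
    (RUN_KEYS[1], "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),  # benign
    (WINLOGON_KEY, "run", r"C:\WINDOWS\system\a8f3k2\csrss.exe"),
]
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
127.0.0.1 www.symantec.com liveupdate.symantec.com  # injected by the worm
127.0.0.1 www.example.com
"""

def expand(pattern, env):
    """Replace %Name% tokens from env (lower-case keys); unknown tokens stay."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), pattern)

def check_files(existing_paths, env):
    """Return the paths in existing_paths that match a file indicator (case-insensitive)."""
    patterns = [expand(p, env).lower() for p in FILE_INDICATORS]
    return sorted(p for p in existing_paths
                  if any(fnmatch.fnmatchcase(p.lower(), pat) for pat in patterns))

def check_run_values(values):
    """values: (key_path, value_name, data) tuples; returns those matching the page's entries."""
    run_keys = {k.lower() for k in RUN_KEYS}
    hits = []
    for key, name, data in values:
        k, n, d = key.lower(), name.lower(), str(data).lower()
        if (k in run_keys and n == "csrss") or (
                k == WINLOGON_KEY.lower() and n == "run"
                and "\\system\\" in d and d.endswith("\\csrss.exe")):
            hits.append((key, name, data))
    return hits

def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for host in fields[1:]:
            yield fields[0], host.lower()

def check_hosts(text):
    """Return hosts entries that name a watched security domain."""
    return [(ip, h) for ip, h in parse_hosts(text)
            if any(h == d or h.endswith("." + d) for d in SECURITY_DOMAINS)]

def collect_windows_state():
    """On Windows, read the live inputs for the checks; elsewhere return None."""
    if os.name != "nt":
        return None
    import winreg  # exists only on Windows
    env = {k.lower(): v for k, v in os.environ.items()}
    env.setdefault("system", env.get("windir", r"C:\WINDOWS") + r"\system32")
    files = [p for pat in FILE_INDICATORS for p in glob.glob(expand(pat, env))]
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE, "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    values = []
    for key in RUN_KEYS + (WINLOGON_KEY,):
        hive, sub = key.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], sub) as h:
                for i in range(winreg.QueryInfoKey(h)[1]):
                    values.append((key,) + winreg.EnumValue(h, i)[:2])  # (key, name, data)
        except OSError:  # key absent or unreadable on this machine
            pass
    with open(env["system"] + r"\drivers\etc\hosts", errors="replace") as f:
        return env, files, values, f.read()

if __name__ == "__main__":
    env, files, values, hosts = collect_windows_state() or (XP_ENV, SAMPLE_FILES, SAMPLE_VALUES, SAMPLE_HOSTS)
    print(check_files(files, env), check_run_values(values), check_hosts(hosts), sep="\n")
```

Run it from Safe Mode before touching the registry: each registry hit is exactly the value to delete in step 4, and a csrss.exe hit under %Windir%\system is the worm's copy, not the legitimate one in %System%, which the patterns deliberately do not match.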
