This story was printed from ZDNet Australia.
Chronic virus plays Russian Roulette with your PC

By Robert Vamosi
January 15, 2001
URL: http://www.zdnet.com.au/news/security/soa/Chronic-virus-plays-Russian-Roulette-with-your-PC/0,130061744,120108134,00.htm


Prevent a complex new Word 97 macro virus from randomly wiping out your system's CMOS settings.

There's a new Word macro virus going around that could soon be firing rounds at your PC.

Chronic (WM97/Chronic-A) uses a complex counting process to determine when and what specific payload to execute based on your PC's system date.

Chronic arrives as an infected Word document either by network share or via e-mail and affects users of Windows 95 and 98. Once a system is infected, Chronic will keep count of the number of times it executes.

For every 25 times the virus runs on an infected system, Chronic will execute a complex series of checks on the system date. Under certain circumstances, Chronic's payload can overwrite a system's CMOS settings. At the moment there are only a few reports of this new virus.

How Chronic works

Each time the Chronic payload runs, the first 1020 bytes of the following files are modified and the text "Karachi_y2k7" is appended to these same files:

C:\WINDOWS\SOL.EXE
C:\WINDOWS\MSHEARTS.EXE
C:\WINDOWS\FREECELL.EXE

The modifications will corrupt a file such that it will no longer work.

According to the anti-virus company Sophos, if the current system day can be divided exactly by 2, Chronic will then print between 1 and 9 copies of the current Word document.

If the current system day can be divided exactly by 3, then the first 1020 bytes of the following files are modified and the text "Karachi_y2k7" appended:

C:\WINDOWS\ROUTE.EXE
C:\WINDOWS\PING.EXE
C:\WINDOWS\SYSTEM\NETOS.DLL
C:\WINDOWS\SYSTEM\NETDI.DLL
C:\WINDOWS\SYSTEM\NETBIOS.DLL
C:\WINDOWS\SYSTEM\NETAPI.DLL
C:\WINDOWS\SYSTEM\NETAPI32.DLL

However, Chronic can be much more sinister. If the current system day can also be divided exactly by 4, the virus will modify C:\WINDOWS\WIN.COM to contain the Trojan Troj/KillCMOS-E. This Trojan will attempt to overwrite the CMOS settings with random data and will be run the next time Windows is restarted.

If the current system day can be divided by 5 (i.e., the 5th, the 10th, the 15th), Chronic will lock the file sharing options of the current document with a password. That value may be "1297307460".

If the current system day can also be divided exactly by 6, the virus will copy C:\WINDOWS\WIN.COM to WIN.ORG and then create a new C:\WINDOWS\WIN.COM with the Trojan Troj/KillCMOS-E.

If the current system day can be divided exactly by 3 and by 6, then the first 1020 bytes of the following files are modified and the text "Karachi_y2k7" appended:

C:\WINDOWS\SYSTEM\NETCPL.CPL
C:\WINDOWS\SYSTEM\INETCPL.CPL
C:\WINDOWS\SYSTEM\MODEM.CPL
C:\WINDOWS\SYSTEM\URL.DLL
C:\WINDOWS\SYSTEM\SENDMAIL.DLL
C:\WINDOWS\SYSTEM\MAPI32.DLL
C:\WINDOWS\SYSTEM\INETCOMM.DLL
C:\WINDOWS\SYSTEM\INETCFG.DLL
C:\WINDOWS\SYSTEM\INETAB32.DLL
C:\WINDOWS\SYSTEM\INET16.DLL

If the current system day can be divided exactly by 3 and by 6 and by 9, then the following files are also affected:

C:\WINDOWS\SYSTEM\LPT.VXD
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MSPRINT.DLL
C:\WINDOWS\SYSTEM\MSPRINT2.DLL
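
A read-only check for the file damage described above, added here as an example (it is not from the article or from Sophos): it looks for the "Karachi_y2k7" text at the end of each listed file and for a WIN.ORG copy. The function names are illustrative, the marker is assumed to lie within the last 64 bytes of a damaged file, and WIN.ORG is assumed to sit in the Windows directory.

```python
import os
import tempfile

MARKER = b"Karachi_y2k7"  # text the article says is appended to damaged files

# Files named in the article, relative to the Windows directory.
TARGETS = """
SOL.EXE MSHEARTS.EXE FREECELL.EXE ROUTE.EXE PING.EXE
SYSTEM/NETOS.DLL SYSTEM/NETDI.DLL SYSTEM/NETBIOS.DLL SYSTEM/NETAPI.DLL
SYSTEM/NETAPI32.DLL SYSTEM/NETCPL.CPL SYSTEM/INETCPL.CPL SYSTEM/MODEM.CPL
SYSTEM/URL.DLL SYSTEM/SENDMAIL.DLL SYSTEM/MAPI32.DLL SYSTEM/INETCOMM.DLL
SYSTEM/INETCFG.DLL SYSTEM/INETAB32.DLL SYSTEM/INET16.DLL SYSTEM/LPT.VXD
SYSTEM/SPOOL32.EXE SYSTEM/MSPRINT.DLL SYSTEM/MSPRINT2.DLL
""".split()

def has_marker(path):
    """True if the marker text appears in the last 64 bytes of the file."""
    try:
        with open(path, "rb") as fh:
            fh.seek(0, os.SEEK_END)
            fh.seek(max(0, fh.tell() - 64))
            tail = fh.read()
    except OSError:  # missing or unreadable file: nothing to report
        return False
    return MARKER in tail

def scan(windir):
    """Return (list of damaged target files, whether WIN.ORG exists)."""
    damaged = [t for t in TARGETS
               if has_marker(os.path.join(windir, *t.split("/")))]
    # Assumption: WIN.ORG is created next to WIN.COM in the Windows directory.
    win_org = os.path.exists(os.path.join(windir, "WIN.ORG"))
    return damaged, win_org

def demo():
    """Constructed sample tree: one damaged file, one clean file, a WIN.ORG."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "SYSTEM"))
        with open(os.path.join(d, "SOL.EXE"), "wb") as fh:
            fh.write(b"\x00" * 1020 + b"rest of file" + MARKER)
        with open(os.path.join(d, "PING.EXE"), "wb") as fh:
            fh.write(b"MZ" + b"\x90" * 2000)
        open(os.path.join(d, "WIN.ORG"), "wb").close()
        return scan(d)

if __name__ == "__main__":
    print(demo())
```

A WIN.ORG hit means WIN.COM should be treated as replaced by the Trojan and not executed until it has been restored from clean media.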

How to remove or protect against Chronic

At the moment, only one anti-virus company, Sophos, has updated its signature files to include this virus. It is expected that other anti-virus companies will update their signature files in the coming days.

Prevention
Follow these steps to avoid the Chronic macro virus:

  1. "Don't open attachments!" One of the best ways to prevent virus infections is not to open attachments, especially when macro viruses such as Chronic are being actively circulated. Even if the e-mail is from a known source, be careful. A few viruses take the mailing lists from an infected computer and send out new messages with their destructive payload attached. Always scan the attached files first for viruses. Unless it's a file or an image you are expecting, delete it.

  2. Stay informed. Did you know that there are virus and security alerts almost every day?

  3. Get protected. If you don't already have virus protection software on your machine, you should. If you're a home or individual user, it's as easy as downloading any of the programs then following the installation instructions. If you're on a network, check with your network administrator first. If you're not sure if your existing anti-virus software is up-to-date, scan your system for free to find out.

  4. Scan your system regularly. If you're just loading anti-virus software for the first time, it's a good idea to let it scan your entire system. It's better to start with your PC clean and free of virus problems. Often the anti-virus program can be set to scan each time the computer is rebooted or on a periodic schedule. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses.

  5. Update your anti-virus software. Now that you have virus protection software installed, make sure it's up-to-date. Some anti-virus protection programs have a feature that will automatically link to the Internet and add new virus detection code whenever the software vendor discovers a new threat.
