Protector Plus
Anti virus software for Windows (XP, 2000, 2003, NT, Me, 98, 95), Exchange, NetWare
W32/Chod.A Worm
Information about the W32/Chod.A Worm:
W32/Chod.A is a mass-mailing worm. It infects Windows systems and spreads through email and MSN Messenger.
Mail characteristics:
The 'From' address of the infected mail will be any one of the following:
securityresponse@symantec.com
security@trendmicro.com
security@microsoft.com
The subject of the infected mail will be any one of the following:
Warning - you have been infected!
Your computer may have been infected
The infected attachment will be any one of the following:
message.pif
removal_tool.exe
netsky_removal.exe
message.scr
The body of the infected mail will be:
Your message was undeliverable due to the following reasons:
Your message could not be delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.
Your original message has been attached.
Message characteristics:
The text of the infected message will be any one of the following:
lol check this out, it freaked me out :S
omg check this out, it's just wrong :O
you have to see this, it's amazing!
ROFL!! you have to see this... wtf...
LOL! look at this, I can't explain it in words...
The infected attachment will be any one of the following:
paris hilton
picture
mypic
naked lesbian twister
gross
us together
awesome
The extension of the infected attachment will be any one of the following:
exe
scr
When the infected attachment is executed, the worm drops cpu.dll in the Windows System folder. It also creates a folder with a <random name> under the Windows System folder and drops the following files in it:
csrss.dat
csrss.exe
csrss.ini
It also creates a shortcut, csrss.lnk, in the Windows Startup folder.
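The dropped files listed above can be checked for on a live host or a mounted disk image. The script below is an added example, not part of the original description; its function names and the constructed demo tree (including the folder name qwzkx) are assumptions for illustration. Because the drop folder name is random, it matches on the three csrss.* files appearing together in a subfolder of the System folder.

```python
import tempfile
from pathlib import Path

DROPPED_TRIO = {"csrss.dat", "csrss.exe", "csrss.ini"}   # names from the description
SYSTEM_DLL, STARTUP_LNK = "cpu.dll", "csrss.lnk"


def entries(directory):
    """Sorted directory entries, or an empty list if the folder is unreadable."""
    try:
        return sorted(Path(directory).iterdir())
    except OSError:
        return []


def file_names(directory):
    """Lower-cased names of the regular files directly inside a folder."""
    return {p.name.lower() for p in entries(directory) if p.is_file()}


def chod_file_indicators(system_dir, startup_dir):
    """Return the W32/Chod.A file indicators found under the given folders."""
    findings = []
    if SYSTEM_DLL in file_names(system_dir):
        findings.append(f"{SYSTEM_DLL} in {system_dir}")
    # The drop folder name is random, so match on its contents instead:
    # a direct subfolder of the System folder holding all three csrss.* files.
    for sub in entries(system_dir):
        if sub.is_dir() and DROPPED_TRIO <= file_names(sub):
            findings.append(f"csrss.dat/.exe/.ini in {sub}")
    if STARTUP_LNK in file_names(startup_dir):
        findings.append(f"{STARTUP_LNK} in {startup_dir}")
    return findings


def demo():
    """Run the check on a constructed tree that mimics an infected host."""
    with tempfile.TemporaryDirectory() as root:
        system, startup = Path(root, "System32"), Path(root, "Startup")
        (system / "qwzkx").mkdir(parents=True)   # constructed "random" folder
        startup.mkdir()
        for f in ["cpu.dll", "csrss.exe"] + [f"qwzkx/{n}" for n in DROPPED_TRIO]:
            (system / f).touch()
        (startup / "csrss.lnk").touch()
        return chod_file_indicators(system, startup)


if __name__ == "__main__":
    print("\n".join(demo()) or "no indicators found")
```

The legitimate Windows csrss.exe sits directly in the System folder, so only a csrss.exe found together with csrss.dat and csrss.ini inside a subfolder is reported; treat any hit as a lead to confirm with an anti-virus scan.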
The worm modifies the registry at the following locations to load itself at each startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The worm blocks access to some security-related websites.
Propagation through email:
The worm scans files with the following extensions and collects all the available email addresses from the infected system:
adb, asp, cg, ctt, dbx, dhtm, doc, eml, htm, html, msg, oft, php, pl, rtf, sht, shtm, sql, tbb, txt, uin, vbs, wab, xml.
The worm mails itself to these addresses using its own SMTP engine.
Propagation through Messenger:
The worm sends a copy of itself to all users in the MSN Messenger contact list.
The worm tries to terminate the processes of some security-related software installed on the infected computer.
This worm first appeared on 13th March, 2005.
Other names of W32/Chod.A Worm:
This worm is also known as WORM_CHOD.A, W32.Chod@mm.