Classification

Category :

Malware

Type :

-

Aliases :

Chet, W32/Chet@MM, Anniv911, 11september, September11

Summary

This mass-mailer worm was found on September 10th, 2002. As it contains serious bugs, this worm will fail to function on most systems and can not be considered to be a realistic threat at this time.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Many things inside the worm's code suggest that it originates from Russia.

The worm tries to spread via an attachment file called 11september.exe. When this file is executed, the worm will attempt to send the following email to each address found from the Windows address book:

 From: main@world.com

 To: all-people-in-the-address-book

 Subject:
All people!!

 Attachment: 11september.exe

Dear ladies and gentlemen!

 The given letter does not contain viruses, and is not Spam.

 We ask you to be in
earnest to this letter. As you know America and

 England have begun bombardment of
Iraq, cause of its threat for all the world.

 It isn't the truth. The real reason is
in money laundering and also to cover up traces

 after acts of terrorism
September, 11, 2001. Are real proofs of connection between

 Bush and Al-Qaeda
necessary for you? Please! There is a friendly dialogue between

 Bin Laden and the secretary of a state security of USA in the given photos.

 In the following photo you'll see, how FBI discusses how to strike over New York to lose

 people as much as possible. And the document representing the super confidential

 agreement between CIA and Al-Qaeda is submitted to your attention. All this

 circus was specially played to powder brains!! You'll find out the truth.

 Naked truth, instead of TV showed.

For your convenience, and to make letter less, all documentary materials

 (photos and MS Word documents) are located in one EXE file.
Open it, and all materials will be

 installed on your computer. You will receive the
freshest and classified

 documents automatically from our site.

 It isn't a virus! You can trust us absolutely. We hope, that it will open your

 eyes on many things occurring in this world.

Please note that the screenshot was taken in a laboratory environment. The worm is unable to spread in normal conditions.

When Chet sends the infected messages it also collects information about the infected computer and the current user. All the collected data is sent to a predefined email address to Russia.

System infection

When the worm is first executed on a computer it copies itself to the Windows System Directory as 'synchost1.exe'. This file is then added to the registry as

'HKLU\Software\Microsoft\Windows\CurrentVersion\Run\ICQ1'

Chet stores some of its internal data in a registry key:

'HKLU\DefaultLcid2'

After 13th of September, 2002 the worm commits suicide and removes itself from the infected computer.

Payload

If the infected computer has a modem the worm tries to call a predefined phone number. The number most likely a local number in some country. The owner of the number is unknown, so it the purpose of the call.

Since the worm crashes relatively early this routine is never activated.