Threat Description

Chet

Details

Category: Malware
Platform: W32
Aliases: Chet, W32/Chet@MM, Anniv911, 11september, September11

Summary


This mass-mailer worm was found on September 10th, 2002. As it contains serious bugs, this worm will fail to function on most systems and can not be considered to be a realistic threat at this time.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


Many things inside the worm's code suggest that it originates from Russia.

The worm tries to spread via an attachment file called 11september.exe. When this file is executed, the worm will attempt to send the following e-mail to each address found from the Windows address book:

 From: main@world.com     To: all-people-in-the-address-book     Subject:  All people!!     Attachment: 11september.exe    Dear ladies and gentlemen!     The given letter does not contain viruses, and is not Spam.     We ask you to be in  earnest to this letter. As you know America and     England have begun bombardment of  Iraq, cause of its threat for all the world.     It isn't the truth. The real reason is  in money laundering and also to cover up traces     after acts of terrorism  September, 11, 2001. Are real proofs of connection between     Bush and Al-Qaeda  necessary for you? Please! There is a friendly dialogue between     Bin Laden and the secretary of a state security of USA in the given photos.     In the following photo you'll see, how FBI discusses how to strike over New York to lose     people as much as possible. And the document representing the super confidential     agreement between CIA and Al-Qaeda is submitted to your attention. All this     circus was specially played to powder brains!! You'll find out the truth.     Naked truth, instead of TV showed.    For your convenience, and to make letter less, all documentary materials     (photos and MS Word documents) are located in one EXE file.  Open it, and all materials will be     installed on your computer. You will receive the  freshest and classified     documents automatically from our site.     It isn't a virus! You can trust us absolutely. We hope, that it will open your     eyes on many things occurring in this world.  

Please note that the screenshot was taken in a laboratory environment. The worm is unable to spread in normal conditions.

When Chet sends the infected messages it also collects information about the infected computer and the current user. All the collected data is sent to a predefined e-mail address to Russia.

System infection

When the worm is first executed on a computer it copies itself to the Windows System Directory as 'synchost1.exe'. This file is then added to the registry as

'HKLU\Software\Microsoft\Windows\CurrentVersion\Run\ICQ1'  

Chet stores some of its internal data in a registry key:

'HKLU\DefaultLcid2'  

After 13th of September, 2002 the worm commits suicide and removes itself from the infected computer.

Payload

If the infected computer has a modem the worm tries to call a predefined phone number. The number most likely a local number in some country. The owner of the number is unknown, so it the purpose of the call.

Since the worm crashes relatively early this routine is never activated.



Detection


Detection in F-Secure Anti-Virus was published on September 11th, 2002:

Detection Type: PC
Database: 2002-09-11_02



Technical Details:Gergely Erdelyi and Sami Rautiainen; F-Secure Corp; September 10-11, 2002


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More