WORM_CHOD.A
Overview

Malware type: Worm

Aliases: W32/NoChod@MM (McAfee), W32.Chod@mm (Symantec), Worm/NoChod.A (Avira), W32/Chode-A (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

As of March 13, 2005, 2:51 PM PST (Pacific Standard Time, GMT -8:00), TrendLabs has received several infection reports of this new worm spreading in the US.

This worm may arrive via email or the instant messaging application MSN Messenger. To propagate via email, it harvests target email addresses from files with certain file name extensions, then sends a copy of itself as an attachment to email messages addressed to each address found. The email message it sends may have any of the following details:

From: (any of the following)
  • security@microsoft.com
  • security@trendmicro.com
  • securityresponse@symantec.com

Subject: (any of the following)
  • Warning - you have been infected!
  • Your computer may have been infected

Message Body:
Your message was undeliverable due to the following reason(s):

Your message could not be delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your original message has been attached.

Attachment: (any of the following)
  • message.pif
  • message.scr
  • netsky_removal.exe
  • removal_tool.exe

This worm also propagates via the instant messaging application MSN Messenger. It sends copies of itself to all available MSN Messenger contacts as any of the following files:

  • awesome
  • gross
  • mypic
  • naked lesbian twister
  • paris hilton
  • picture
  • us together

The file can have any of the following extension names:

  • .exe
  • .scr

It sends the copy of itself along with any of the following messages:

  • lol check this out, it freaked me out :S
  • LOL! look at this, I can't explain it in words...
  • omg check this out, it's just wrong :O
  • ROFL!! you have to see this... wtf...
  • you have to see this, it's amazing!

It modifies the HOSTS file to prevent access to antivirus-related Web sites. It also disables the firewall on affected systems and is capable of disabling several other services.
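As an added example (not code from the Trend Micro write-up), the following defender-side check parses a Windows HOSTS file and flags any entry that maps a security-vendor hostname to an address, which is the footprint left by the HOSTS modification described above. The watched-domain list and the sample HOSTS content are constructed assumptions for the example; the page does not list the worm's actual entries.

```python
import re

# Security-vendor domains a worm might sinkhole via the HOSTS file.
# Assumed list for this example (the page does not give the worm's entries);
# extend it with the update and portal hostnames used in your own estate.
WATCHED_DOMAINS = (
    "trendmicro.com",
    "symantec.com",
    "mcafee.com",
    "sophos.com",
    "avira.com",
    "microsoft.com",  # Windows Update and Microsoft security pages
)

# One HOSTS entry: an address, whitespace, then one or more hostnames.
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def hostname_is_watched(hostname: str) -> bool:
    """True if hostname equals, or is a subdomain of, a watched domain."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hosts_hijacks(hosts_text: str) -> list:
    """Return (line_no, address, hostname) for every entry naming a watched host.

    A worm typically points such entries at 127.0.0.1 or 0.0.0.0 to block the
    site; an entry pointing anywhere else is reported too, since a redirect to
    a foreign address is just as suspicious on a vendor hostname.
    """
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue  # blank or comment-only line
        address, names = m.group(1), m.group(2).split()
        for name in names:
            if hostname_is_watched(name):
                findings.append((line_no, address, name.lower()))
    return findings


# Constructed sample HOSTS file for demonstration; not taken from a real infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   www.trendmicro.com  # worm-style sinkhole entry
127.0.0.1\tsecurityresponse.symantec.com liveupdate.symantec.com
0.0.0.0     windowsupdate.microsoft.com
192.168.1.10    intranet.example.local
"""

if __name__ == "__main__":
    for line_no, address, name in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {address}")
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` into `find_hosts_hijacks`; any hit on a vendor hostname warrants restoring the file and checking the host for the other indicators listed on this page.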

This worm has backdoor capabilities. It connects to a remote IRC server and joins a specific IRC channel, where it listens for commands from a remote malicious user. It executes these commands locally on the affected system, giving the remote user virtual control over the system.

It allows remote malicious users to launch denial of service attacks against a target site.

This worm contains an embedded password-recovery tool, which is capable of stealing passwords from various instant messaging applications.

For additional information about this threat, see:
Solution
Technical Details

Description created: Mar. 13, 2005 5:36:12 PM GMT -0800
