Results 1 to 3 of 3

Thread: anyone heard of worm.runouce?

  1. #1
    Junior Member
    Join Date
    Jul 2002

    Question anyone heard of worm.runouce?

    does anyone know worm.runouce?and how to kill it?
    i used norton virus scanning and killed it,but the next time it appeared again,and its no use to end the virus course,what can i do(i dont want to reinstall the system)?? thx!

  2. #2
    Junior Member
    Join Date
    Jun 2002
    Most worms you should be able to get rid of after playing in your registry. BTW. MSInfo provides a wealth of information about your machine, including running programs, start-up programs, etc. It tells you the exact location of the file as well.

    Here's an extract from http://www.sophos.com/virusinfo/analyses/w32chira.html

    W32/Chir-A is an internet worm that tries to spread via email by sending itself to email addresses found in the Windows address book.

    The email will have the following characteristics:
    Sender address: <username>@hotmail.com or iloveyou@btamail.net.cn
    Subject line: Hi,i am <username>
    Attached file: p.exe

    The worm attempts to exploit a MIME and an IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express and Internet Explorer to allow the executable file to run automatically without the user double-clicking on the attachment. Microsoft has issued a patch which secures against this vulnerability which can be downloaded from Microsoft Security Bulletin MS01-027. (This patch was released to fix a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.)

    When run the worm copies itself into the Windows system folder as runouce.exe (not runonce.exe) and sets the following registry entry so that the worm will be automatically started when Windows starts up:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Runonce =
    C:\<Windows system folder>\runouce.exe

    The worm also creates several EML files with the name <computername>.eml on network drives. These EML files contain a base64-encoded copy of the worm.

  3. #3
    Senior Member
    Join Date
    Feb 2002



    Here is a link to a Symantec write-up on renouce:

    The Worm

    Good luck.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts