
Virus Detail

Win32.Chopemail

Date Published:
10 Jan 2005

Last Updated:
11 Jan 2005

Threat Assessment

Overall Risk: Very Low
Wild: Low
Destructiveness: Low
Pervasiveness: None

Characteristics

Type: Trojan

Category: HTMLWin32

Also known as: HotWorld (McAfee), Win32.Chopemail.A, HTML.Chopemail.A, HTML.Chopemail.B, Win32.Chopemail.B, HTML/Chopemail.B.Trojan, HTML_CONYC.A (Trend), Troj/ConycSp-A (Sophos), TROJ_CONYCSPA.A (Trend), Win32/Conycspa.A.Trojan, W32.Conycspa@mm (Symantec), Trojan.Win32.Conycspa.a (Kaspersky), Trojan.Win32.Delf.gq (Kaspersky)

Immediate Protection Info

Signature    Product                                 Removal Instructions
11.x/8848    eTrust Antivirus v7/8* (Vet Engine)
6.1x/5991    eTrust EZ Antivirus 6.1x
6.2x/8848    eTrust EZ Antivirus 6.2x
6.3x/8848    eTrust EZ Antivirus 6.3x
6.4x/8848    eTrust EZ Antivirus 6.4x
7.x/8848     eTrust EZ Antivirus 7.x
10.5x/5991   Vet Anti-Virus 10.5x
10.6x/8848   Vet Anti-Virus 10.6x

Description

Win32.Chopemail is a trojan that sends e-mail containing a link to a malicious web page that attempts to exploit various Internet Explorer vulnerabilities in order to download another trojan onto the affected machine, namely Win32.Chopenoz.


Payload

Sends E-mail

When executed, Chopemail searches for e-mail addresses stored on the local system. It does this by opening the following directory and then every sub-folder within it (each sub-folder corresponds to a user of the system):

<Windows Drive>\Documents and settings\

Note: <Windows Drive> is usually C:\ (or whichever drive the Windows operating system has been installed to).


E-mail addresses are written to the file %Windows%\s.txt.

Note: '%Windows%' is a variable location. The trojan determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory is C:\Winnt for Windows 2000 and NT; C:\Windows for Windows 95, 98 and ME; and C:\Windows for Windows XP.

Chopemail creates the following three files in the %Windows% directory and uses them to perform MX lookups:


  • IN
  • OUT
  • RUN.bat

After this, it sends an e-mail to the user's mail server. The e-mails are in HTML format. At the time of publishing, CA had received reports of two different variants in the wild. While the variants are very similar in function, the e-mails they send have slightly different formats:


E-mail sent by Win32.Chopemail.A:


From: girl@worldgirls.com
Subject: Re: hot pics
Body:
Hello, mate!
Just found this hot teen girl, if you want you can see here:
http://www.nude-teens-bodies.com/girl/
sweet body and hot tits!

reply me what you think about


The e-mail also contains a hidden IFrame which gets its content from the http://conyc.com/ domain. Please see an example of the e-mail below:



E-mail sent by Win32.Chopenoz.B:


From: girl@bestearthgirls.com <girl@bestearthgirls.com>
Subject: Re: hot pics
Body:
Hello, mate!
Just found this hot teen girl, if you want you can see here:
http://cn.to/troom
sweet body and hot tits!

reply me what you think about


The e-mail also contains a hidden IFrame which gets its content from the http://cn.to/troom domain.



We expect future variants to use a similar e-mail structure.


The link that the e-mail points to has been designed to exploit unpatched versions of Internet Explorer using exploits for multiple vulnerabilities. If one of the attacks is successful, the system is infected with a Win32.Chopenoz variant.


The embedded IFrame may also compromise unpatched machines; this depends on what content is served by the web server (which obviously may be subject to change).
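As an added example (not part of the CA advisory or its analysis), the following Python script parses an HTML e-mail and reports every IFrame, flagging those that are hidden and whose source host is one of the domains named above; the watchlist and the sample message are constructed for illustration and the sample is not a real capture.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hidden-IFrame source domains named in this advisory (watchlist; extend as needed).
SUSPECT_DOMAINS = {"conyc.com", "cn.to"}

class IFrameFinder(HTMLParser):
    """Collect the attributes of every <iframe> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def is_hidden(attrs):
    """Zero-sized or CSS-hidden frames match the pattern described above."""
    style = attrs.get("style", "").replace(" ", "").lower()
    dims = (attrs.get("width", "").strip(), attrs.get("height", "").strip())
    return "0" in dims or "0px" in dims or "display:none" in style or "visibility:hidden" in style

def host_watchlisted(src):
    # True when the frame's host is, or is under, a watchlisted domain.
    host = (urlparse(src).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)

def scan_message(raw):
    """Return (src, hidden, watchlisted) for every iframe in the HTML parts."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = IFrameFinder()
        finder.feed(part.get_content())
        for a in finder.iframes:
            src = a.get("src", "")
            findings.append((src, is_hidden(a), host_watchlisted(src)))
    return findings

def is_suspicious(raw):
    """Flag a message carrying a hidden iframe that points at a watchlisted host."""
    return any(hidden and listed for _, hidden, listed in scan_message(raw))
# Constructed sample shaped like the Chopemail.A message above (not a real capture).
SAMPLE_EMAIL = (
    "From: girl@worldgirls.com\nSubject: Re: hot pics\n"
    "Content-Type: text/html; charset=us-ascii\n\n<html><body>Hello, mate!"
    "<iframe src='http://conyc.com/' width='0' height='0'></iframe>"
    "<iframe src='http://example.com/player' width='300' height='200'></iframe></body></html>\n"
)
```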


Deletes Files

Win32.Chopemail deletes C:\messanger.bak if it exists on an affected system. It then renames C:\messanger.ini to C:\messanger.bak.


Analysis by Paul Taylor

