Chick | |
---|---|
Type | Multiple vector worm |
Creator | |
Date Discovered | 2002.02.19 |
Place of Origin | |
Source Language | Visual Basic |
Platform | |
File Type(s) | .chm |
Infection Length | 10,622 bytes |
Reported Costs |
Chick, also known as Brit or Britney is a mass-mailing worm from 2002. Its original variant and several others, promising pictures of pop star Britney Spears, is one of many celebrity-themed email worms from this year. This one spreads through both Email and IRC. It arrives as a Microsoft Compiled HTML Help file, commonly used for ebooks and online documentation. Chick never made the top 10 virus/worm charts, partly because it did not mass-mail itself.
Behavior
Chick may arrive in an email with a subject of "RE: Britney Pics". The body will be "Take a look at these pics … Regards," with the name of the current user. The attachment will be "BRITNEY.CHM", though this is variable, so there is a possibility it might be something else. It may also come as an attachment in a mIRC session with the same name. This is a compiled HTML file with a VBS script.
![]() |
|
The "Free Britney Pics !!!!" text scrolls to the left. |
---|
When the attachment is executed, it opens the CHM file viewer and encourages the user to enable ActiveX allegedly to view the pictures. The worm requires ActiveX to be activated to run any further. If the user chooses to enable ActiveX, the worm script will run.
It looks for the file "script.ini" in drives, C:, D: and E: in the mIRC installation folder and replaces it with its own copy. It then sends a copy through IRC, usually with the file name BRITNEY.CHM. It creates a registry key "chm" under a local machine registry key to mark the system as infected. It sends a copy of itself through Outlook to the first email in the address book.
Variants
Chick produced several variants (most antivirus products report up to Chick.K), the general theme of all of them seems to be naked celebrities. Chick.G promises the results of the Korea/Japan World Cup championship game.
Effects
The worm failed to make many top 10 list for popular malware. While the .chm extension whose icon looks like something that will be read and not executed should have aided its spreading, a few other factors may have contributed to the worm failing to spread very far. The fact that it did not mass-mail itself like many of its contemporaries was a factor inhibiting the spread. Also, the fact that it requires so much help from the user to spread did not help it, as a user might be smart enough to think something must be up if one must go through so many steps just to see some pictures. Some antivirus researchers however, warned that this is not necessarily a sign that users are getting smarter.
Sources
Katrin Tocheva, Sami Rautiainen. F-Secure Antivirus, F-Secure Virus Descriptions : Chick
John Leyden. The Register, Britney Spears virus fails to chart. 2002.03.04