Chir

Category: worm · Aliases: None known · Sample count (EMBER 2018): 99 · Enrichment: high · Updated: 2026-06-09

Overview

W32.Chir (or Runouce) is a polymorphic file infector and mass-mailing worm that targets Windows environments. Upon execution, it searches local and network drives to infect executable files (.exe, .scr) by appending its viral code to the target files. Additionally, it harvests email addresses from the compromised system (often looking through Windows Address Book and HTML files) and uses its own SMTP engine to send infected email messages to those contacts. The emails typically contain deceptive subject lines and an infected attachment designed to trick the recipient into executing the worm. To maintain persistence and ensure it runs on every boot, Chir typically drops a copy of itself in the Windows system directory (e.g., as runouce.exe) and adds a corresponding entry in the Windows Registry Run keys.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1566.001Phishing: Spearphishing AttachmentInitial Access
T1114.001Email Collection: Local Email CollectionCollection
T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderPersistence
T1059Command and Scripting InterpreterExecution
T1105Ingress Tool TransferCommand and Control

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_CHIR {
    meta:
        description = "Detects Chir (worm)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "chir" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Chir Activity
id: cad1783bdff6c9a3c33d5ac5c644b2d9
status: experimental
description: Detects generic indicators of the chir malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*chir*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Isolate the infected machine from the network immediately to prevent network drive infection and mass-mailing.
  2. Block outbound SMTP traffic (port 25, 587) from non-authorized internal hosts at the firewall.
  3. Run a full system scan using a reputable anti-malware solution capable of disinfecting (stripping) polymorphic viral code from executables.
  4. Check and remove malicious Registry Run keys pointing to dropped binaries like 'runouce.exe'.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not execute unknown or unexpected email attachments, even if they appear to come from a known contact.
  2. Do not rely solely on simple file deletion, as the worm infects legitimate executable files which must be repaired rather than deleted.

References & External Analysis

Related Families (Category: worm)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/chir.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.