W32.Chir (or Runouce) is a polymorphic file infector and mass-mailing worm that targets Windows environments. Upon execution, it searches local and network drives to infect executable files (.exe, .scr) by appending its viral code to the target files. Additionally, it harvests email addresses from the compromised system (often looking through Windows Address Book and HTML files) and uses its own SMTP engine to send infected email messages to those contacts. The emails typically contain deceptive subject lines and an infected attachment designed to trick the recipient into executing the worm. To maintain persistence and ensure it runs on every boot, Chir typically drops a copy of itself in the Windows system directory (e.g., as runouce.exe) and adds a corresponding entry in the Windows Registry Run keys.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
| Technique | Name | Tactic |
|---|---|---|
T1566.001 | Phishing: Spearphishing Attachment | Initial Access |
T1114.001 | Email Collection: Local Email Collection | Collection |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence |
T1059 | Command and Scripting Interpreter | Execution |
T1105 | Ingress Tool Transfer | Command and Control |
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_CHIR {
meta:
description = "Detects Chir (worm)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "chir" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Chir Activity
id: cad1783bdff6c9a3c33d5ac5c644b2d9
status: experimental
description: Detects generic indicators of the chir malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*chir*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/chir.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.