
SANS ISC: Potential New AOL Chat Virus - SANS Internet Storm Center

Potential New AOL Chat Virus
We have a report that a new virus may be making the rounds, distributed via AOL chat.

Details are sketchy so far, but we have the following thanks to Alan and Chris.

McAfee deletes the viruses, but every time the user logs off and back onto the system, the batch file is regenerated.

The user gets a chat message via AOL:

       "Checkout this JPEG" with a link

After the user clicks the link, it sends to everyone on their buddy list and creates the file


Contents of the file: it is set to disable MS security, firewall

Creates 3 registry entries, one of which is a service:

Hkey_local_machine\Software\Microsoft\Windows\Current Version\Run

       Name: Strtax    Data: lock.exe  (Delete)

Hkey_local_machine\Software\Microsoft\Windows\Current Version\Run Services

       Name: Strtax    Data: lock.exe  (Delete)

Hkey_User\Software\Microsoft\Windows\Current Version\Run Services

       Name: Strtax    Data: lock.exe  (Delete)

After deleting those three keys and rebooting, the xz.bat file stopped trying to reload itself.
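To check registry exports collected from several machines for the entries listed above, the following added example (not part of the original diary) parses regedit `.reg` export text and flags autostart values named Strtax or pointing at lock.exe. It assumes the "Current Version\Run" and "Run Services" keys written above are the standard `CurrentVersion\Run` and `CurrentVersion\RunServices` keys; the sample export is constructed.

```python
import re

# Indicators reported above: value name "Strtax", data "lock.exe".
IOC_NAME = "strtax"
IOC_EXE = "lock.exe"

# Assumption: standard autostart key names; matched as suffixes so any hive
# (HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, HKEY_USERS\<SID>) is covered.
AUTOSTART_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runservices",
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Constructed sample of a regedit export (not taken from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVTray"="C:\\Program Files\\AV\\avtray.exe"
"Strtax"="lock.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Strtax"="lock.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Strtax"="C:\\WINDOWS\\system32\\lock.exe"

[HKEY_CURRENT_USER\Software\Example\Settings]
"Strtax"="lock.exe"
'''

def find_strtax_entries(reg_text):
    """Return (key, name, data) for autostart values matching the indicators."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(AUTOSTART_SUFFIXES):
            continue
        name = m.group("name")
        data = m.group("data").replace("\\\\", "\\")  # .reg escapes backslashes
        exe = data.split("\\")[-1].lower().split()    # file name without path/args
        if name.lower() == IOC_NAME or (exe and exe[0] == IOC_EXE):
            hits.append((key, name, data))
    return hits
```

Values under keys other than the two autostart locations are ignored, so the `Example\Settings` entry in the sample is not reported.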

If you have a copy of xz.bat or lock.exe please submit it by using the contact form at


Sep 28th 2005
