|
|
I-Worm.Ronoper. Viruses Information
| Name: |
I-Worm.Ronoper. |
| Category: |
Viruses |
| Description:
|
Details
I-Worm.Ronoper.a
Ronoper is a worm virus spreading via the Internet as an attachment to infected emails. The worm has a primitive backdoor routine and is able to download and install other trojan files.
The worm itself is a Windows PE EXE file about 16KB in length when compressed by UPX, the decompressed size is approx. 50KB; it is written in Delphi.
Infected messages have the following attributes:
Subject: Re: Body: I Hope you reply me. Thank you very much for reading my msg Bye. Attach: WinCfg32.exe
The worm is activated from infected emails only when a user clicks on the attached file. Once run the worm installs itself to the system and runs its spreading routine and backdoor.
Installing
During installation the worm copies itself to Windows directory under the name "WinCfg32.exe" and registers this file in the system registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
WinCfg32 = %WinDir%WinCfg32.exe
Spreading Backdoor
The backdoor routine connects to a machine (located somewhere in Turkey) and listens for its "master's" instructions. Such instructions can include:
- reports system information
- reboots machine
- joins "ronop" IRC channel
Other
The 'Ronoper' worm downloads an EXE file from the http://www.kamerali.com site, stores it to TEMP directory under the name "security.exe" and executes it.
By doing this the worm is able to install trojan programs onto infected machines. |
Top Viruses Visited Pages:
Invader. - 229 visits
not-a-virus:RiskWare.Tool.RegPatch. - 69 visits
Worm.P2P.Harex. - 63 visits
not-a-virus:RemoteAdmin.Win32.RAdmin.2 - 55 visits
Small.58. - 55 visits
Coito.64 - 53 visits
I-Worm.Mapson. - 45 visits
Win16.Klon.1177 - 40 visits
Win32.Hidra - 40 visits
Marine.500 - 34 visits
Random Viruses Pages:
GERD.79
LptOff Famil
Macro.Word.Quee
DogLasi.153
NoHook.4
GD.53
Macro.Word97.Mxfile
Macro.Word.Emplo
Xabaras.197
Fasola.221
|
|
