| Description:
|
Details
I-Worm.Roron.12
Roron is a worm virus spreading via the Internet as an
attachment to infected emails via network shared drives and
the KaZaa network. The worm also has an IRC-based backdoor.
The worm itself is a Windows PE EXE file about 120KB in length,
written in Microsoft Visual C++.
Installing
While installing the worm copies itself to the Windows directory
with the "rundll16.exe" name and registers this file in
system registry auto-run keys:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
LoadCurrentProfile = Rundll16.exe powprof.dll,LoadCurrentUserProfile
HKCRexefileshellopencommand
%WinDir%Rundll16.exe "%1" %*
HKCRregfileshellopencommand
%WinDir%Rundll16.exe regedit.exe "%1"
The worm also copies itself to Windows system dir and
to "Program Files" dir. To select the destination name the
worm gets random file names from victim directories, or
directory names, and adds one of random selected
extensions:
98.exe
16.exe
32.exe
For example, worm copies may have following names:
Program FilesOnline ServicesOnline Service16.exe
WindowsSystembrowseui16.exe
These files are as well registered in the Registry HKLMallRun=
keys and/or in WIN.INI file in the [windows]
section in "run=" instruction.
The worm then may display following fake message:
WinZip Self-Extractor License Confirmation
Your version of WinZip Self-Extractor is not licensed, or the license information is missing or corrupted. Please contact
the program vendor or the web site (www.WinZip.com) for additional information.
The worm also creates its data file in Windows directory, and
uses it for its internal needs (it stores its variables in
there). The file name is:
"winfile.dll"
The worm copies may be found under the following names as well
(this list is referred to later as the 'names list'):
Zip Password Recovery v4.5.exe
Star Craft 2 Trailer.exe
WWF!!_The_ROCK(sHOw).exe
cRedit CarDs gEn v1.2.exe
WinZip 8.2 (Cracked).exe
GTA 3 Bonus Cars.exe
Eminem Desktop.exe
DMX tHeMe (full).exe
NFS 5 Bonus Cars.exe
Counter Strike 1.5 (Editor).exe
Madonna - My Life (Review).exe
DivX 5.4 Bundle.exe
KaZaA Media Desktop v1.8.3.exe
Win XP key gen 2.1B.exe
Serials 2002 Update.exe
Emails
The infected messages have different Subjects, Bodies and
Attached file names (see below).
The worm activates from infected email only in case a user
clicks on attached file. The worm then installs itself to
the system, runs spreading routine and payload.
To send infected messages the worm uses Windows MAPI functions
and sends messages to all addresses found in messages from
Email boxes.
Attached file names are selected from the following variants:
Star Craft 2 Trailer.exe
WWF_The_ROCK(sHOw).exe
Sound Factory SFX.exe
Eminem Desktop.exe
DMX tHeMe (full).exe
Love Zodiak.exe
[TNT]GeN.exe
Worm Guard.exe
mTV Charts.exe
Setup.exe
mTV Charts.exe
Subjects and Message bodies are randomly selected from the
variants displayed below, where %s is one of the EXE file
names listed above. The following text is written in
Bulgarian and English.
Zdrasti..
Hey, kak varvi, neshto novo ima li :) Adski mi sa spi, daje ei sq smqtam da si legna ama purvo shte si vzema edin dush :)) Skoro shti pratq onva deto obeshtah, za sq mojesh da hvarlish edno oko na %s - ako imash nqkvi predlojeniq, komentari ili kakvoto i da e pishi mi :)) Aide doskoro i umnata ~pPp
Ohoo!!
Zdravei, zdrasti, dai pari za pasti :)) Ko praish? Za teb neznam ama v momenta se chustvam mnoo qko i reshih da ti pisha :) Kolko ti e rekorda na minichkite? Toku shto na Expert razminirah za 2 minuti :))) Ei sq smqtam da si vzema nqkoi qk film i da gledam. Hodil li si na %s - Mnoo me kefi :)) Za drugo ne se seshtam tai che chao za sega :))
Ei dupe :)
Zdrasti :)) Nqma da povqrvash kakvo mi se sluchi neska :) Vidqh Slavi Trifonov i nqkvi mnoo qki madami s nego :))) Ko shi kaish a? Misleh da mu iskam avtograf ama me dosramq :(( Karai, drug pat ~pP. Begai na %s :) Malko e stranen, no ne e losh. Hmm, ti ko praish? Pishi mi :)
Chao
Liubofta e kato Rai, no moje da boli kato Ad
Zdr, izpratih na vsichki edna programka, mnoo qka, btw to imeto si pokazva. Subject-a e ot tam i ima i drugi mnogo qki misli. Moje da pokaje nai-podhodqshtiq partnior v liubofta :)) Ujasno e kak liubofta moje da ubie vsichko v teb.. Za shtastie ne vinagi e taka :) Inache nishto novo, karam q nqkak.. Sega trqbva da izlizq za malko tai che bye :))
ZzZz :)
Zdrasti, kak q karash :) az sam dobre, makar che naposledak imam malko problemi. Tvarde mnogo mi se strupa navednaj, udarih si rakata ei sq i mnogo me boli.. Kakvo da se pravi, takav e jivota.. Vchera namerih nqkav generator na kreditni karti i mai bachka, samo edin put go probvah ama stana, vij dali pri teb sha raboti i umnata :) Ai doskoro :)) Chao ti
Vajno!!
Ima nov opasen virus v neta! Razprostranqva se predimno po IRC i ICQ. Vnimavai da ne se zarazish, zashtoto iztriva Mp3-ki, Filmi i Dokumenti. Izpratih ti patch, koito shte te paziot zarazqvane. Iskah da napisha po-dulgo pismo, no nqmah vreme, sorka.. Naposledak imam adski mnogo rabota nalqvo nadqsno :)) Inache kak varvi? Chao i watch out :)))
Bla Bla :)
Hi, kak e :) ko si praikash? az si slusham muzichka - ATC i Mortal Kombat Soundtrack - Varhovni sa, napravo izbuhnah :))) Drapnah si gi ot neta s taq programka - ima 200 kubriliona klasacii :) Naposledak muzikata e edno ot malkoto mi udovolstviq
P.S. Obezatelno si drapni ATC - Why oh why.mp3 :))
Chao, doskoro!!
HeY..
HeY.. Buddz what'z up :) How are you? I'm fine, 10x!! My friend Nina is here and we are.. You know :) Lalala !! Be happy, don't worry ~pPp. Btw check this site - %s, it's fresh :)) I'm a little drunk and i've gotta go now !! Wish me luck :)) Cya
ZzZz :)
Hi buddy, what's up :)) I've only wanted to remind you not to forget about our little, dirty secret :) And don't tell anybody :Ppp. Have you seen this site - %s c00l :) Leave this away, how are you? Send me sth cool, plzz:) bye! :)
BlaBla
Hey :) Wasupp ~Pp I wanted to write you a letter, but i didn't know what to talk about actually :) Have you ever done an IQ test, i've just scored 120 points :) I'm not sure if this is good or bad, who cares :) Have you visited %s :) Finally, how are you:) i'll be very happy if you send me 1,2 funny cards :)))) bye! :)
Be careful
There is a new, dangerous virus in the net. It's called Roro and it's using IRC to infect computers. The virus deletes movies, music and system files. To prevent from infecting, install McAfee Anti-Script 2002. It's a 30-days demo..
So, how are you? Good, Bad? I'm oK. I wanted to write you a longer letter, but i didn't have enough time.. sorry. Bye
yoOo ;)
YoOo :)) What a nice day, what a nice time :) What a nice world :)) Do you have Blade 2? I've just watched it twice, it's marvellous! lol ~pPp Do you have any ATC's mp3z? CooL :))) I've found them with this program, it's like Napster, but it's legal :))
P.S. Download ATC - Why oh why.mp3 !!! Bye ~~~~ppPpP ;)
Wow..
Hello :>> How are you? What're you doing :) Do you have Blade 2? I've just watched it twice, it's marvellous! You can't guess what I've found.. A working Credit Card generator :))) I purchased a bride from Russia yesterday :) LoL.. I gave a fake address of course :))) Promise me not to send it to anybody! Don't go too far and watch out :)) Bye..
Hi!!
Hey you!! Wasssssssuppppppp :)))) Where are you? What are you doing? I've just got high in the sky, my oh my :)) It's like I don't care about nothing man :)) sMiLe :oP~pPPPpp I send you a sexy, little thing :)) Everything is just an illusion. Believe me.. It's time to say goodbye
now.. See you
Infecting Network
The worm looks for remote drives and copies itself to there with
one of randomly selected names from "names list" (see
above). The worm is able to affect a drive only in case the
drive is open for full access.
The worm looks for remote drives by two methods:
enumerates all available logical drives (from C: till Z:) ,
gets their type and infect them in case
they are shared network drives
enumerates network resources by using Windows API functions,
and affects found drives.
To start its copy on next Windows restart on remote machine the
worm writes to the "autorun.inf" file on the remote drive
the "OPEN=" command.
Infecting KaZaa
The worm copies itself to KaZaa file sharing folder with random
selected name from the "names list" above.
IRC-backdoor
The worm looks for mIRC client files, and injects new INI file
to there, the new INI file name is randomly selected
from variants:
alias.ini
server.ini
notes.ini
popup.ini
The worm's INI file is a backdoor script program. By connecting
to IRC channels it allows to remote hacker to have control
over infected machine: send/receive/execute files, send spam
messages, restart machine, send PC information out, e.t.c.
Payload
The worm removes all files on all available local drives if:
current date is 9th or 19th
in case worm's "winfile.dll" is removed from Windows directory
in case worm's Registry Run= keys are removed
depending on its random counter
Other
The worm tries to terminate anti-virus programs by using ID
strings:
black,panda,shield,guard,scan,mcafee,nai_vs_stat,iomon,
navap,avp,alarm,f-prot,secure,labs,antivir,zone,
virus,worm,antivir,f-secure,f-prot,kaspers
By using the same strings the worm looks for anti-virus disk
files (anti-virus software installed on the system), and
deletes these files.
The worm also creates system mutex "RoRo" to avoid multiple
copies in Windows memory.
Removal
To remove worm from the system you should scan all drives on
your computer with anti-virus program, remove all worm
copies from the system, and then remove worm data file
(winfile.dll) and the worm's registry keys (see above).
Important NOTE: if the worm registry keys
or "winfile.dll" file is removed, but there is at least one
worm copy left on the computer - this may activate the worm
to remove all files from your system. |
