I-Worm.Roron.12
Roron is a worm that spreads via the Internet as an attachment to infected emails, via shared network drives, and via the KaZaa file-sharing network. The worm also carries an IRC-based backdoor.
The worm itself is a Windows PE EXE file about 120KB in length, written in Microsoft Visual C++.
Installing
On installation the worm copies itself to the Windows directory under the name "rundll16.exe" and registers this file in the following system registry auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LoadCurrentProfile = Rundll16.exe powprof.dll,LoadCurrentUserProfile
HKCR\exefile\shell\open\command
%WinDir%\Rundll16.exe "%1" %*
HKCR\regfile\shell\open\command
%WinDir%\Rundll16.exe regedit.exe "%1"
The worm also copies itself to the Windows system directory and to the "Program Files" directory. To build the destination name, the worm takes a random file or directory name from the victim directory and appends one of the following randomly selected extensions:
98.exe
16.exe
32.exe
For example, worm copies may have the following names:
Program Files\Online Services\Online Service16.exe
Windows\System\browseui16.exe
These files are also registered in the Registry HKLM\...\Run keys and/or in the WIN.INI file, in the "run=" instruction of the [windows] section.
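As an added example that is not part of the original alert, the following Python script checks a registry export (.reg text) and a WIN.INI file for the three persistence mechanisms described above: the Run value that launches rundll16.exe, the rewritten exefile/regfile shell\open\command handlers, and the WIN.INI run= line. The stock handler strings, the function names and the sample inputs are assumptions constructed for this demonstration, not data from the alert.

```python
# Indicators taken from this alert: the dropped file name, the Run key and
# the two shell\open\command keys it rewrites, and the three random suffixes.
# The clean baseline handler strings, the function names and the sample
# inputs below are constructed for this example.
WORM_BINARY = "rundll16.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CLEAN_SHELL_COMMANDS = {  # assumed stock values on a clean system
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command": 'regedit.exe "%1"',
}
RANDOM_SUFFIXES = ("98.exe", "16.exe", "32.exe")


def _unquote_reg_sz(data):
    """Strip the surrounding quotes of a REG_SZ value in .reg syntax and
    undo its \\" and \\\\ escapes."""
    data = data.strip()
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    return data.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse the subset of .reg syntax used here ([key] headers, "name"=data
    and @=data lines) into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = _unquote_reg_sz(data)
    return keys


def parse_win_ini_run(text):
    """Return the comma-separated programs on the run= line of the [windows]
    section of WIN.INI, or [] if there is no such line."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows":
            key, _, value = line.partition("=")
            if key.strip().lower() == "run":
                return [p.strip() for p in value.split(",") if p.strip()]
    return []


def find_persistence(reg_text, win_ini_text):
    """Return a list of (severity, detail) findings for the three
    persistence mechanisms the alert describes."""
    reg = parse_reg_export(reg_text)
    findings = []
    # 1. HKLM\...\Run values that launch the dropped binary.
    for name, data in reg.get(RUN_KEY, {}).items():
        if WORM_BINARY in data.lower():
            findings.append(("high", f"Run value {name!r} launches {data}"))
        elif data.lower().endswith(RANDOM_SUFFIXES):
            # Weak signal on its own: legitimate programs also end in 32.exe.
            findings.append(("low", f"Run value {name!r} has a worm-style suffix: {data}"))
    # 2. exefile/regfile handlers that would wrap every .exe/.reg launch.
    for key, clean in CLEAN_SHELL_COMMANDS.items():
        current = reg.get(key, {}).get("(Default)")
        if current is None:
            continue
        if WORM_BINARY in current.lower():
            findings.append(("high", f"{key} wraps launches with {current}"))
        elif current.lower() != clean.lower():
            findings.append(("medium", f"{key} is not the stock handler: {current}"))
    # 3. The legacy WIN.INI run= line.
    for prog in parse_win_ini_run(win_ini_text):
        if WORM_BINARY in prog.lower():
            findings.append(("high", f"WIN.INI run= starts {prog}"))
        elif prog.lower().endswith(RANDOM_SUFFIXES):
            findings.append(("low", f"WIN.INI run= entry has a worm-style suffix: {prog}"))
    return findings


# Constructed sample inputs: an infected machine's export and WIN.INI.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LoadCurrentProfile"="Rundll16.exe powprof.dll,LoadCurrentUserProfile"
"SystemTray"="SysTray.Exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\Rundll16.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
'''
SAMPLE_WIN_INI = "[windows]\r\nload=\r\nrun=C:\\Windows\\System\\browseui16.exe\r\n[Desktop]\r\nWallpaper=(None)\r\n"

if __name__ == "__main__":
    for severity, detail in find_persistence(SAMPLE_REG, SAMPLE_WIN_INI):
        print(f"[{severity}] {detail}")
```

The exefile handler check matters most for cleanup: with that key rewritten, every .exe launch passes through rundll16.exe, so the handler has to be restored to its stock value before the worm binary is deleted, or no program (including the anti-virus) will start. Run the script against an export taken with regedit on the suspect machine; on Windows 9x/Me also feed it the real WIN.INI, since the run= line is honoured there.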
The worm may then display the following fake message:
WinZip Self-Extractor License Confirmation
Your version of WinZip Self-Extractor is not licensed, or the license information is missing or corrupted. Please contact the program vendor or the web site (www.WinZip.com) for additional information.
The worm also creates a data file in the Windows directory and uses it for its internal needs (it stores its variables there). The file name is:
"winfile.dll"
The worm's copies may also be found under the following names (this list is referred to later as the 'names list'):
Zip Password Recovery v4.5.exe
Star Craft 2 Trailer.exe
WWF!!_The_ROCK(sHOw).exe
cRedit CarDs gEn v1.2.exe
WinZip 8.2 (Cracked).exe
GTA 3 Bonus Cars.exe
Eminem Desktop.exe
DMX tHeMe (full).exe
NFS 5 Bonus Cars.exe
Counter Strike 1.5 (Editor).exe
Madonna - My Life (Review).exe
DivX 5.4 Bundle.exe
KaZaA Media Desktop v1.8.3.exe
Win XP key gen 2.1B.exe
Serials 2002 Update.exe
Emails
The infected messages have varying Subjects, Bodies and attached file names (see below).
The worm is activated from an infected email only if the user opens the attached file. It then installs itself on the system and runs its spreading routine and payload.
To send infected messages the worm uses Windows MAPI functions and sends them to all addresses found in messages in the local email boxes.
Attached file names are selected from the following variants:
Star Craft 2 Trailer.exe
WWF_The_ROCK(sHOw).exe
Sound Factory SFX.exe
Eminem Desktop.exe
DMX tHeMe (full).exe
Love Zodiak.exe
[TNT]GeN.exe
Worm Guard.exe
mTV Charts.exe
Setup.exe
mTV Charts.exe
Subjects and message bodies are randomly selected from the variants shown below, where %s is one of the EXE file names listed above. The texts are written in Bulgarian and English.
Zdrasti..
Hey, kak varvi, neshto novo ima li :) Adski mi sa spi, daje ei sq smqtam da si legna ama purvo shte si vzema edin dush :)) Skoro shti pratq onva deto obeshtah, za sq mojesh da hvarlish edno oko na %s - ako imash nqkvi predlojeniq, komentari ili kakvoto i da e pishi mi :)) Aide doskoro i umnata ~pPp
Ohoo!!
Zdravei, zdrasti, dai pari za pasti :)) Ko praish? Za teb neznam ama v momenta se chustvam mnoo qko i reshih da ti pisha :) Kolko ti e rekorda na minichkite? Toku shto na Expert razminirah za 2 minuti :))) Ei sq smqtam da si vzema nqkoi qk film i da gledam. Hodil li si na %s - Mnoo me kefi :)) Za drugo ne se seshtam tai che chao za sega :))
Ei dupe :)
Zdrasti :)) Nqma da povqrvash kakvo mi se sluchi neska :) Vidqh
Slavi Trifonov i nqkvi mnoo qki madami s nego :))) Ko shi kaish a? Misleh
da mu iskam avtograf ama me dosramq :(( Karai, drug pat ~pP. Begai na %s
:) Malko e stranen, no ne e losh. Hmm, ti ko praish? Pishi mi :)
Chao
Liubofta e kato Rai, no moje da boli kato Ad
Zdr, izpratih na vsichki edna programka, mnoo qka, btw to imeto si pokazva. Subject-a e ot tam i ima i drugi mnogo qki misli. Moje da pokaje nai-podhodqshtiq partnior v liubofta :)) Ujasno e kak liubofta moje da ubie vsichko v teb.. Za shtastie ne vinagi e taka :) Inache nishto novo, karam q nqkak.. Sega trqbva da izlizq za malko tai che bye :))
ZzZz :)
Zdrasti, kak q karash :) az sam dobre, makar che naposledak imam malko problemi. Tvarde mnogo mi se strupa navednaj, udarih si rakata ei sq i mnogo me boli.. Kakvo da se pravi, takav e jivota.. Vchera namerih nqkav generator na kreditni karti i mai bachka, samo edin put go probvah ama stana, vij dali pri teb sha raboti i umnata :) Ai doskoro :)) Chao ti
Vajno!!
Ima nov opasen virus v neta! Razprostranqva se predimno po IRC i ICQ. Vnimavai da ne se zarazish, zashtoto iztriva Mp3-ki, Filmi i Dokumenti. Izpratih ti patch, koito shte te paziot zarazqvane. Iskah da napisha po-dulgo pismo, no nqmah vreme, sorka.. Naposledak imam adski mnogo rabota nalqvo nadqsno :)) Inache kak varvi? Chao i watch out :)))
Bla Bla :)
Hi, kak e :) ko si praikash? az si slusham muzichka - ATC i
Mortal Kombat Soundtrack - Varhovni sa, napravo izbuhnah :))) Drapnah si
gi ot neta s taq programka - ima 200 kubriliona klasacii :) Naposledak
muzikata e edno ot malkoto mi udovolstviq
P.S. Obezatelno si drapni ATC - Why oh why.mp3 :))
Chao, doskoro!!
HeY..
HeY.. Buddz what'z up :) How are you? I'm fine, 10x!! My friend Nina is here and we are.. You know :) Lalala !! Be happy, don't worry ~pPp. Btw check this site - %s, it's fresh :)) I'm a little drunk and i've gotta go now !! Wish me luck :)) Cya
ZzZz :)
Hi buddy, what's up :)) I've only wanted to remind you not to forget about our little, dirty secret :) And don't tell anybody :Ppp. Have you seen this site - %s c00l :) Leave this away, how are you? Send me sth cool, plzz:) bye! :)
BlaBla
Hey :) Wasupp ~Pp I wanted to write you a letter, but i didn't know what to talk about actually :) Have you ever done an IQ test, i've just scored 120 points :) I'm not sure if this is good or bad, who cares :) Have you visited %s :) Finally, how are you:) i'll be very happy if you send me 1,2 funny cards :)))) bye! :)
Be careful
There is a new, dangerous virus in the net. It's called Roro
and it's using IRC to infect computers. The virus deletes movies, music
and system files. To prevent from infecting, install McAfee Anti-Script
2002. It's a 30-days demo..
So, how are you? Good, Bad? I'm oK. I wanted to write you
a longer letter, but i didn't have enough time.. sorry. Bye
yoOo ;)
YoOo :)) What a nice day, what a nice time :) What a nice world
:)) Do you have Blade 2? I've just watched it twice, it's marvellous! lol
~pPp Do you have any ATC's mp3z? CooL :))) I've found them with this program,
it's like Napster, but it's legal :))
P.S. Download ATC - Why oh why.mp3 !!! Bye ~~~~ppPpP ;)
Wow..
Hello :>> How are you? What're you doing :) Do you have Blade 2? I've just watched it twice, it's marvellous! You can't guess what I've found.. A working Credit Card generator :))) I purchased a bride from Russia yesterday :) LoL.. I gave a fake address of course :))) Promise me not to send it to anybody! Don't go too far and watch out :)) Bye..
Hi!!
Hey you!! Wasssssssuppppppp :)))) Where are you? What are you
doing? I've just got high in the sky, my oh my :)) It's like I don't care
about nothing man :)) sMiLe :oP~pPPPpp I send you a sexy, little thing
:)) Everything is just an illusion. Believe me.. It's time to say goodbye
now.. See you
Infecting Network
The worm looks for remote drives and copies itself there under one of the names randomly selected from the 'names list' (see above). The worm can affect a drive only if the drive is shared with full access.
The worm looks for remote drives by two methods:
it enumerates all available logical drives (from C: to Z:), gets their type and infects those that are shared network drives;
it enumerates network resources using Windows API functions and affects the drives found.
To have its copy started when the remote machine next restarts Windows, the worm writes an "OPEN=" command to the "autorun.inf" file on the remote drive.
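As an added example that is not part of the original alert, the following Python script assesses a network share root for the autorun.inf trick described above: it reads the OPEN= target from the [autorun] section and compares it with the 'names list' and with the files actually present in the share root. The verdict logic, the function names and the sample share listing are assumptions constructed for this demonstration; only the file names and suffixes come from the alert.

```python
import re

# The file names below are the alert's "names list"; the suffixes are the
# three random extensions it describes. Everything else (function names,
# verdict categories, the sample share listing) is constructed here.
NAMES_LIST = {
    "Zip Password Recovery v4.5.exe", "Star Craft 2 Trailer.exe",
    "WWF!!_The_ROCK(sHOw).exe", "cRedit CarDs gEn v1.2.exe",
    "WinZip 8.2 (Cracked).exe", "GTA 3 Bonus Cars.exe", "Eminem Desktop.exe",
    "DMX tHeMe (full).exe", "NFS 5 Bonus Cars.exe",
    "Counter Strike 1.5 (Editor).exe", "Madonna - My Life (Review).exe",
    "DivX 5.4 Bundle.exe", "KaZaA Media Desktop v1.8.3.exe",
    "Win XP key gen 2.1B.exe", "Serials 2002 Update.exe",
}
KNOWN_NAMES = {n.lower() for n in NAMES_LIST}
RANDOM_SUFFIXES = ("98.exe", "16.exe", "32.exe")


def parse_autorun_open(text):
    """Return the OPEN= target of the [autorun] section of an autorun.inf,
    or None when the file carries no such command."""
    in_autorun = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
        elif in_autorun:
            key, _, value = line.partition("=")
            if key.strip().lower() == "open":
                return value.strip() or None
    return None


def _executable_name(target):
    """Extract the bare .exe file name from an OPEN= target such as
    'setup.exe /s', '"Star Craft 2 Trailer.exe"' or 'sub\\tool.exe'."""
    m = re.match(r'"?(.*?\.exe)"?', target, re.IGNORECASE)
    exe = m.group(1) if m else target
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_share_root(autorun_text, root_listing):
    """Classify a share root from its autorun.inf and its file listing.
    Returns (verdict, detail) with verdict 'clean', 'suspicious' or
    'infected'. Any OPEN= command on a file share is worth a look; a
    target from the names list is treated as a positive match."""
    target = parse_autorun_open(autorun_text)
    if target is None:
        return ("clean", "autorun.inf carries no OPEN= command")
    base = _executable_name(target)
    present = {f.lower() for f in root_listing}
    if base in KNOWN_NAMES:
        return ("infected", f"OPEN= points at a Roron file name: {target}")
    if base in present and base.endswith(RANDOM_SUFFIXES):
        return ("suspicious", f"OPEN= points at an executable with a worm-style suffix: {target}")
    if base in present:
        return ("suspicious", f"OPEN= launches an executable stored in the share root: {target}")
    return ("suspicious", f"OPEN= points at {target}, which is not in the root listing")


# Constructed sample: a share root as the worm would leave it.
SAMPLE_AUTORUN = "[autorun]\r\nOPEN=Serials 2002 Update.exe\r\n"
SAMPLE_ROOT = ["autorun.inf", "Serials 2002 Update.exe", "budget.xls"]

if __name__ == "__main__":
    print(assess_share_root(SAMPLE_AUTORUN, SAMPLE_ROOT))
```

In practice the listing would come from the share itself and the check would be repeated for every share that is writable by ordinary users, since the alert notes the worm only affects drives shared with full access; tightening those share permissions removes this vector regardless of the file names in use.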
Infecting KaZaa
The worm copies itself to the KaZaa file-sharing folder under a randomly selected name from the 'names list' above.
IRC-backdoor
The worm looks for mIRC client files and injects a new INI file into them; the new INI file's name is randomly selected from these variants:
alias.ini
server.ini
notes.ini
popup.ini
The worm's INI file is a backdoor script. By connecting to IRC channels it allows a remote attacker to control the infected machine: send, receive and execute files, send spam messages, restart the machine, send out PC information, etc.
Payload
The worm removes all files on all available local drives if any of the following holds:
the current date is the 9th or the 19th
the worm's "winfile.dll" has been removed from the Windows directory
the worm's Registry Run= keys have been removed
its random counter triggers
Other
The worm tries to terminate anti-virus programs by matching the following ID strings:
black, panda, shield, guard, scan, mcafee, nai_vs_stat, iomon, navap, avp, alarm, f-prot, secure, labs, antivir, zone, virus, worm, antivir, f-secure, f-prot, kaspers
Using the same strings the worm also looks for anti-virus files on disk (anti-virus software installed on the system) and deletes them.
The worm also creates the system mutex "RoRo" to avoid running multiple copies in memory.
Removal
To remove the worm from the system, scan all drives on your computer with an anti-virus program, remove all worm copies from the system, and only then remove the worm's data file (winfile.dll) and the worm's registry keys (see above).
IMPORTANT NOTE: if the worm's registry keys or the "winfile.dll" file are removed while at least one worm copy is still left on the computer, this may trigger the worm's payload, which removes all files from your system.
We thank you ALL for your kind votes which made this site FIRST in two categories.
A 10 vote = Very Good
A 1 vote = Waste of cyber Space !
ALL those sending emails of thanks are kindly requested to indicate whether these are for publication.
IMPORTANT NOTICE:
ALL those who are receiving this advice and find 'FAILED' followed by a 6 or 8 digit figure in the "name" field should be advised that, at least once, emails to that address have been returned to us. As the list of subscribers now exceeds 100,000, and since this is a free service, we kindly urge you to become a registered subscriber to this service and ensure delivery by subscribing under a reliable email address. WE REGRET THAT, AFTER THIS ISSUE, ALL ADDRESSES THAT ARE NOT DELIVERABLE WILL BE REMOVED FROM THE LIST.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind. In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits
or special damages.
PLEASE ADVISE ALL YOUR FRIENDS ON YOUR LIST
PLEASE ALSO NOTE THE FOLLOWING:
1) You are currently SUBSCRIBED to our mailing list
2) If you are receiving more than one copy of this warning please click here
3) If you DO NOT wish to receive anymore of these alerts, please click here
4) YOUR friends are also welcome to be on the VIRUS ALERT but an email has to be
sent to the Webmaster by themselves so that a record of all requests can be kept in case
somebody cries "SPAM" ! Simply click here
and send the email as it appears.
5) THIS IS A FREE SERVICE RUN IN THE PUBLIC INTEREST BY
6) ALSO PLEASE BE ADVISED THAT YOUR EMAIL WILL
NEVER BE SOLD, EXCHANGED OR IN ANYWAY WHATSOEVER DISCLOSED TO ANYBODY ELSE.
******
Fabian Brincat
Webmaster
Fabian Enterprises Ltd.
©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.
071102/161202/100904/051004