I-Worm.Roron

Discussion in 'malware problems & news' started by Technodrome, Nov 6, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Roro is an e-mail, P2P (peer-to-peer), IRC and network worm. F-Secure has received reports of this worm mostly from Bulgaria. There are already six known variants of this worm.

    Roron spreads via the Internet as an attachment to infected emails and via network shared drives and the KaZaa network. The worm also has an IRC-based backdoor.

    The worm itself is a Windows PE EXE file about 120KB in length, written in Microsoft Visual C++.

    Installing

    While installing, the worm copies itself to the Windows directory under the name "rundll16.exe" and registers this file in the system registry auto-run keys:


    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LoadCurrentProfile = Rundll16.exe powprof.dll,LoadCurrentUserProfile


    HKCR\exefile\shell\open\command
    %WinDir%\Rundll16.exe "%1" %*


    HKCR\regfile\shell\open\command
    %WinDir%\Rundll16.exe regedit.exe "%1"


    The worm also copies itself to the Windows system directory and to the "Program Files" directory. To select the destination name, the worm takes random file names or directory names from victim directories and adds one of the following randomly selected extensions:


    98.exe
    16.exe
    32.exe


    For example, worm copies may have the following names:


    Program Files\Online Services\Online Service16.exe


    Windows\System\browseui16.exe


    These files are also registered in the Registry HKLM\...\Run= keys and/or in the WIN.INI file in the [windows] section with the "run=" instruction.

    The worm then may display the following fake message:


    WinZip Self-Extractor License Confirmation


    Your version of WinZip Self-Extractor is not licensed, or the
    license information is missing or corrupted. Please contact
    the program vendor or the web site (www.WinZip.com) for
    additional information.

    The worm also creates its data file in the Windows directory and uses it for its internal needs (it stores its variables there). The file name is winfile.dll.

    The worm copies may be found under the following names as well (this list is referred to later as the 'names list'):


    Zip Password Recovery v4.5.exe
    Star Craft 2 Trailer.exe
    WWF!!_The_ROCK(sHOw).exe
    cRedit CarDs gEn v1.2.exe
    WinZip 8.2 (Cracked).exe
    GTA 3 Bonus Cars.exe
    Eminem Desktop.exe
    DMX tHeMe (full).exe
    NFS 5 Bonus Cars.exe
    Counter Strike 1.5 (Editor).exe
    Madonna - My Life (Review).exe
    DivX 5.4 Bundle.exe
    KaZaA Media Desktop v1.8.3.exe
    Win XP key gen 2.1B.exe
    Serials 2002 Update.exe

    Emails

    The infected messages have different Subjects, Bodies and Attached file names (see below).

    The worm activates from an infected email only if the user clicks on the attached file. The worm then installs itself to the system and runs its spreading routine and payload.

    To send infected messages the worm uses Windows MAPI functions and sends messages to all addresses found in messages in the email boxes.

    Attached file names are selected from the following variants:


    Star Craft 2 Trailer.exe
    WWF_The_ROCK(sHOw).exe
    Sound Factory SFX.exe
    Eminem Desktop.exe
    DMX tHeMe (full).exe
    Love Zodiak.exe
    [TNT]GeN.exe
    Worm Guard.exe
    mTV Charts.exe
    Setup.exe
    mTV Charts.exe


    Subjects and Message bodies are randomly selected from the variants displayed below, where %s is one of the EXE file names listed above. The following text is written in Bulgarian and English.


    Zdrasti..


    Hey, kak varvi, neshto novo ima li :) Adski mi sa spi, daje
    ei sq smqtam da si legna ama purvo shte si vzema edin dush :))


    Skoro shti pratq onva deto obeshtah, za sq mojesh da
    hvarlish edno oko na %s - ako imash nqkvi predlojeniq,
    komentari ili kakvoto i da e pishi mi :)) Aide doskoro i umnata
    ~pPp


    Ohoo!!



    Zdravei, zdrasti, dai pari za pasti :)) Ko praish? Za teb
    neznam ama v momenta se chustvam mnoo qko i reshih da ti
    pisha :) Kolko ti e rekorda na minichkite? Toku shto na
    Expert razminirah za 2 minuti :))) Ei sq smqtam da si vzema
    nqkoi qk film i da gledam. Hodil li si na %s - Mnoo me
    kefi :)) Za drugo ne se seshtam tai che chao za sega :))



    Ei dupe :)


    Zdrasti :)) Nqma da povqrvash kakvo mi se sluchi neska :) Vidqh
    Slavi Trifonov i nqkvi mnoo qki madami s nego :))) Ko
    shi kaish a? Misleh da mu iskam avtograf ama me dosramq :((
    Karai, drug pat ~pP. Begai na %s :) Malko e stranen, no ne e
    losh. Hmm, ti ko praish? Pishi mi :)


    Chao


    Liubofta e kato Rai, no moje da boli kato Ad



    Zdr, izpratih na vsichki edna programka, mnoo qka, btw to imeto
    si pokazva. Subject-a e ot tam i ima i drugi mnogo qki
    misli. Moje da pokaje nai-podhodqshtiq partnior v
    liubofta :)) Ujasno e kak liubofta moje da ubie vsichko v
    teb.. Za shtastie ne vinagi e taka :) Inache nishto novo,
    karam q nqkak.. Sega trqbva da izlizq za malko tai che
    bye :))


    ZzZz :)



    Zdrasti, kak q karash :) az sam dobre, makar che naposledak
    imam malko problemi. Tvarde mnogo mi se strupa navednaj,
    udarih si rakata ei sq i mnogo me boli.. Kakvo da se pravi,
    takav e jivota.. Vchera namerih nqkav generator na
    kreditni karti i mai bachka, samo edin put go probvah ama
    stana, vij dali pri teb sha raboti i umnata :) Ai
    doskoro :)) Chao ti


    Vajno!!



    Ima nov opasen virus v neta! Razprostranqva se predimno po IRC
    i ICQ. Vnimavai da ne se zarazish, zashtoto iztriva Mp3-ki,
    Filmi i Dokumenti. Izpratih ti patch, koito shte te
    paziot zarazqvane. Iskah da napisha po-dulgo pismo, no nqmah
    vreme, sorka.. Naposledak imam adski mnogo rabota
    nalqvo nadqsno :)) Inache kak varvi? Chao i watch out :)))



    Bla Bla :)



    Hi, kak e :) ko si praikash? az si slusham muzichka - ATC i
    Mortal Kombat Soundtrack - Varhovni sa, napravo
    izbuhnah :))) Drapnah si gi ot neta s taq programka - ima
    200 kubriliona klasacii :) Naposledak muzikata e edno ot
    malkoto mi udovolstviq


    P.S. Obezatelno si drapni ATC - Why oh why.mp3 :))


    Chao, doskoro!!



    HeY..



    HeY.. Buddz what'z up :) How are you? I'm fine, 10x!! My friend
    Nina is here and we are.. You know :) Lalala !! Be
    happy, don't worry ~pPp. Btw check this site - %s, it's
    fresh :)) I'm a little drunk and i've gotta go now !! Wish
    me luck :)) Cya


    ZzZz :)



    Hi buddy, what's up :)) I've only wanted to remind you not to
    forget about our little, dirty secret :) And don't tell
    anybody :ppp. Have you seen this site - %s c00l :) Leave
    this away, how are you? Send me sth cool, plzz:) bye! :)



    BlaBla



    Hey :) Wasupp ~Pp I wanted to write you a letter, but i didn't
    know what to talk about actually :) Have you ever done an IQ
    test, i've just scored 120 points :) I'm not sure if this is
    good or bad, who cares :) Have you visited %s :) Finally,
    how are you:) i'll be very happy if you send me 1,2
    funny cards :)))) bye! :)


    Be careful



    There is a new, dangerous virus in the net. It's called Roro
    and it's using IRC to infect computers. The virus deletes
    movies, music and system files. To prevent from
    infecting,
    install McAfee Anti-Script 2002. It's a 30-
    days demo..
    So, how are you? Good, Bad? I'm oK. I wanted to write you a
    longer letter, but i didn't have enough time.. sorry. Bye



    yoOo ;)



    YoOo :)) What a nice day, what a nice time :) What a nice
    world :)) Do you have Blade 2? I've just watched it twice,
    it's marvellous! lol ~pPp Do you have any ATC's mp3z?
    CooL :))) I've found them with this program, it's like
    Napster, but it's legal :))
    P.S. Download ATC - Why oh why.mp3 !!! Bye ~~~~ppPpP ;)



    Wow..



    Hello :>> How are you? What're you doing :) Do you have Blade
    2? I've just watched it twice, it's marvellous! You can't
    guess what I've found.. A working Credit Card generator :)))
    I purchased a bride from Russia yesterday :) LoL.. I gave a fake
    address of course :))) Promise me not to send it to
    anybody! Don't go too far and watch out :)) Bye..



    Hi!!



    Hey you!! Wasssssssuppppppp :)))) Where are you? What are you
    doing? I've just got high in the sky, my oh my :)) It's like
    I don't care about nothing man :)) sMiLe :eek:P~pPPPpp I send
    you a sexy, little thing :)) Everything is just an illusion.
    Believe me.. It's time to say goodbye


    now.. See you

    Infecting Network

    The worm looks for remote drives and copies itself there with one of the randomly selected names from the "names list" (see above). The worm is able to affect a drive only if the drive is open for full access.

    The worm looks for remote drives by two methods:

    it enumerates all available logical drives (from C: to Z:), gets their type and infects them if they are shared network drives;
    it enumerates network resources using Windows API functions and affects the drives found.

    To start its copy on the next Windows restart on the remote machine, the worm writes an "OPEN=" command to the "autorun.inf" file on the remote drive.

    Infecting KaZaa

    The worm copies itself to the KaZaa file sharing folder with a randomly selected name from the "names list" above.

    IRC-backdoor

    The worm looks for mIRC client files and injects a new INI file there; the new INI file name is randomly selected from the following variants:


    alias.ini
    server.ini
    notes.ini
    popup.ini


    The worm's INI file is a backdoor script program. By connecting to IRC channels it allows a remote hacker to control the infected machine: send/receive/execute files, send spam messages, restart the machine, send PC information out, etc.

    Payload

    The worm removes all files on all available local drives if:

    the current date is the 9th or the 19th;
    the worm's "winfile.dll" is removed from the Windows directory;
    the worm's Registry Run= keys are removed;
    or depending on its random counter.

    Other

    The worm tries to terminate anti-virus programs by using ID strings:


    black,panda,shield,guard,scan,mcafee,nai_vs_stat,iomon,
    navap,avp,alarm,f-prot,secure,labs,antivir,zone,
    virus,worm,antivir,f-secure,f-prot,kaspers

    By using the same strings the worm looks for anti-virus disk files (anti-virus software installed on the system), and deletes these files.

    The worm also creates the system mutex "RoRo" to avoid multiple copies in Windows memory.

    Removal

    To remove the worm from the system you should scan all drives on your computer with an anti-virus program, remove all worm copies from the system, and only then remove the worm data file (winfile.dll) and the worm's registry keys (see above).

    Important NOTE: if the worm's registry keys or the "winfile.dll" file are removed while at least one worm copy is left on the computer, this may activate the worm to remove all files from your system.

    http://www.f-secure.com


    Technodrome
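    A defender-side check for the persistence points, the copy-naming pattern and the share persistence described in the post above. This is an added example, not F-Secure's or the poster's code; the indicator strings come from the text above, while the stock shell-open command values and the directory listings are assumed or constructed.

```python
import re
from typing import Dict, List

# Indicators quoted from the F-Secure description above.
DROPPER = "rundll16.exe"
SUFFIXES = ("98.exe", "16.exe", "32.exe")        # appended to a stolen file/dir name
LURE_NAMES = {"zip password recovery v4.5.exe", "star craft 2 trailer.exe",
              "winzip 8.2 (cracked).exe", "kazaa media desktop v1.8.3.exe"}  # subset of the names list
# Assumed stock values: exefile = '"%1" %*', regfile = 'regedit.exe "%1"'.
STOCK_EXEFILE = re.compile(r'^\s*"%1"\s+%\*\s*$')
STOCK_REGFILE = re.compile(r'^\s*regedit\.exe\s+"%1"\s*$', re.I)


def check_registry(run_values: Dict[str, str], exefile_cmd: str, regfile_cmd: str) -> List[str]:
    """Flag the three registry persistence points the worm uses."""
    hits = []
    for name, cmd in run_values.items():
        if DROPPER in cmd.lower():
            hits.append(f"Run\\{name} launches {DROPPER}: {cmd}")
    # Anything in front of "%1" means a program is interposed on every EXE/REG launch.
    if not STOCK_EXEFILE.match(exefile_cmd):
        hits.append(f"exefile open command hijacked: {exefile_cmd}")
    if not STOCK_REGFILE.match(regfile_cmd):
        hits.append(f"regfile open command hijacked: {regfile_cmd}")
    return hits


def suspicious_copies(folder: str, entries: List[str]) -> List[str]:
    """Find lure names and EXEs named <existing name or folder name> + 98/16/32.exe."""
    folder_name = folder.rstrip("\\").rsplit("\\", 1)[-1].lower()
    stems = {e.rsplit(".", 1)[0].lower() for e in entries} | {folder_name}
    hits = []
    for e in entries:
        low = e.lower()
        if low in LURE_NAMES:
            hits.append(e)
            continue
        for suf in SUFFIXES:
            if low.endswith(suf) and low[: -len(suf)] in stems:
                hits.append(e)
    return hits


def autorun_open_target(autorun_inf: str) -> str:
    """Return the OPEN= target of an autorun.inf found on a share, or '' if none."""
    m = re.search(r"^\s*open\s*=\s*(.+?)\s*$", autorun_inf, re.I | re.M)
    return m.group(1) if m else ""
```

    Run the checks against values queried from HKLM\...\Run, HKCR\exefile and HKCR\regfile and against listings of the Windows, System, Program Files and KaZaA shared folders; remember the removal order given above before deleting anything the checks flag.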
     
  2. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Heehee, Technodrome -- I just posted about this at Gladiator Forums and had come here to Wilders to post, but I see you beat me to it :D :

    posted at dslreports by Motumbo:

    Red Alert: I-Worm.Roron ITW !!
    http://www.dslreports.com/forum/remark,4937613~root=security,1~mode=flat

    posted at Gladiator Forums by me:

    I-Worm.Roron.12
    http://forum.gladiator-antivirus.com//index.php?s=42b58fc4d7b71aad6c30c69a35d13141&act=ST&f=5&t=324&st=0&#entry1601

    Kaspersky References:

    http://www.viruslist.com/eng/index.html?tnews=1001&id=57826
    http://www.viruslist.com/eng/viruslist.html?id=57811
     
  3. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    How about a rain check? :D


    Technodrome
     
  4. FanJ

    FanJ Guest

    Name: W32/Oror-Fam
    Aliases: I-Worm.Roron, I-Worm.Roron.12, I-Worm.Roron.25,
    I-Worm.Roron.31, I-Worm.Roron.35, I-Worm.Roron.37,
    I-Worm.Roron.39
    Type: Win32 worm
    Date: 7 November 2002


    Note: At the time of writing Sophos has received no reports from
    users affected by these worms. However, we have issued this
    advisory following enquiries to our support department from
    customers.

    Description
    W32/Oror-Fam is a family of worms, all of which are very similar to W32/Oror-B. Like W32/Oror-B, these worms can spread in a number of ways, including sending themselves out by email, copying themselves to shared drives in networks, and placing copies of themselves in folders likely to be shared via the KaZaA peer-to-peer system.

    The W32/Oror family of worms creates two data files in the Windows folder which contain information used by the worms while they are running. These data files have innocent-looking names, incorporating the first few letters of the computer name forwards and backwards. These files have normal-looking extensions, including .DEF, .VXD and .SYS. Examples of the names of these data files on a computer named VICTIM might be:


    dosvictim32.vxd
    niwmitciv98.sys


    If these files are removed whilst the worms are active, the worms immediately begin deleting all files on the computer.

    You can find additional details about the W32/Oror family of worms by looking at the analysis of W32/Oror-B.


    More information about W32/Oror-Fam can be found at
    http://www.sophos.com/virusinfo/analyses/w32ororfam.html



    More information about W32/Oror-B can be found at
    http://www.sophos.com/virusinfo/analyses/w32ororb.html
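    A small check for the data-file naming pattern in the Sophos advisory quoted above: a Windows-folder listing is scanned for .def/.vxd/.sys files whose stem contains the first letters of the computer name, forwards or reversed. This is an added example, not Sophos code; the four-letter window and the sample listing are assumptions (constructed from the two names the advisory gives), and a hit is a reason to look closer, not proof by itself.

```python
from typing import List

DATA_EXTS = (".def", ".vxd", ".sys")   # extensions named in the advisory


def data_file_candidates(computer_name: str, windows_listing: List[str], window: int = 4) -> List[str]:
    """Return files whose stem embeds the first `window` letters of the computer name or their reverse."""
    name = computer_name.lower()
    fragment = name[:min(window, len(name))]   # "vict" for VICTIM
    reversed_fragment = fragment[::-1]          # "tciv": backwards, as in niwmitciv98
    hits = []
    for entry in windows_listing:
        low = entry.lower()
        if not low.endswith(DATA_EXTS):
            continue
        stem = low.rsplit(".", 1)[0]
        if fragment in stem or reversed_fragment in stem:
            hits.append(entry)
    return hits
```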
     
  5. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    You know what's really amazing? As I was reading through the text of the messages it sends in propagation, it was just like reading a thousand other worm messages. They are so bogus, I find it incredible that people keep clicking on those things. It does not take a mental giant to see that these messages are not what one gets from friends and family.
    I'm sitting here shaking my head in wonder, thinking worms like this should never go anywhere. What does it take to get people to stop clicking, clicking, clicking..........
    Probably the same people that voted in the last elections here. :rolleyes:
     
  6. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Curiosity is the worst enemy!!!


    Technodrome
     