W32.HLLW.Oror@mm

Discussion in 'malware problems & news' started by Technodrome, Aug 30, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    W32/Oror-A arrives in an email with one of the following pairs of subject line and message text:

    Subject line: Zdrasti..
    Message text: Hey, kak , ujas mi e toplo daji smqtam ei sq da si farlq edin dush che ne sa disha :) Skoro shti pratq onva det obeshtah, za sq mojesh da hvarlish edno oko na

    Subject line: Ohoo!!
    Message text: Yoo, kak e havata, v momenta se 4ustvam mnoo qko i reshih da pisha na priqtelite :) nabarah edin mnoo zdrav site, %s - Cool a? Aide chakam otgovor :)

    Subject line: Pisamce
    Message text: Neska mi se slu4iha kup neshta :) Oshte ot sutrinta adski mi varvi, shte vzema da pusna edin fish ~~P V takova dobro nastroenie sam 4e reshih da vi pisha. Pri teb kak e, Neshto novo ima li? Osven vsi4ko ti pratih i iznenadka, sled kato q instalirash si vij shti sa poqvi mnoo qka madama v Tray-a :) I naposledak poshtata mi stoi tajno prazna tai che ... :)) Doskoro

    Subject line: Liubofta e kato Rai, no moje da boli kato Ad
    Message text: Zdr, izpratih na vsichki edna programka, mnoo qka, btw to imeto si pokazva. Subject-a e ot tam i ima i drugi mnogo qki misli. Moje da pokaje nai-podhodqshtiq partnior v liubofta :)) Ujasno e kak liubofta moje da ubie vsichko v teb.. Za shtastie ne vinagi e taka :) Bye !!

    Subject line: TinKi WinKy
    Message text: Zdrasti, trqq da proveda edin razgovor s dosta hora, ama shi vidim koga sha stane tova, naistina imam da kazvam mnogo neshta .. Ako imash i ti neshto da mi kazvash, ne se kolebai, a napishi edno pisamce. Vqrvai v me4tite si i gledai napred :))' P.S. Pogledni attachmenta i vij dali shti dopadne :)) Kefi li te? Az mnoo mu sa radvah ;)) Bye

    Subject line: HeY :)
    Message text: Tiriritam tiriram :)) zDraVeI, neshto novo?? :) Kak varvi lqtoto? Plaj, basein, kuponi :) Beshe mi skuchno i si vikam shto da ne napisha nqkoi drugo pismo :> Kakvoto i da stava da jivee lqtoto i nie pokrai nego ~~~PpPpPp. Vij iznendkata ~pP Aide i chakam..

    Subject line: ZzZz :)
    Message text: Zdrasti, kak q karash :) az sam dobre, makar che naposledak imam malko problemi. Tvarde mnogo mi se strupa navednaj, mai i rakata mi e s4upena.. Kvo da se pravi, takav e jivota.. Vchera namerih nqkav generator na kreditni karti i mai bachka, samo edin go probvah ama stana, vij dali pri teb sha raboti i umnata :) I ne zabravqi che "Liuboftaa e po cennaa ot vsi4ko" :)) Chao ti

    Subject line: Vajno!!
    Message text: Ima nov opasen virus v neta! Razprostranqva se predimno po IRC i ICQ. Vnimavai da ne se zarazish, zashtoto iztriva Mp3-ki, Filmi i Dokumenti. Izpratih ti patch, koqto shte te zashtiti ot zarazqvane. Iskah da napisha po-dulgo pismo, no nqmah vreme, sorka :( Naposledak imam adski mnogo rabota nalqvo nadqsno :)) Inache kak varvi? Aide doskoro i watch out :)))

    Subject line: Blondinkii:)
    Message text: Namerih edna mnoo qka programka i neznam zashto, no mi napomni za teb :)' Kakvo pravi blondinka kato rodi bliznaci? - Chudi se koi e vtoriq tatko :)' Kakva e razlikata mejdu 10 ovce i 3 blondinki? Otgovor: 7 Kak mojesh da razsmeesh blondinka v petak? - Kato i razkajesh vic vav vtornik :) Zdrasti! kak si :) Kefqt li ta vicovete? Shegichka de :) Pratih ti q. Razkazva ti qki vicove za blondinki na 5 minuti :) Posmqh se za baq vreme napred :))) Bye, doskoro, i po chesto v chata, chao :)

    Subject line: Hi BaBy :)
    Message text: Hi baby, kak e :) ko si praikash? az si slusham muzichka - ATC i Mortal Kombat Soundtrack - Varhovni sa, napravo izbuhnah :))) Drapnah si gi ot neta s taq programka - ima 200 kubriliona klasacii :) Naposledak muzikata e edno ot malkoto mi udovolstviq
    P.S. Obezatelno si drapni ATC - Why oh why.mp3 :))
    Chao, doskoro!!

    Subject line: HeY..
    Message text: HeY.. Buddz what'z up :) How are you? I'm fine, 10x!! My friend Nina is here and we are.. You know :) Lalala !! I've just wanted to tell you. Btw check this site - %s, it's kewl :)) Cya

    Subject line: aBcDeFgHiJkLmNoPqRsT..
    Message text: Hi, Don't forget about MAL"F" :) And don't tell anybody :ppp have you seen this site? It's very interesting!! :) %s .. Leave this away, how are you? Send me sth cool, plzz :) bye! :)

    Subject line: Don't cry
    Message text: It won't be easy, you think it's strange, when I try to explain how i feel and I still want your love after all I have done. You won't believe me.. I had to let it happen, i had to change.. Hey, just kiddin' :) Madonna - "Don't cry" I've just wanted to .. Infact I don't know nothing i don't want to know anything :))) Do you like the funny program :) I'm waiting for the reply :>> Bye

    Subject line: Very Important
    Message text: There is a very dangerous virus circulating in the net. It's called RoRo and it's using IRC to infect computers. This virus deletes movies, music and corrupt your windows installation. To prevent from infecting, install McAfee Anti-Script 2002. It's a 30-days demo.. So, how are you? Good, Bad? I'm oK. I wanted to write you a longer letter, but i didn't have enough time.. sorry. Bye

    Subject line: Miracle
    Message text: All I need is a miracle, all i need is love.. YeS. That's true i love you my friends :) If you are wondering why I am so happy - i'll tell you - I am enga.. oOps, later..Bye and uhh unzip the attachment. It's the best joke, i've ever seen. Bye, see ya :)

    Subject line: LOVE is like HEAVEN but it can hurt like HELL.
    Message text: I've just found this program, and, I don't know why... but it reminded me of you. I read this there. There are cool ideas, especially about lOvE. i like it, but let's talk about you? Are you oK? Are you in love :))) I'm waiting for the replyyy :)) bye ~pPpP

    Subject line: Blondies Forever :)
    Message text: Hiya :) I've just wannted to send you these jokes
    - What do blondes wear behind their ears to attract men? Their ankles!!
    - Why did god invent the female orgasm? So blondes know when to stop
    screwing!!
    - What's the difference between a blonde and aeroplane? Not everyone's
    been in a aeroplane!
    - What is a blond with hair black colored? Artificial intelligence!
    Blondies forever!! :) Wow, it's raining!! c00l :) Time off, i must go now, but i'll be very happy if you write me soon :) Bye bye :))

    Subject line: Hi!!
    Message text: Hi baby :)) Whatz Uppp :)) I'm feelin extra power cause i got high in the sky :) sMiLe :eek:P~pPPPpp Where are you? What are you doing? I send you a c00l flAsh :) See you soon :)) Bye Bye

    Subject line: WoWoWoWOWowo..
    Message text: Hi again.. You can't guess what i've found.. Finally i've found a working Credit Card generator!! I'm the richest man in the net :)) Don't tell or send it to anybody! How are you? What're you doing?

    Subject line: yoOo
    Message text: YoOo :)) What a nice day, what a nice time :) What a nice world :)) Do you have any ATC's mp3z? eXtreemly cool :) I've found them with this program, it's like Napster, but it's legal :)) P.S. Download ATC - Why oh why.mp3 !!! Bye ~~~~ppPpP :)

    The attached file has one of the following filenames:

    Love Zodiak.exe
    Sorry.exe
    [TNT]!CC geN.exe
    Osama Your Mamma.exe
    Setup.exe
    mTV Charts.exe
    Blondies.exe
    TNT!CC gEN.exe
    Magic.exe
    Love.exe
    Zodiak.exe
    mTV.exe
    Faith.exe
    Kama Sutra.exe
    Fun.exe
    Smile.exe
    Pamela.exe
    Candy.exe

    When first executed, the worm displays a fake error message that reads:

    Your version of WinZip Self-Extractor is not licensed, or the license information is missing or corrupted. Please contact the program vendor or the web site (www.WinZip.com) for additional information.

    The worm will attempt to copy itself to folders on local and shared drives using any of the following filenames:

    Kama Sutra.exe
    GiRlZ FoReVeR (Wow).exe
    Nikita v1.1 (Zip).exe
    Pamela Anderson (Porno Installation).exe
    Britney Spears Naked.exe
    Teen Sex Cam.exe
    Kurnikova Screensaver (6+).exe
    CrEdIt CaRdZ gEn.exe
    SeX.eXe
    Faith.exe

    The worm will always drop a copy of the worm with the filename C:\Windows\Rundll16.exe and add the entry

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadCurrentProfile

    to the registry so that Rundll16.exe is run when Windows starts up.

    The worm randomly chooses a single subfolder of the "Program Files" folder and places a copy of the worm in that subfolder. The filename of the new copy will be the name of the subfolder plus "16", "32", or "2K", e.g. Accessories2K.exe. An entry is added to the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run which points to the copy of the worm.

    A file is randomly selected from the Windows system folder and a copy of the worm is created in the system folder with a filename constructed from the name of the randomly selected file plus "16", "32" or "2K". An entry is then added to the file win.ini so that this copy of the worm is run when Windows starts up.

    If the title bar of a window contains any of the following strings then that window will be closed.

    black
    panda
    shield
    scan
    mcafee
    nai_vs_stat
    virus
    iomon
    webcheck
    mstask
    navap
    msie
    agent
    avp
    alarm
    zone
    labs

    The worm will delete files from folders whose names contain the words

    "zone" and "labs"
    kaspers
    mcafee
    panda
    avp
    "pc" and "cillin"
    "black" and "ice"
    "norton" and "virus"

    A large mIRC script will be created in the mIRC installation folder with the filename alias.ini, server.ini, notes.ini or popup.ini. This script is an mIRC backdoor Trojan and will be detected as Troj/Faith-A by Sophos Anti-Virus.

    Finally the worm will send itself in an email to addresses retrieved from email in the infected user's inbox.

    The worm also creates the following non-viral text files:
    C:\Windows\def12x.dll
    C:\Windows\rn3a.vxd
    C:\Windows\Winfile.dll
    C:\shares.txt

    source: http://www.sophos.com



    Technodrome
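A triage check for the persistence artifacts described in the write-up above (the LoadCurrentProfile Run value, the dropped Rundll16.exe, the Program Files subfolder copy, the win.ini entry and the system-folder copy). This is an added example, not code from Sophos or from the thread; it assumes the host snapshots arrive as a dict of Run values, the win.ini text and a file listing, uses constructed sample data, and treats "name of the randomly selected file" as the name without its extension.

```python
import re
# Added triage helper, not part of the Sophos write-up: given snapshots taken
# from a suspect host, flag the persistence artifacts the write-up describes.
# All sample data below is constructed for illustration.
RUN_VALUE = "loadcurrentprofile"          # value name the worm adds under Run
DROPPED_EXE = r"c:\windows\rundll16.exe"  # fixed-name copy it always drops
SUFFIX = r"(16|32|2k)\.exe"               # other copies are <name>16/32/2K.exe

def check_run_key(run_entries):
    """run_entries: {value name: command}. Flags the worm's own Run value, the
    dropped Rundll16.exe, and a Program Files subfolder copy named after it."""
    hits = []
    for name, cmd in run_entries.items():
        c = cmd.strip('"').lower()
        pf = re.fullmatch(r"c:\\program files\\([^\\]+)\\([^\\]+)", c)
        if (name.lower() == RUN_VALUE or c == DROPPED_EXE or
                (pf and re.fullmatch(re.escape(pf.group(1)) + SUFFIX, pf.group(2)))):
            hits.append(f"Run\\{name} -> {cmd}")
    return hits

def check_win_ini(text):
    """Flags run=/load= lines in win.ini that start a 16/32/2K-suffixed exe."""
    return [ln.strip() for ln in text.splitlines()
            if re.match(r"\s*(run|load)\s*=.*" + SUFFIX + r"\s*$", ln, re.I)]

def check_system_folder(files):
    """Flags <stem>16/32/2K.exe lying beside a file with that stem, e.g.
    shell3216.exe next to shell32.dll (assumption: stem = name sans extension)."""
    stems = {f.rsplit(".", 1)[0].lower() for f in files}
    hits = []
    for f in files:
        m = re.fullmatch(r"(.+?)" + SUFFIX, f, re.I)
        if m and m.group(1).lower() in stems:
            hits.append(f)
    return hits

SAMPLE_RUN = {                            # constructed sample Run key
    "SystemTray": "SysTray.Exe",
    "LoadCurrentProfile": r"C:\Windows\Rundll16.exe",
    "Accessories": r"C:\Program Files\Accessories\Accessories2K.exe",
}
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\Windows\\System\\shell3216.exe\n"
SAMPLE_SYSTEM = ["shell32.dll", "shell3216.exe", "kernel32.dll", "calc.exe"]

def triage():
    return (check_run_key(SAMPLE_RUN) + check_win_ini(SAMPLE_WIN_INI)
            + check_system_folder(SAMPLE_SYSTEM))

if __name__ == "__main__": print(*triage(), sep="\n")
```

The system-folder rule will also flag a legitimate pair such as foo.dll beside foo32.exe, so treat its output as a lead to confirm by hashing the file, not as a verdict.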
     
  2. Gladiator

    Gladiator Guest

    If anyone has this worm (no, not active :D), can he please send it to [email address deleted - Forum Admin]

    So that I can update the worm patterns :)

    Greets Gladiator
     
  3. UNICRON

    UNICRON Technical Expert

    Gladiator, I hope development is going well for your new product. Competition is a good thing!

    That being said, I have to object to this board being used to ask for viruses or trojans. Not that I don't trust you to use them for good and not evil, but because it is board policy and it would be wrong to allow it for you but not the others.

    I hope you understand that this is not meant to be an unfriendly response to your new product, but a reminder of the rules we have here for the greater good of all.

    I suggest you supply information regarding malware submission on your site. I am sure the members here can easily get there from your site link in your signature.

    Thank you and good luck!
     
  4. Gladiator

    Gladiator Guest

    I understand and accept this.

    Gladiator :cool:
     
  5. UNICRON

    UNICRON Technical Expert

    Thanx, I was just at your site and forum. Things are starting to hum around there. Seen some familiar faces (well usernames anyhow ;) ).
     
  6. Gladiator

    Gladiator Guest

    I know :D

    Did I say you can register there for FREE? hehe :D
    You know that the first user (who is board administrator with a URL that starts with W and ends with Y before the dot) will earn a FREE beer for signing in? hehe :D

    After 2 days of bugfixing the online updates, it's now also working for USA users *sigh*

    There was a dumb bug in the Microsoft system files (OCX) that caused a "type mismatch error", but it was only on US operating systems...

    At least it works.

    Greets
    Gladiator
     