The following has been derived from information provided by F-Secure, Sophos, and Symantec.
Virus Characteristics
W32.HLLW.Oror@mm is a Windows PE EXE file about 120KB in length written in Microsoft Visual C++. It sends itself to all addresses found in incoming email messages. The worm also spreads by using mIRC, network shares, the Kazaa file-sharing network, and mapped drives. It attempts to close windows and delete files of various antivirus and firewall programs. It uses the current default email program to spread itself. The worm can create the email messages randomly, or use a defined set of characteristics as described below.
When the worm is executed, it displays the following fake error message:
"WinZip Self-Extractor License Confirmation"
"Your version of WinZip Self-Extractor is not licensed, or the license information is missing or corrupted. Please contact the program vendor or the web site (www.WinZip.com) for additional information"
It copies itself to the following folders using a random file name:
- Windows directory (C:\%WINDOWS%)
- Windows System directory (C:\%WINDOWS%\%SYSTEM%)
- subfolders of the PROGRAM FILES directory
- KaZaA directories
It adds the following registry keys and values to launch itself at Windows startup and whenever an executable (.exe) or registry (.reg) file is opened:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"LoadCurrentProfile" = "<random file name> powprof.dll,LoadCurrentUserProfile"
HKCR\exefile\shell\open\command
[default] = "wormname.exe "%1" %*"
HKCR\regfile\shell\open\command
[default] = Rundll16.exe regedit.exe "%1"
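The two handler hijacks and the rundll-style Run value above can be checked from exported registry values; the following is an added example (not code from the original description), which assumes the stock handler values shown in STOCK_HANDLERS and uses a made-up random file name:

```python
# Added example, not from the original description: check registry values for the
# two persistence techniques described above, the shell-handler hijack of
# HKCR\exefile and HKCR\regfile, and the rundll-style Run value.
import re
from typing import Dict, List

# Stock Windows handlers only launch the clicked file (assumed reference values).
STOCK_HANDLERS = {
    r"HKCR\exefile\shell\open\command": '"%1" %*',
    r"HKCR\regfile\shell\open\command": 'regedit.exe "%1"',
}

def program_before_target(handler: str) -> str:
    """What runs before the "%1" placeholder: empty for a stock exefile handler."""
    value = handler.strip()
    pos = value.find("%1")
    if pos < 0:
        return value                      # the clicked file is never launched at all
    return value[:pos].rstrip().rstrip('"').strip()

def check_shell_handlers(handlers: Dict[str, str]) -> List[str]:
    """Compare exported handler values with the stock ones and list deviations."""
    findings = []
    for key, value in handlers.items():
        if key not in STOCK_HANDLERS:
            continue
        seen = program_before_target(value)
        expected = program_before_target(STOCK_HANDLERS[key])
        if seen.lower() != expected.lower():
            findings.append(f"{key}: runs '{seen}' before the target, expected '{expected}'")
    return findings

DLL_ENTRY = re.compile(r"[^\s,]+\.dll,\S+", re.IGNORECASE)

def rundll_host_mismatch(run_value: str) -> bool:
    """Heuristic (assumption): 'name.dll,Function' arguments belong to rundll32.exe."""
    parts = run_value.strip().strip('"').split()
    if len(parts) < 2 or not DLL_ENTRY.fullmatch(parts[-1]):
        return False
    return parts[0].lower() != "rundll32.exe"

# Constructed values mirroring the description; the random file name is made up.
INFECTED = {
    r"HKCR\exefile\shell\open\command": 'kernel2k.exe "%1" %*',
    r"HKCR\regfile\shell\open\command": 'Rundll16.exe regedit.exe "%1"',
}
INFECTED_RUN = "kernel2k.exe powprof.dll,LoadCurrentUserProfile"
if __name__ == "__main__":
    print(*check_shell_handlers(INFECTED), sep="\n")
    print("Run value host mismatch:", rundll_host_mismatch(INFECTED_RUN))
```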
It randomly chooses a file name from the C:\%WINDOWS%\%SYSTEM% folder and copies itself as one of the following:
C:\%SYSTEM%\<chosen file name>2k<extension>
C:\%SYSTEM%\<chosen file name>16<extension>
C:\%SYSTEM%\<chosen file name>32<extension>
It inserts the following section into the WIN.INI to execute automatically whenever Windows 95/98/Me is started:
[windows]
run=C:\%SYSTEM%\<worm filename>
The worm randomly chooses a subfolder in the C:\PROGRAM FILES\ directory and copies itself to this subfolder using the subfolder name plus "2K", "16", or "32" as its file name. It then adds a value that refers to this copy to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The worm will close any window whose title bar contains any of the following strings:
black
panda
shield
scan
mcafee
labs
zone
alarm
agent
avp
msie
navap
mstask
webcheck
iomon
nai_vs_stat
The worm also searches for and deletes files in any directory or subdirectory whose name contains any of the following strings:
labs and zone
kaspers
mcafee
panda
avp
pc
cillin
black and ice
norton and virus
The worm overwrites mIRC script files and sends itself to mIRC users. It installs a backdoor Trojan under one of the following names:
alias.ini
server.ini
notes.ini
popup.ini
The worm infects remote drives by two methods: it enumerates all available logical drives (C: to Z:), and it enumerates network resources using Windows API functions. It modifies the AUTORUN.INF file to launch itself at Windows startup.
The following details the many forms in which this worm can arrive via email.
Random email messages:
The subject is constructed from one of these strings:
HeY
ZzZz
Bla Bla
HoWie
Happy
Hi Again
Wow
Hi
Hello
Hey Ya
Boom
Hi There
Zdrasti
Zdr Otnovo
Ohoo
Ei dupe
Pisamce
TinKi WinKy
Bla Bla
Hey
Privet
Boom
followed by one of these strings:
..
!!
:)
;))
:pPpP
~pPp
:>
!
;)
The message body is constructed from one of these strings:
Hey, kak varvi, neshto novo ima li :) Adski mi sa spi, daje ei sq smqtam da si legna ama purvo shte si vzema edin dush :)) Skoro shti pratq onva deto obeshtah, za sq mojesh da hvarlish edno oko na %s - ako imash nqkvi predlojeniq, komentari ili kakvoto i da e pishi mi :)) Aide doskoro i umnata ~pPp
Zdravei, zdrasti, dai pari za pasti :)) Ko praish? Za teb neznam ama v momenta se chustvam mnoo qko i reshih da ti pisha :) Kolko ti e rekorda na minichkite? Toku shto na Expert razminirah za 2 minuti :))) Ei sq smqtam da si vzema nqkoi qk film i da gledam. Hodil li si na %s - Mnoo me kefi :)) Za drugo ne se seshtam tai che chao za sega :))
Zdrasti :)) Nqma da povqrvash kakvo mi se sluchi neska :) Vidqh Slavi Trifonov i nqkvi mnoo qki madami s nego :))) Ko shi kaish a? Misleh da mu iskam avtograf ama me dosramq :(( Karai, drug pat ~pP. Begai na %s :) Malko e stranen, no ne e losh. Hmm, ti ko praish? Pishi mi :)
Liubofta e kato Rai, no moje da boli kato Ad
Zdr, izpratih na vsichki edna programka, mnoo qka, btw to imeto si pokazva. Subject-a e ot tam i ima i drugi mnogo qki misli. Moje da pokaje nai-podhodqshtiq partnior v liubofta :)) Ujasno e kak liubofta moje da ubie vsichko v teb.. Za shtastie ne vinagi e taka :) Inache nishto novo, karam q nqkak.. Sega trqbva da izlizq za malko tai che bye :))
Zdrasti, kak q karash :) az sam dobre, makar che naposledak imam malko problemi. Tvarde mnogo mi se strupa navednaj, udarih si rakata ei sq i mnogo me boli.. Kakvo da se pravi, takav e jivota.. Vchera namerih nqkav generator na kreditni karti i mai bachka, samo edin put go probvah ama stana, vij dali pri teb sha raboti i umnata :) Ai doskoro :)) Chao ti
Ima nov opasen virus v neta! Razprostranqva se predimno po IRC i ICQ. Vnimavai da ne se zarazish, zashtoto iztriva Mp3-ki, Filmi i Dokumenti. Izpratih ti patch, koito shte te paziot zarazqvane. Iskah da napisha po-dulgo pismo, no nqmah vreme, sorka.. Naposledak imam adski mnogo rabota nalqvo nadqsno :)) Inache kak varvi? Chao i watch out :)))
Hi, kak e :) ko si praikash? az si slusham muzichka - ATC i Mortal Kombat Soundtrack - Varhovni sa, napravo izbuhnah :))) Drapnah si gi ot neta s taq programka - ima 200 kubriliona klasacii :) Naposledak muzikata e edno ot malkoto mi udovolstviq
P.S. Obezatelno si drapni ATC - Why oh why.mp3 :))
HeY.. Buddz what'z up :) How are you? I'm fine, 10x!! My friend Nina is here and we are.. You know :) Lalala !! Be happy, don't worry ~pPp. Btw check this site - %s, it's fresh :)) I'm a little drunk and i've gotta go now !! Wish me luck :)) Cya
Hi buddy, what's up :)) I've only wanted to remind you not to forget about our little, dirty secret :) And don't tell anybody :Ppp. Have you seen this site - %s c00l :) Leave this away, how are you? Send me sth cool, plzz:) bye! :)
Hey :) Wasupp ~Pp I wanted to write you a letter, but i didn't know what to talk about actually :) Have you ever done an IQ test, i've just scored 120 points :) I'm not sure if this is good or bad, who cares :) Have you visited %s :) Finally, how are you:) i'll be very happy if you send me 1,2 funny cards :)))) bye! :)
Be Careful
There is a new, dangerous virus in the net. It's called Roro and it's using IRC to infect computers. The virus deletes movies, music and system files. To prevent from infecting, install McAfee Anti-Script 2002. It's a 30-days demo.. So, how are you? Good, Bad? I'm oK. I wanted to write you a longer letter, but i didn't have enough time.. sorry. Bye
YoOo :)) What a nice day, what a nice time :) What a nice world :)) Do you have Blade 2? I've just watched it twice, it's marvellous! lol ~pPp Do you have any ATC's mp3z? CooL :))) I've found them with this program, it's like Napster, but it's legal :))
P.S. Download ATC - Why oh why.mp3 !!! Bye ~~~~ppPpP ;)
Hello :>> How are you? What're you doing :) Do you have Blade 2? I've just watched it twice, it's marvellous! You can't guess what I've found.. A working Credit Card generator :))) I purchased a bride from Russia yesterday :) LoL.. I gave a fake address of course :))) Promise me not to send it to anybody! Don't go too far and watch out :)) Bye..
Hey you!! Wasssssssuppppppp :)))) Where are you? What are you doing? I've just got high in the sky, my oh my :)) It's like I don't care about nothing man :)) sMiLe :oP~pPPPpp I send you a sexy, little thing :)) Everything is just an illusion. Believe me.. It's time to say goodbye now.. See you
Then, one of the following is added:
P.S. Hvarli edno oko na <website constructed by the worm> :))
P.S. Bqgai na <website constructed by the worm> mnoo zdravo flash4e ima :pP
P.S. Be happy, don't worry ~pPp. Check this - <website constructed by the worm> Cool :))
P.S. Have you visited <website constructed by the worm> :) Co0l :))
The attachment filename is constructed in one of the following ways:
One of these strings:
BoxDave_
PcDudes
Pamela 3D_
Kama Sutra
LaFemmeNikita
Fishfood
install_en_
Story017_
Inter012_
Actu002_
Chess
followed by one of these:
(sHow).EXE
3D.EXE
(Eng).EXE
2.3.EXE
Or one of these strings:
install_en_
ClubExtreme
WWF_The_ROCK
EminemDesktop
DMX tHeMe
Inter012_
Story017_
Gipsy
sound_brake_
Elfbowl
Goggles
snowball_fight_
Chess
followed by one of these:
2.1.EXE
(zip).EXE
(sHow).EXE
3D.EXE
_zip.EXE
(Eng).EXE
_v1.1.EXE
Or one of the following strings:
PcDudes
BritneyUltimate
Pamela 3D_
Britney Suxx
KamaSutra
LaFemmeNikita
Teen Sex Cam
Lolita
Pam Anderson Theme
Sexy Teens Desktop
SexSpy
Anal Explorer
VirtualRape
Hot Blondies
Strip Kournikova
followed by one of these:
(sHow).EXE
3D.EXE
3.0.EXE
(Eng).EXE
v4.5.EXE
(Rated).EXE
Or one of these strings:
cRedit_CarDs_gEn
MeGa HACK
Zip Password Recovery
GTA 3 Bonus Cars(part1)_
EminemDesktop
DMX tHeMe
NFS 5 Bonus Cars_
Counter Strike 1.5 (Editor)_
Madonna Desktop
WinZip 8.2_
DivX 5.4 Bundle_
KaZaA Media Desktop v2.0.8_
Serials 2K 7.2 (by SNTeam)_
Serials2002_8.0(17.08.02)_
Dreamweaver_5.0_Patch_
ACDSee
WinAmp_3.2_Cool_
Download Accelerator 5.5_
Nero Burning Rom 5.6.0.3_
followed by one of these:
7.1 FULL.EXE
v5.5.EXE
(zip).EXE
3.0.EXE
(Eng).EXE
(Cracked).EXE
Fixed email messages:
Subject: Blondinkii
Message Body:
Hey :)) Kak q karash? Pomnish li me oshte :)) Nadqvam se che da. Baq vreme ne sme sa chuvali.. Neshto novo ima li? Namerih edna mnoo qka programka
i neznam zashto, no mi napomni za teb :))
Kakvo pravi blondinka kato rodi bliznaci? - Chudi se koi e vtoriq tatko :) Kakva e razlikata mejdu 10 ovce i 3 blondinki? Otgovor: 7 Kak mojesh da razsmeesh blondinka v petak? - Kato i razkajesh vic vav vtornik :)
Kefqt li ta vicovete? Shegichka de :) Razkazva vicove na 5 minuti :)) Posmqh se za baq vreme napred :pPpP Haide bye za sega, i da pishesh :))
Attachment: Blondies.exe
Subject: Yahoo! Games_
Message Body:
Yahoo! Team is proud to present our new surprise for clients of Yahoo! and Yahoo! Mail.
We plan to send you the best Yahoo! Games weekly.This new service is free and it's a gift for the 5th anniversary of Yahoo!. We hope that you would like it. The whole Yahoo! Team want to express our gratitude to you, the people who help us to improve Yahoo! so much, that it became the most popular worldwide portal.
Thank You!
We do our best to serve you.
-------------
Yahoo! Team.
www.Yahoo.com
Attachment: Yahoo!Chess.exe
Subject: <current user name> sent you a Yahoo! Greeting_
Message Body:
Surprise! You've just received a Yahoo! Greeting from "<current user name>" (<current user e-mail address>)!
This is an interactive greeting card and requires Flash Media Player.
Enjoy!
The Yahoo! Greetings Team.
-----------------
Yahoo! Greetings is a free service. If you'd like to send someone a Yahoo! Greeting, you can do so at
http://greetings.yahoo.com
Attachment: Yahoo!Tomcats.exe
Subject: Microsoft Bulgaria_
Message Body:
Blagodarenie na dulgogodishnite tradicii na Microsoft v Bulgaria i dobrata i suvestna rabota na vsichki neini podchineni, mojem nai-nakraq da pozdravim bulgarskiq potrebitel s prevod na Internet Explorer na bulgarski.
Tova e edno uspeshno produljenie na iniciativata za prevejdane na Ms Office 2000 ® na rodniq ni ezik. Update-a e bezplaten i e podaruk po sluchai 10 godishninata na Microsoft v Bulgaria.
Nadqvame se bulgarskite potrebiteli da ostanat dovolni, koeto shte bude nai-golemiq podaruk za nas.
---------------------
Microsoft, Bulgaria.
Attachment: IE_0274_bg.exe
Subject: Vajno_
Message Body:
Panda Antivirus preduprejdava za nalichieto na nov virus v internet, narechen W32.Roro@mm. Razprostranqva se predimno po IRC i chrez zarazeni internet stranici. Sled zarazqvaneto toi iztriva mp3-ki, filmi i dokumenti.
Poradi golemiq broi zarazeni bulgari prez poslednite nqkolko dena, Panda Antivirus zapochna razprostranenieto na patch, koito opravq bug v Internet Explorer 5.5 i minali versii, pozvolqvasht na stranici sas zlovredno sudurjanie da izpulnqvat komandi vurhu posetitelite.
Druga nasha preporuka e ako ste veche zarazeni da ne opitvate da mahate virusa ruchno, a samo s antivirusna programa, poneje pri neuspeshen opit za premahvane W32.Roro iztriva razlichni vidove failove na operacionnata sistema.
-----------------
Panda Antivirus, Bulgaria.
www.Computel.bg
Attachment: IE50_032_Setup.exe
Subject: WinAmp Team_
Message Body:
Hello, WinAmp User. WinAmp Team is proud to present our new surprise for users of WinAmp. WinAmp 3.0 Final has been just released and we believe that it will be the player you've ever dreamed about.
We plan to start a new tradition, sending the best skin or add-on to our users every week. This new service is free and we hope that you would like it.
Everyone can offer us suggestions.
We do our best to serve you.
----------------
WinAmp Team.
www.WinAmp.com
Attachment: Iguana1.0_skin.exe
Subject: Blondes Forever
Message Body:
Hey, whatz up :)) Where are you? Don't you chat any more? I haven't seen you so long. Read this :))
- What do blondes wear behind their ears to attract men? Their ankles!!
- Why did god invent the female orgasm? So blondes know when to stop screwing!!
- What is a blond with hair black colored? Artificial intelligence!
Blondes forever!! :) Time off, i must go now, but i'll be very happy if you write to me soon :) Bye bye :))
Attachment: Blondes.exe
Subject: Virus Alert_
Message Body:
McAfee Antivirus warns about a new virus, called W32.Roro@mm. It is a high risk worm and it's using IRC and internet pages to infect computers. The virus deletes movies, music and system files.
Due to the significant increase of infected users, Microsoft Corporation, with the collaboration of McAfee Antivirus, supports clients of Microsoft Windows with à patch, which fixes a bug in Internet Explorer 5.5 or minor versions. This bug allows internet pages to grant access to local resources of visitors.
-----------------
McAfee Antivirus
www.McAfee.com
Attachment: IE_0276_Setup.exe
Subject: Yahoo! Toolbar_
Message Body:
Yahoo! Team is proud to present our new surprise for clients of Yahoo! and Yahoo! Mail. Yahoo! Toolbar is an innovative technology, which helps you to access Yahoo! Services easier than ever. It is free and is a gift for the 5th anniversary of Yahoo!.We hope that you would like it. The whole Yahoo! Team want to express our gratitude to you, the people who help us to improve Yahoo! so much, that it became the most popular worldwide portal.
Thank You!
We do our best to serve you.
-------------
Yahoo! Team.
www.Yahoo.com
Attachment: Yahoo!Toolbar.exe
The worm can copy itself to network shares and mapped drives using the same file names as the email attachments listed above (the same prefix and suffix combinations).
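Because the attachment names and the network-share copies are built from fixed prefix and suffix lists, a gateway or share scanner can match the whole family of names rather than one sample. The following is an added example (not code from the original description) that embeds two of the four groups from the lists above in a constructed, made-up log format:

```python
# Added example, not from the original description: a gateway-side check for the
# attachment and network-share file names built from the prefix/suffix lists
# above. Two of the four groups are embedded; the others have the same shape.
import re
from typing import Iterable, List, Set, Tuple

NAME_GROUPS: List[Tuple[List[str], List[str]]] = [
    (["BoxDave_", "PcDudes", "Pamela 3D_", "Kama Sutra", "LaFemmeNikita", "Fishfood",
      "install_en_", "Story017_", "Inter012_", "Actu002_", "Chess"],
     ["(sHow).EXE", "3D.EXE", "(Eng).EXE", "2.3.EXE"]),
    (["install_en_", "ClubExtreme", "WWF_The_ROCK", "EminemDesktop", "DMX tHeMe",
      "Inter012_", "Story017_", "Gipsy", "sound_brake_", "Elfbowl", "Goggles",
      "snowball_fight_", "Chess"],
     ["2.1.EXE", "(zip).EXE", "(sHow).EXE", "3D.EXE", "_zip.EXE", "(Eng).EXE", "_v1.1.EXE"]),
]

def build_matcher(groups=NAME_GROUPS):
    """One case-insensitive regex for every <prefix><suffix> pair, group by group;
    re.escape keeps the parentheses and dots in the suffixes literal."""
    alternatives = []
    for prefixes, suffixes in groups:
        p = "|".join(re.escape(x) for x in prefixes)
        s = "|".join(re.escape(x) for x in suffixes)
        alternatives.append(f"(?:{p})(?:{s})")
    return re.compile("^(?:" + "|".join(alternatives) + ")$", re.IGNORECASE)

def expand_names(groups=NAME_GROUPS) -> Set[str]:
    """Every concrete file name the groups generate, e.g. for a static blocklist."""
    return {p + s for prefixes, suffixes in groups for p in prefixes for s in suffixes}

ATTACHMENT = re.compile(r'attachment="([^"]+)"')

def flag_attachments(log_lines: Iterable[str]) -> List[str]:
    """Return the attachment names in gateway log lines that match a worm name."""
    matcher, hits = build_matcher(), []
    for line in log_lines:
        m = ATTACHMENT.search(line)
        if m and matcher.match(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed log lines in a made-up format (not real mail traffic).
SAMPLE_LOG = [
    'from=a@example.test attachment="Kama Sutra3D.EXE"',
    'from=b@example.test attachment="chess(show).exe"',
    'from=c@example.test attachment="report_2002.pdf"',
    'from=d@example.test attachment="Goggles_v1.1.EXE"',
]

if __name__ == "__main__":
    print(len(expand_names()), "known names; flagged:", flag_attachments(SAMPLE_LOG))
```

The matcher keeps each suffix list tied to its own prefix group, so a prefix paired with a suffix from a different group is not flagged; relax that deliberately if a looser net is wanted.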
Payload
Mass-mails itself to all addresses found in incoming messages.
Modifies registry to launch itself at startup.
Deletes system files.
Deletes anti-virus and firewall files.
Spreads via network shares.
Closes certain open windows.
Drops a backdoor Trojan.
Preventative Measures
Block all executable (EXE) attachments at the gateway where possible.
Fixes Available
Symantec:
Virus Definitions (Intelligent Updater) November 6, 2002
Virus Definitions (LiveUpdate) November 6, 2002