Classification

Category :

Malware

Type :

-

Aliases :

Roron.51, I-Worm.Roron.51, Roro, Roron, Oror, W32/Roro.AA@mm

Summary

Roro worm version 5.1 (according to its internal version number) appeared at the beginning of 2003. We first received a sample of this worm from France. Version 5.1 has similar functionality to the Roro.P (version 4.1) worm. The description of the Roro.P worm can be found here:

https://www.europe.f-secure.com/v-descs/roro_p.shtml

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

There are, however, a few differences between version 5.1 and version 4.1 of the Roro worm:

1. The worm now displays one of its four fake error messages when its file is started for the first time:

WinZip Self-Extractor License Confirmation
Your version of WinZip Self-Extractor is not licensed, or the license information is missing or corrupted.
Please contact the program vendor or the web site (www.WinZip.com) for additional information.

or

Windows
Cannot open file: it does not appear to be a valid program
If you downloaded this file, try downloading file again.

or

Error Starting Program
The <file_name> file expects a newer version of Windows.
Upgrade your Windows version.

or

Windows
<file_name> is not a valid Win32 application.

where <file_name> represents the name of the file from which the worm was started.

2. The new worm variant has several additional message templates (each consisting of From, Subject, Body and Attachment fields) that it uses to send itself from an infected system:


Additionally, the Yahoo! Games-related message is now sent with a 'Yahoo!Baseball.scr' attachment, and the Yahoo! Greeting-related message is sent with a 'Yahoo!Winter.scr' attachment.

3. The worm can compose fake email addresses from the following parts that are hardcoded in its body:


4. The worm now uses both EXE and SCR extensions for its files when it spreads. The SCR extension is first used in version 5.1 of the worm.

5. The worm can send out files that have the following strings in their names:


6. The worm has a slightly different payload. It can delete all files from the Desktop or 'My Documents' folder. It can also delete files with the following extensions:


Also, as in version 4.1, the worm can delete all files from a hard drive when its main configuration files are deleted from the Windows System folder or its Registry keys are removed from the Registry more than 2-3 times.

7. The worm avoids sending messages to email addresses containing strings from the following lists:


8. When spreading in a local network, the worm tries to locate folders with the following names on shared resources:


If such a folder is found, the worm copies itself to that folder and modifies the WIN.INI file there. This is done to infect remote Windows 9x computers. The infection will, however, only take effect when the remote computer is restarted.
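As an added defender-side example (not F-Secure's tool and not the worm's code), the following script audits a WIN.INI for autostart entries pointing at EXE or SCR files, the extensions the worm uses; that the worm hooks the run=/load= lines of the [windows] section is an assumption, and the sample WIN.INI is constructed.

```python
"""Audit WIN.INI autostart lines found on a share (added example).

Win9x starts programs listed on the run= and load= lines of the
[windows] section at boot; assuming this is the hook the worm uses,
a run=/load= entry naming an .exe/.scr file is worth inspecting.
"""
import re
from pathlib import Path

SUSPECT_EXT = {".exe", ".scr"}  # extensions Roro.51 uses for its files

def parse_autostart(ini_text: str) -> dict:
    """Return {'run': [...], 'load': [...]} from the [windows] section."""
    section = None
    found = {"run": [], "load": []}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()  # entered a new [section]
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in found:
            # run=/load= accept several programs separated by spaces or commas
            found[key].extend(p for p in re.split(r"[ ,]+", value.strip()) if p)
    return found

def suspicious_entries(ini_text: str) -> list:
    """(key, program) pairs whose program has an EXE or SCR extension."""
    hits = []
    for key, progs in parse_autostart(ini_text).items():
        for prog in progs:
            if Path(prog).suffix.lower() in SUSPECT_EXT:
                hits.append((key, prog))
    return hits

# Constructed sample of a WIN.INI after such a modification; the file name
# is a placeholder, not a real worm file name.
SAMPLE_WIN_INI = """; constructed sample, not a real capture
[windows]
load=
run=sample_worm.scr
NullPort=None
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    for key, prog in suspicious_entries(SAMPLE_WIN_INI):
        print(f"{key}= references {prog}")
```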

9. The worm can now keep its configuration and dropper files in the Windows root folder. In version 4.1 the configuration files were stored in the Windows System folder.

Detection and disinfection

F-Secure Anti-Virus detects the Roro.51 worm with the latest updates. Disinfection of the worm cannot be performed by FSAV, as Roro kills F-Secure Anti-Virus tasks and removes its files.

F-Secure provides a special tool to disinfect several Roron worm variants. The tool can be downloaded from our ftp site:

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-roron.zip

IMPORTANT: Please read the supplied Readme.txt file carefully before using the disinfection tool. You can also read the Readme.txt file if you click on this link:

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-roron.txt