Roro worm version 5.1 (according to internal numbers) appeared in the beginning of 2003. We first got a sample of this worm from France. The worm version 5.1 has similar functionalities as the Roro.P (version 4.1) worm. The description of Roro.P worm can be found here:
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
However there are a few differences in version 5.1 comparing to version 4.1 of Roro worm:
1. The worm now displays one of its four fake error messages when its file is started for the first time:
WinZip Self-Extractor License Confirmation Your version of WinZip Self-Extractor is not licensed, or the license information is missing or corrupted. Please contact the program vendor or the web site (www.WinZip.com) for additional information.
Windows Cannot open file: it does not appear to be a valid program If you downloaded this file, try downloading file again.
Error Starting Program The <file_name> file expects a newer version of Windows. Upgrade your Windows version.
Windows <file_name> is not a valid Win32 application.
where the <file_name> represents the name of the file where the worm started from.
2. The new worm variant has several additional message templates that it uses to send itself from an infected system:
Preotkrii sebe si
Zdravei, ako si poluchil tova pismo znachi nqkoi priqtel ti go e pratil. Celta na pismoto e da ti pomogne da razberesh koi si vsushnost. Originalnata ideq e na Dalai Lama i tova e nein interaktiven variant. Predi da otvorite test-a si namislete edno jelanie, otgovorete na 5-te vuprosa i sled kato poluchite jelanite otgovori shte poluchite edno chislo. Za da vi se izpulni jelanieto trqbva da pratite tova pismo na tolkova priqteli. Testa se pravi samo vednuj, poneje sled tova nqma da poluchite obektivna ocenka. "Za da navlezem v sveta na drugite, purvo trqbva da budem nqsno sys sebe si" - Dalai Lama. P.S. Tozi test e samo za lichna upotreba, i ne biva da bude izpolzvan za kakvito i da bili komersialni celi.
Explore your soul
Hello, if you are reading this letter, it means that a friend of yours has sent it to you. The idea is to help you realize who you are indeed. This is an interactive variant, based on the original tests of Dhalai Lama, a great indian philosopher. Before you open the test, you should make a wish. Answer to the 5 questions honestly, after that you will recieve a number. If you want your wish to come true you must send this letter to that count of your friends. You can make the test only once, because after that the results won't be real. "If you want to enter the other's world, you should explore your soul first" - Dhalai Lama. P.S. This test is for personal use only, and should not be used with commercial purposes.
MiamiGirls.com Free Subscription_
On the occasion of it's 3th anniversary MiamiGirls.com wants to offer you even more pleasure than before. There are several new promotions and if you are interested you can watch the free demo and subsequently contact our web page. If you join now, the first month of your membership will be free. Thousands of hot teen pics and videos are available for you. Image Galleries, Cumshots, LiveCams, Hot Video Chat, Erotic Stories, XXX Lessons, Kama Sutra, Celebrities.. We provide the best services for our members. This site contains adult material that is unsuitable for those under the age of 18. ------------------------ www.MiamiGirls.com
Additionally the Yahoo! Games-related message is now sent with 'Yahoo!Baseball.scr' attachment. Also the Yahoo! Greeting-related message is sent with 'Yahoo!Winter.scr' attachment.
3. The worm can compose fake e-mail addresses from the following parts that are hardcoded in its body:
hotmail.com yahoo.com mail.com yahoo.co.uk usa.net europe.com aol.com blue16 tweety alice jane17 badboy rap_girl CrazyGirl happy amanda crazy mickey lady_f alex15 sunny dave panda_f dreamy candy_f bryan16 jerry baby_17 neo trish1 linda17 monica nicole angel_f mellany iguana17 blade badgirl wizzard
4. The worm now uses both EXE and SCR extensions for its files when it spreads. The SCR extension is first used in version 5.1 of the worm.
5. The worm can send out files that have the following strings in their names:
game data program egg credits quote fax read help bot script perl cgi cpp vbs js htm yahoo aol mail ebay spoof login user pass account charge billing payment cc- cc's visa credit kreditkarte cardnumber cardtype address expir cvv2
6. The worm has a bit different payload. It can detele all files from the Desktop or 'My Documents' folder. Also it can delete files with the following extensions:
txt wri doc
ods mmf nch mbx eml tbb dbx wab
Also, like in version 4.1, the worm can delete all files from a hard drive when its main configuration files are deleted from Windows System folder or its Registry keys are removed from the Registry more than 2-3 times.
7. The worm avoids to send messages to e-mail addresses containing strings from the following lists:
faq join download daemon list sub news mailer user serv anyone you@ me@ info secur corp sales microsoft msdn mcafee panda norton bullguard kaspersky safe admin master support help inc
8. When spreading in local network, the worm tries to locates folders with the following names on shared resources:
WINDOWS WIN WIN95 WIN98 WINME DIR
If such folder is located, the worm copies itself to that folder and modifies WIN.INI file there. This is done to infect remote Windows 9x computers. Infection will, however, happen when a remote computer is restarted.
9. The worm can keep its configuration and dropper files in Windows root folder now. In version 4.1 configuration files were stored in Windows System folder.
Detection and disinfection
F-Secure Anti-Virus detects Roro.51 worm with the latest updates. Disinfection of the worm can't be performed by FSAV as Roro kills F-Secure Anti-Virus tasks and removes its files.
F-Secure provides the special tool to disinfect several Roron worm variants. The tool can be downloaded from our ftp site:
IMPORTANT: Please read the supplied Readme.txt file carefully before using the disinfection tool. You can also read the Readme.txt file if you click on this link:
Technical Details: Alexey Podrezov; F-Secure Copr.; January 30th, 2003