Threat Description

Roron.51

Details

Aliases: Roron.51, I-Worm.Roron.51, Roro, Roron, Oror, W32/Roro.AA@mm
Category: Malware
Type: Worm
Platform: W32

Summary



Roro worm version 5.1 (according to the version number the worm carries internally) appeared at the beginning of 2003; the first sample we received came from France. Version 5.1 has much the same functionality as the Roro.P worm (version 4.1). The description of the Roro.P worm can be found here:

http://www.europe.f-secure.com/v-descs/roro_p.shtml



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to the General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Version 5.1 differs from version 4.1 of the Roro worm in the following respects:

1. The worm now displays one of the following four fake error messages when its file is started for the first time:

WinZip Self-Extractor License Confirmation
 Your version of WinZip Self-Extractor is not licensed, or the license information is missing or corrupted.
 Please contact the program vendor or the web site (www.WinZip.com) for additional information.

or

Windows
 Cannot open file: it does not appear to be a valid program
 If you downloaded this file, try downloading file again.

or

Error Starting Program
 The <file_name> file expects a newer version of Windows.
 Upgrade your Windows version.

or

Windows
 <file_name> is not a valid Win32 application.

where <file_name> is the name of the file from which the worm was started. These messages are decoys: the appearance of such a dialog does not mean that the file failed to run.

2. The new variant has several additional message templates that it uses to send itself from an infected system. They are quoted verbatim below, including the worm's own misspellings. The first body is Bulgarian written in Latin letters; the second template is the worm's English rendering of the same chain-letter text:

From:

greetings@kefche.com

Subject:

Preotkrii sebe si

Body:

Zdravei, ako si poluchil tova pismo znachi nqkoi priqtel ti go e
 pratil. Celta na pismoto e da ti pomogne da razberesh koi si
 vsushnost. Originalnata ideq e na Dalai Lama i tova e nein
 interaktiven variant. Predi da otvorite test-a si namislete
 edno jelanie, otgovorete na 5-te vuprosa i sled kato poluchite
 jelanite otgovori shte poluchite edno chislo. Za da vi se izpulni
 jelanieto trqbva da pratite tova pismo na tolkova priqteli. Testa
 se pravi samo vednuj, poneje sled tova nqma da poluchite obektivna
 ocenka.
 "Za da navlezem v sveta na drugite,
 purvo trqbva da budem nqsno sys sebe si" - Dalai Lama.
 P.S. Tozi test e samo za lichna upotreba, i ne biva da bude
 izpolzvan za kakvito i da bili komersialni celi.

Attachment:

Faith.scr

or:

From:

greetings@e-cards.com

Subject:

Explore your soul

Body:

Hello, if you are reading this letter, it means that a friend
 of yours has sent it to you. The idea is to help you realize who
 you are indeed. This is an interactive variant, based on the
 original tests of Dhalai Lama, a great indian philosopher.
 Before you open the test, you should make a wish. Answer to
 the 5 questions honestly, after that you will recieve a number.
 If you want your wish to come true you must send this letter
 to that count of your friends. You can make the test only
 once, because after that the results won't be real.
 "If you want to enter the other's world,
 you should explore your soul first" - Dhalai Lama.
 P.S. This test is for personal use only, and should not
 be used with commercial purposes.

Attachment:

Faith.scr

or:

From:

support@miamigirls.com

Subject:

MiamiGirls.com Free Subscription_

Body:

On the occasion of it's 3th anniversary MiamiGirls.com wants
 to offer you even more pleasure than before. There are several
 new promotions and if you are interested you can watch the free
 demo and subsequently contact our web page. If you join now,
 the first month of your membership will be free.
 Thousands of hot teen pics and videos are available for you.
 Image Galleries, Cumshots, LiveCams, Hot Video Chat, Erotic
 Stories, XXX Lessons, Kama Sutra, Celebrities.. We provide
 the best services for our members.
 This site contains adult material that is unsuitable for those
 under the age of 18.
 ------------------------
 www.MiamiGirls.com

Attachment:

FreeTour.scr

Additionally, the Yahoo! Games-related message is now sent with a 'Yahoo!Baseball.scr' attachment, and the Yahoo! Greeting-related message with a 'Yahoo!Winter.scr' attachment.

3. The worm can compose fake e-mail addresses from the following parts, which are hardcoded in its body (domain names on the first line, user names on the following lines):

hotmail.com yahoo.com mail.com yahoo.co.uk usa.net europe.com aol.com
 blue16 tweety alice jane17 badboy rap_girl CrazyGirl happy amanda crazy mickey lady_f alex15 sunny dave panda_f
 dreamy candy_f bryan16 jerry baby_17 neo trish1 linda17 monica nicole angel_f mellany iguana17 blade badgirl wizzard

4. The worm now uses both EXE and SCR extensions for its files when it spreads; the SCR extension is new in version 5.1.

5. The worm can send out files from the infected system whose names contain any of the following strings (note that many of them target payment-card and credential data):

game data program egg credits quote fax read help bot script perl cgi cpp vbs js htm
 yahoo aol mail ebay spoof login user pass account charge billing payment
 cc- cc's visa credit kreditkarte cardnumber cardtype address expir cvv2

6. The payload differs slightly. The worm can delete all files from the Desktop or 'My Documents' folder, or delete files with one of the following sets of extensions:

txt wri doc

or

ods mmf nch mbx eml tbb dbx wab

As in version 4.1, the worm can also delete all files from the hard drive if its main configuration files are deleted from the Windows System folder or its Registry keys are removed more than 2-3 times. Repeated manual removal attempts can therefore trigger this destructive payload, which is one reason to use the dedicated removal tool described below rather than deleting the worm's files by hand.

7. The worm does not send messages to e-mail addresses containing any of the following strings (largely mailing-list, role-account and anti-virus vendor addresses):

faq join download daemon list sub news mailer user serv anyone you@ me@ info secur corp sales
 microsoft msdn mcafee panda norton bullguard kaspersky safe admin master support help inc
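The lists in items 2 through 7 can be used directly as mail-gateway indicators. The Python script below is an added example, not F-Secure's code or tool: it scores a raw message against the template senders and attachment names, the hardcoded name/domain parts, the harvested-file name strings and the recipient fragments quoted above. The description does not say how the worm joins the name and domain parts, so the script assumes a plain name@domain form; the four sample messages are constructed for the demonstration, and the block/review thresholds are the example's own choice.

```python
"""Mail-gateway heuristic for Roron.51 traffic (added example, not F-Secure code)."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Item 2: fixed senders and attachment names of the quoted templates.
TEMPLATE_SENDERS = {"greetings@kefche.com", "greetings@e-cards.com",
                    "support@miamigirls.com"}
TEMPLATE_ATTACHMENTS = {"faith.scr", "freetour.scr",
                        "yahoo!baseball.scr", "yahoo!winter.scr"}
# Item 3: hardcoded parts of fake addresses; joining them as name@domain is an assumption.
FAKE_DOMAINS = "hotmail.com yahoo.com mail.com yahoo.co.uk usa.net europe.com aol.com".split()
FAKE_USERS = ("blue16 tweety alice jane17 badboy rap_girl CrazyGirl happy amanda crazy "
              "mickey lady_f alex15 sunny dave panda_f dreamy candy_f bryan16 jerry "
              "baby_17 neo trish1 linda17 monica nicole angel_f mellany iguana17 blade "
              "badgirl wizzard").split()
# Item 4: extensions the worm uses for its own files.
SPREAD_EXTENSIONS = (".exe", ".scr")
# Item 5: strings in the names of files the worm sends out from the victim.
HARVEST_STRINGS = ("game data program egg credits quote fax read help bot script perl cgi "
                   "cpp vbs js htm yahoo aol mail ebay spoof login user pass account charge "
                   "billing payment cc- cc's visa credit kreditkarte cardnumber cardtype "
                   "address expir cvv2").split()
# Item 7: recipient fragments the worm refuses to mail.
SKIP_FRAGMENTS = ("faq join download daemon list sub news mailer user serv anyone you@ me@ "
                  "info secur corp sales microsoft msdn mcafee panda norton bullguard "
                  "kaspersky safe admin master support help inc").split()

FAKE_FROM_RE = re.compile(r"^(?:%s)@(?:%s)$" % ("|".join(map(re.escape, FAKE_USERS)),
                                              "|".join(map(re.escape, FAKE_DOMAINS))),
                          re.IGNORECASE)


def would_be_skipped(address: str) -> bool:
    """True if the worm would not mail this address (item 7)."""
    a = address.lower()
    return any(frag in a for frag in SKIP_FRAGMENTS)


def attachment_reasons(name: str) -> list:
    """Reasons an attachment name looks like the worm itself or a harvested file."""
    n = name.lower()
    if n in TEMPLATE_ATTACHMENTS:
        return ["known worm attachment " + name]
    if n.endswith(SPREAD_EXTENSIONS):
        return ["executable attachment " + name]
    if any(s in n for s in HARVEST_STRINGS):
        return ["name matches harvested-file list: " + name]
    return []


def score_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and collect Roron.51 indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, sender = email.utils.parseaddr(msg.get("From", ""))
    sender = sender.lower()
    reasons = []
    if sender in TEMPLATE_SENDERS:
        reasons.append("template sender " + sender)
    elif FAKE_FROM_RE.match(sender):
        reasons.append("sender built from hardcoded name/domain parts")
    for part in msg.iter_attachments():
        if part.get_filename():
            reasons.extend(attachment_reasons(part.get_filename()))
    # Thresholds are this example's choice: two independent indicators block.
    verdict = "block" if len(reasons) >= 2 else ("review" if reasons else "pass")
    return {"sender": sender, "reasons": reasons, "verdict": verdict}


def build_sample(sender: str, subject: str, body: str, attachment: str = "") -> bytes:
    """Construct a sample message for the demo (not a captured worm mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "victim@example.org", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


SAMPLES = {
    "soul_test": build_sample("greetings@e-cards.com", "Explore your soul",
                              "Hello, if you are reading this letter ...", "Faith.scr"),
    "fake_from": build_sample("linda17@hotmail.com", "Yahoo! Greeting",
                              "A friend sent you a greeting.", "Yahoo!Winter.scr"),
    "harvested": build_sample("badboy@yahoo.co.uk", "files", "", "visa_cardnumber.txt"),
    "legit": build_sample("alice@example.com", "Q1 report",
                          "Attached is the report.", "report.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, score_message(raw))
```

Run it as-is to score the four constructed messages. The harvested-file check is only applied to attachments that are not the worm's own .exe/.scr files, because names such as Yahoo!Winter.scr also contain the harvested string 'yahoo'. The skip list in item 7 is why abuse@ or postmaster@ mailboxes see little of this traffic: would_be_skipped('postmaster@example.com') is true because the address contains 'master'.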

8. When spreading in a local network, the worm looks for folders with the following names on shared resources:

WINDOWS WIN WIN95 WIN98 WINME DIR

If such a folder is found, the worm copies itself into it and modifies the WIN.INI file there. This is done to infect remote Windows 9x computers; the remote computer is not actually infected until it is next restarted, because a change to WIN.INI only takes effect when Windows starts.
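An added example, not F-Secure's tool, of how to check a WIN.INI found in such a shared folder for the modification described above. The description does not say which line the worm changes; the script assumes the only autostart lines WIN.INI has, run= and load= in the [windows] section, which a Windows 9x host processes at startup. The two WIN.INI texts and the file name wormcopy.scr are constructed placeholders, since the name the worm uses for its network copy is not given here.

```python
"""Audit WIN.INI autostart lines in Windows folders exposed on shares (added example)."""
import re
from pathlib import PureWindowsPath

TARGET_FOLDERS = {"WINDOWS", "WIN", "WIN95", "WIN98", "WINME", "DIR"}   # item 8
SPREAD_EXTENSIONS = {".exe", ".scr"}                                     # item 4


def parse_autostart(win_ini_text: str) -> list:
    """Return (key, program) pairs from the run= and load= lines of [windows].

    Assumption: these are the lines the worm edits; the description only
    says that WIN.INI is modified and that infection follows a restart.
    """
    section = None
    found = []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("run", "load"):
            # Windows accepts several programs separated by spaces or commas.
            for prog in re.split(r"[,\s]+", value.strip()):
                if prog:
                    found.append((key, prog))
    return found


def is_worm_target(folder: str) -> bool:
    """True if the folder name is one the worm looks for on shares."""
    return PureWindowsPath(folder).name.upper() in TARGET_FOLDERS


def audit(folder: str, win_ini_text: str, allowlist=()) -> dict:
    """Flag run=/load= entries that start an EXE or SCR not on the allowlist."""
    allowed = {a.lower() for a in allowlist}
    entries = parse_autostart(win_ini_text)
    suspicious = [(k, p) for k, p in entries
                  if PureWindowsPath(p).suffix.lower() in SPREAD_EXTENSIONS
                  and PureWindowsPath(p).name.lower() not in allowed]
    return {"folder": folder, "worm_target": is_worm_target(folder),
            "autostart": entries, "suspicious": suspicious}


# Constructed samples: a stock-looking WIN.INI and one with an injected run= line.
CLEAN_WIN_INI = """[windows]
load=
run=
NullPort=None

[Desktop]
Wallpaper=(None)
"""
# wormcopy.scr is a placeholder name; the real file name is not given in the description.
TAMPERED_WIN_INI = CLEAN_WIN_INI.replace("run=\n", "run=C:\\WINDOWS\\wormcopy.scr\n")

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_WIN_INI), ("tampered", TAMPERED_WIN_INI)):
        print(name, audit(r"\\host\c$\WINDOWS", text))
```

Read the WIN.INI from each WINDOWS, WIN, WIN95, WIN98, WINME or DIR folder reachable on your shares, pass its text and the folder path to audit(), and review anything reported under 'suspicious'; programs that legitimately belong in run= or load= can be passed through allowlist. A folder that is a worm target and is writable by everyone on the network is worth fixing even when its WIN.INI is still clean.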

9. The worm can now keep its configuration and dropper files in the Windows root folder; in version 4.1 the configuration files were stored in the Windows System folder.

Detection and disinfection

F-Secure Anti-Virus detects the Roro.51 worm with the latest updates. FSAV cannot disinfect the worm itself, because Roro kills the F-Secure Anti-Virus tasks and removes its files.

F-Secure provides a special tool that disinfects several Roron worm variants. The tool can be downloaded from our ftp site:

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-roron.zip

IMPORTANT: Please read the supplied Readme.txt file carefully before using the disinfection tool. The Readme.txt file is also available at this link:

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-roron.txt





Technical Details: Alexey Podrezov; F-Secure Corp.; January 30th, 2003

