However there are a few differences in version 5.1 comparing to
version 4.1 of Roro worm:
1. The worm now displays one of its four fake error messages when
its file is started for the first time:
WinZip Self-Extractor License Confirmation
Your version of WinZip Self-Extractor is not licensed, or the license information is missing or corrupted.
Please contact the program vendor or the web site (www.WinZip.com) for additional information.
Cannot open file: it does not appear to be a valid program
If you downloaded this file, try downloading file again.
Error Starting Program
The <file_name> file expects a newer version of Windows.
Upgrade your Windows version.
<file_name> is not a valid Win32 application.
where the <file_name> represents the name of the file where the
worm started from.
2. The new worm variant has several additional message templates
that it uses to send itself from an infected system:
Preotkrii sebe si
Zdravei, ako si poluchil tova pismo znachi nqkoi priqtel ti go e
pratil. Celta na pismoto e da ti pomogne da razberesh koi si
vsushnost. Originalnata ideq e na Dalai Lama i tova e nein
interaktiven variant. Predi da otvorite test-a si namislete
edno jelanie, otgovorete na 5-te vuprosa i sled kato poluchite
jelanite otgovori shte poluchite edno chislo. Za da vi se izpulni
jelanieto trqbva da pratite tova pismo na tolkova priqteli. Testa
se pravi samo vednuj, poneje sled tova nqma da poluchite obektivna
"Za da navlezem v sveta na drugite,
purvo trqbva da budem nqsno sys sebe si" - Dalai Lama.
P.S. Tozi test e samo za lichna upotreba, i ne biva da bude
izpolzvan za kakvito i da bili komersialni celi.
Explore your soul
Hello, if you are reading this letter, it means that a friend
of yours has sent it to you. The idea is to help you realize who
you are indeed. This is an interactive variant, based on the
original tests of Dhalai Lama, a great indian philosopher.
Before you open the test, you should make a wish. Answer to
the 5 questions honestly, after that you will recieve a number.
If you want your wish to come true you must send this letter
to that count of your friends. You can make the test only
once, because after that the results won't be real.
"If you want to enter the other's world,
you should explore your soul first" - Dhalai Lama.
P.S. This test is for personal use only, and should not
be used with commercial purposes.
MiamiGirls.com Free Subscription_
On the occasion of it's 3th anniversary MiamiGirls.com wants
to offer you even more pleasure than before. There are several
new promotions and if you are interested you can watch the free
demo and subsequently contact our web page. If you join now,
the first month of your membership will be free.
Thousands of hot teen pics and videos are available for you.
Image Galleries, Cumshots, LiveCams, Hot Video Chat, Erotic
Stories, XXX Lessons, Kama Sutra, Celebrities.. We provide
the best services for our members.
This site contains adult material that is unsuitable for those
under the age of 18.
Additionally the Yahoo! Games-related message is now sent with
'Yahoo!Baseball.scr' attachment. Also the Yahoo! Greeting-related
message is sent with 'Yahoo!Winter.scr' attachment.
3. The worm can compose fake e-mail addresses from the following
parts that are hardcoded in its body:
hotmail.com yahoo.com mail.com yahoo.co.uk usa.net europe.com aol.com
blue16 tweety alice jane17 badboy rap_girl CrazyGirl happy amanda crazy mickey lady_f alex15 sunny dave panda_f
dreamy candy_f bryan16 jerry baby_17 neo trish1 linda17 monica nicole angel_f mellany iguana17 blade badgirl wizzard
4. The worm now uses both EXE and SCR extensions for its files
when it spreads. The SCR extension is first used in version 5.1
of the worm.
5. The worm can send out files that have the following strings in
game data program egg credits quote fax read help bot script perl cgi cpp vbs js htm
yahoo aol mail ebay spoof login user pass account charge billing payment
cc- cc's visa credit kreditkarte cardnumber cardtype address expir cvv2
6. The worm has a bit different payload. It can detele all files
from the Desktop or 'My Documents' folder. Also it can delete
files with the following extensions:
txt wri doc
ods mmf nch mbx eml tbb dbx wab
Also, like in version 4.1, the worm can delete all files from a
hard drive when its main configuration files are deleted from
Windows System folder or its Registry keys are removed from the
Registry more than 2-3 times.
7. The worm avoids to send messages to e-mail addresses
containing strings from the following lists:
faq join download daemon list sub news mailer user serv anyone you@ me@ info secur corp sales
microsoft msdn mcafee panda norton bullguard kaspersky safe admin master support help inc
8. When spreading in local network, the worm tries to locates
folders with the following names on shared resources:
WINDOWS WIN WIN95 WIN98 WINME DIR
If such folder is located, the worm copies itself to that folder
and modifies WIN.INI file there. This is done to infect remote
Windows 9x computers. Infection will, however, happen when a
remote computer is restarted.
9. The worm can keep its configuration and dropper files in
Windows root folder now. In version 4.1 configuration files were
stored in Windows System folder.
Detection and disinfection
F-Secure Anti-Virus detects Roro.51 worm with the latest updates.
Disinfection of the worm can't be performed by FSAV as Roro kills
F-Secure Anti-Virus tasks and removes its files.
F-Secure provides the special tool to disinfect several Roron
worm variants. The tool can be downloaded from our ftp site:
IMPORTANT: Please read the supplied Readme.txt file carefully
before using the disinfection tool. You can also read the
Readme.txt file if you click on this link:
[Analysis: Alexey Podrezov; F-Secure Copr.; January 30th, 2003]