Additional Details
The worm's file is a Windows PE executable 68608 bytes long. It
is packed with the UPX file compressor; the unpacked worm is about
145 kilobytes in size.
Installation to system
When the worm is run for the first time, it shows a fake error
message:
Error Starting Program
The <file_name> file expects a newer version of Windows.
Upgrade your Windows version.
where <file_name> is the name of the file the worm was started
from.
Then the worm installs itself to the system. It copies itself to
the system several times under semi-randomly generated names. A
generated file name can contain one of the following parts:
_
run
dx
cmd
16
32
98
lib
vxd
sys
dll
cfg
def
The generated name can also contain 1-4 random characters. For
example, on our test system the worm copied itself as
"DXTRVA16.EXE". The worm copies its file with a generated name
into the Windows System directory and creates a startup key for
that file in the Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadProfile" = "<worm_file_name> powprof.dll,LoadCurrentUserProfile"
where <worm_file_name> is the name of the worm's file.
The worm can also copy itself into different folders of the
Program Files folder tree, borrowing the name of the folder and
adding one or more parts from the list above. For example, on our
test system the worm copied itself to the "C:\Program Files\Online
Services\" folder under the name "Online Services32.exe". The worm
creates an autostart key for the copied file in the Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<path>" = "<drive>:\<path>\<worm_file_name>"
where <drive> is the logical drive name, <path> is a directory
name and <worm_file_name> is the name of the worm's file. The
name of the Registry entry is the same as the folder's name.
Additionally, the worm can copy itself to the system under the
name of an existing file with one or more parts from the list
above added to it. For example, on our test system the worm
copied itself as "MSTCP32.EXE" to the Windows System folder. The
worm modifies the run= variable of the WIN.INI file so that the
copied file is loaded on every Windows startup:
[Windows]
run=<winsysdir>\<worm_file_name>
where <winsysdir> is the Windows System directory and
<worm_file_name> is the name of the worm's file.
The Roro worm also modifies the default EXE file startup key so
that it is run whenever a user tries to start an EXE file:
[HKCR\exefile\shell\open\command]
@ = "<winsysdir>\<worm_file_name> "%1" %*"
where <winsysdir> is the Windows System directory and
<worm_file_name> is the name of the worm's file.
The worm creates several configuration files where it stores its
settings, file names and e-mail addresses. These configuration
files also have generated names; for example, on our test system
they were named "DXTASK16.DLL", "SYSTRVA_.DEF" and "TRVA98.SYS".
The worm creates several threads. One thread restores the EXE file
startup key if it is changed. Another thread re-creates the worm's
files if they are changed. The main worm thread keeps stopping
and removing anti-virus and security software and is responsible
for mass-mailing, spreading to network shares and payload
activation.
Affecting IRC client
If the worm finds an IRC client, it can replace one of the
client's configuration files (INI scripts) with its own script,
which is more than 37 kilobytes long. The worm's IRC script is
very powerful and allows the following actions to be performed:
remote access (upload/download files, browse the content of the remote user's drives)
perform a DoS attack (Denial of Service)
get the user's passwords (password stealing)
cloning (create multiple instances on the IRC server)
extract e-mail addresses from the remote user's Outbox
extract e-mail addresses from the remote user's HTML files
open URLs on the remote user's computer
advertise different websites from a hardcoded list
various actions (get info about the trojan, shut down or restart Windows, execute files,
set mode, run a sniffer, delete files)
This backdoor (hacker's remote access) script gives a hacker
limited control over the infected system.
Spreading via Kazaa
When the worm finds a Kazaa file sharing client, it enables
sharing (if it was disabled) and copies itself to the Kazaa shared
folder. The worm generates file names from the lists below by
appending an entry of list B to an entry of list A and adding the
EXE extension:
List A:
KaZaA Media Desktop v2.0.8_
Serials 2K 7.2 (by SNTeam)_
Serials2002_8.0(17.08.02)_
Dreamweaver_5.0_Patch_
ACDSee
WinAmp_3.2_Cool_
Download Accelerator 5.5_
Nero Burning Rom 5.6.0.3_
cRedit_CarDs_gEn
MeGa HACK
Zip Password Recovery
GTA 3 Bonus Cars(part1)_
EminemDesktop
DMX tHeMe
NFS 5 Bonus Cars_
Counter Strike 1.5 (Editor)_
Madonna Desktop
WinZip 8.2_
DivX 5.4 Bundle_
List B:
7.1 FULL
v5.5
(zip)
3.0
(Eng)
(Cracked)
The worm can also use the following list:
List A:
PcDudes
BritneyUltimate
Pamela 3D_
Britney Suxx
KamaSutra
LaFemmeNikita
Teen Sex Cam
Lolita
Pam Anderson Theme
Sexy Teens Desktop
SexSpy
Anal Explorer
VirtualRape
Hot Blondies
Strip Kournikova
List B:
(sHow)
3D
3.0
(Eng)
v4.5
(Rated)
The files copied to the Kazaa shared folder have different lengths
because the worm writes its own body into each of them several
times. This is done to trick other Kazaa users into downloading
files whose size appears to match their advertised content: the
worm's own size is only 68 kilobytes, and to pass for a movie or
an installation package it has to increase its size significantly.
Infecting local network
The Roro.P worm tries to infect computers connected to the same
LAN (local area network) as the infected computer. The worm looks
for shared network resources and network drives and copies itself
to them. In the same folder the worm creates an AUTORUN.INF file
with the following content:
[Autorun]
OPEN=<worm_file_name>
where <worm_file_name> is the name of the worm's file (see the
name generation lists in the "Spreading via Kazaa" section). The
files copied to the remote computer have different lengths, as
the worm writes its own body into them several times.
The trick with the Autorun.inf file is that when a computer is
restarted, Windows reads the Autorun.inf file from the root
folder of a drive (if the AutoPlay function is enabled) and
starts the program named in its OPEN= variable. The Autorun.inf
functionality was originally developed to start setup/intro
programs from CD-ROMs automatically, but the approach also works
for hard drives. Older Windows systems, however, are not affected.
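The name lists in the "Spreading via Kazaa" section and the AUTORUN.INF dropped on network shares give a defender two concrete things to look for in a share or a Kazaa folder: file names built as list A + list B + ".exe", and an [Autorun] section whose OPEN= entry points at a file in the same folder. The script below is an added example, not F-Secure's detection code; it builds the full lure-name set from the two list pairs above and scans a constructed folder listing. The listing, the file sizes and the AUTORUN.INF text are made up for the example.

```python
import itertools
from typing import Dict, List, Optional, Tuple

# Name lists copied from the "Spreading via Kazaa" section: a file name is an
# entry of list A, followed by an entry of list B, followed by ".exe".
KAZAA_NAME_LISTS = [
    (['KaZaA Media Desktop v2.0.8_', 'Serials 2K 7.2 (by SNTeam)_',
      'Serials2002_8.0(17.08.02)_', 'Dreamweaver_5.0_Patch_', 'ACDSee',
      'WinAmp_3.2_Cool_', 'Download Accelerator 5.5_', 'Nero Burning Rom 5.6.0.3_',
      'cRedit_CarDs_gEn', 'MeGa HACK', 'Zip Password Recovery',
      'GTA 3 Bonus Cars(part1)_', 'EminemDesktop', 'DMX tHeMe', 'NFS 5 Bonus Cars_',
      'Counter Strike 1.5 (Editor)_', 'Madonna Desktop', 'WinZip 8.2_', 'DivX 5.4 Bundle_'],
     ['7.1 FULL', 'v5.5', '(zip)', '3.0', '(Eng)', '(Cracked)']),
    (['PcDudes', 'BritneyUltimate', 'Pamela 3D_', 'Britney Suxx', 'KamaSutra',
      'LaFemmeNikita', 'Teen Sex Cam', 'Lolita', 'Pam Anderson Theme',
      'Sexy Teens Desktop', 'SexSpy', 'Anal Explorer', 'VirtualRape',
      'Hot Blondies', 'Strip Kournikova'],
     ['(sHow)', '3D', '3.0', '(Eng)', 'v4.5', '(Rated)']),
]


def lure_names() -> frozenset:
    """Every file name the worm can generate for Kazaa and network shares, lower-cased."""
    names = set()
    for list_a, list_b in KAZAA_NAME_LISTS:
        names.update((a + b + '.exe').lower() for a, b in itertools.product(list_a, list_b))
    return frozenset(names)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value entries of the [Autorun] section (keys lower-cased)."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            in_autorun = line[1:-1].lower() == 'autorun'
            continue
        if in_autorun and '=' in line:
            key, value = line.split('=', 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def scan_share(listing: List[Tuple[str, int]], autorun_text: Optional[str] = None) -> dict:
    """Check one folder listing of (name, size) pairs for lure files and an AUTORUN.INF launcher."""
    known = lure_names()
    present = {name.lower() for name, _ in listing}
    result = {
        'lures': [(name, size) for name, size in listing if name.lower() in known],
        'autorun_open': None,
        'autorun_target_present': False,
    }
    if autorun_text is not None:
        target = parse_autorun(autorun_text).get('open')
        if target:
            result['autorun_open'] = target
            # The worm's OPEN= names a file it dropped alongside the INF.
            result['autorun_target_present'] = target.lower() in present
    return result


# Constructed folder listing and AUTORUN.INF (not a capture from a real share);
# the differing sizes mimic the padded copies the description mentions.
SAMPLE_LISTING = [
    ('WinZip 8.2_(Cracked).exe', 1_245_184),
    ('EminemDesktop(zip).exe', 617_472),
    ('Pamela 3D_(sHow).exe', 2_001_920),
    ('quarterly_report.xls', 44_032),
    ('AUTORUN.INF', 36),
]
SAMPLE_AUTORUN = '[Autorun]\nOPEN=WinZip 8.2_(Cracked).exe\n'

if __name__ == '__main__':
    print(scan_share(SAMPLE_LISTING, SAMPLE_AUTORUN))
```

Matching is case-insensitive because Windows file names are. The lure set is exact-match only; a variant that changes a single entry in either list would slip past it, so it is a triage aid for the listed names, not a general detection.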
Spreading in e-mail
The Roro.P worm spreads itself in e-mail messages. It can send
messages of different types. The first type is a fixed message.
Fixed infected messages look like this:
From:
support@yahoo.com
Subject:
Yahoo! Toolbar_
Body:
Yahoo! Team is proud to present our new surprise
for clients of Yahoo! and Yahoo! Mail.
Yahoo! Toolbar is an innovative technology, which
helps you to access Yahoo! Services easier than ever.
It is free and is a gift for the 5th anniversary of Yahoo!.
We hope that you would like it.
The whole Yahoo! Team want to express our gratitude to you,
the people who help us to improve Yahoo! so much, that it
became the most popular worldwide portal
Thank You!
We do our best to serve you.
-------------
Yahoo! Team.
www.Yahoo.com
Attachment:
Yahoo!Toolbar.exe
More message variants:
From:
support@microsoft.com
Subject:
Virus Alert_
Body:
McAfee Antivirus warns about a new virus, called W32.Roro@mm.
It is a high risk worm and it's using IRC and internet pages'
to infect computers. The virus deletes movies, music and
system files.
Due to the significant increase of infected users,
Microsoft Corporation, with the collaboration of
McAfee Antivirus, supports clients of Microsoft Windows
with a patch, which fixes a bug in Internet Explorer 5.5
or minor versions. This bug allows internet pages
to grant access to local resources of visitors.
-----------------
McAfee Antivirus
www.McAfee.com
Attachment:
IE_0276_Setup.exe
Another message variant:
From:
support@winamp.com
Subject:
WinAmp Team_
Body:
Hello, WinAmp User. WinAmp Team is proud to present our new
surprise for users of WinAmp. WinAmp 3.0 Final has been just
released and we believe that it will be the player you've ever
dreamed about.
We plan to start a new tradition, sending the best skin or
add-on to our users every week. This new service is free and
we hope that you would like it.
Everyone can offer us suggestions.
We do our best to serve you.
----------------
WinAmp Team.
www.WinAmp.com
Attachment:
Iguana1.0_skin.exe
More message variants:
From:
greetings@reply.yahoo.com
Subject:
<user name> sent you a Yahoo! Greeting__
Body:
Surprise! You've just received a Yahoo! Greeting
from "<user_e-mail>" (<user_name>)!
This is an interactive greeting card
and requires Flash Media Player.
Enjoy!
The Yahoo! Greetings Team.
-----------------
Yahoo! Greetings is a free service. If you'd like to send someone a
Yahoo! Greeting, you can do so at http://greetings.yahoo.com'
Attachment:
Yahoo!Tomcats.exe
or:
Yahoo!Autumn.exe
More message variants:
From:
support@games.yahoo.com
Subject:
Yahoo! Games_
Body:
Yahoo! Team is proud to present our new surprise
for clients of Yahoo! and Yahoo! Mail.
We plan to send you the best Yahoo! Games weekly.
This new service is free and it's a gift for the 5th
anniversary of Yahoo!. We hope that you would like it.
The whole Yahoo! Team want to express our gratitude to
you, the people who help us to improve Yahoo! so much,
that it became the most popular worldwide portal.
Thank You!
We do our best to serve you.
-------------
Yahoo! Team.
www.Yahoo.com
Attachment:
Yahoo!Chess.exe
Another message variant:
From:
alert@computel.bg
Subject:
Vajno_
Body:
Panda Antivirus preduprejdava za nalichieto na nov virus
v internet, narechen W32.Roro@mm. Razprostranqva se predimno
po IRC i chrez zarazeni internet stranici. Sled zarazqvaneto
toi iztriva mp3-ki, filmi i dokumenti.
Poradi golemiq broi zarazeni bulgari prez poslednite
nqkolko dena, Panda Antivirus zapochna razprostranenieto na
patch, koito opravq bug v Internet Explorer 5.5 i minali
versii, pozvolqvasht na stranici sas zlovredno sudurjanie
da izpulnqvat komandi vurhu posetitelite.
Druga nasha preporuka e ako ste veche zarazeni da ne
opitvate da mahate virusa ruchno, a samo s antivirusna
programa, poneje pri neuspeshen opit za premahvane
W32.Roro iztriva razlichni vidove failove na operacionnata
sistema.
------------------
Panda Antivirus, Bulgaria.
www.Computel.bg
Attachment:
IE50_032.exe
And one more variant:
From:
bg@microsoft.com
Subject:
Microsoft Bulgaria_
Body:
Blagodarenie na dulgogodishnite tradicii na Microsoft v Bulgaria
i dobrata i suvestna rabota na vsichki neini podchineni, mojem
nai-nakraq da pozdravim bulgarskiq potrebitel s prevod na
Internet Explorer na bulgarski.
Tova e edno uspeshno produljenie na iniciativata za prevejdane na
Ms Office 2000 ® na rodniq ni ezik. Update-a e bezplaten i e
podaruk po sluchai 10 godishninata na Microsoft v Bulgaria.
Nadqvame se bulgarskite potrebiteli da ostanat dovolni, koeto shte
bude nai-golemiq podaruk za nas.
---------------------
Microsoft, Bulgaria.
Attachment:
IE_0274_bg.exe
The second type of message is a semi-randomly generated message.
The worm randomly chooses subject, body and attachment name for
the message.
Subject can be one of the following:
Zdrasti
Zdr Otnovo
Ohoo
Ei dupe
Pisamce
TinKi WinKy
ZzZz
Bla Bla
Hey
Privet
Boom
HeY
ZzZz
Bla Bla
HoWie
Happy
Hi Again
Wow
Hi
Hello
Hey Ya
Boom
Hi There
The subject can be followed by one of the following:
..
!!
:)
;))
:pP
~pPp
:>
!
;)
Message body is selected from the following variants:
Ekiput na Kefche.com ima radostta da pozdravi vsichki
fenove na Kefcheto s 1-ta godishnina ot puskaneto na site-a.
Nie se prevurnahme v nai-dobriq i poseshtavan bg site
za zabavleniq i igri. Ot samoto si nachalo Kefche.com ima
za cel da vi nosi samo i edinstveno smqh i zabava,
nadqvame se che sme postignali celite si :))
Po sluchai godishninata, ekiput ni poe iniciativata da
izprashta vsqka sedmica nai-dobrite flash-cheta i
igrichki na vsichki user-i poseshtavashti Kefche-to.
Nadqvame se da vi haresa i tova da bude samo nachaloto
na edno novo zabavlenie :))
-----------------
Kefche.com Team.
or:
Zdravei :)) Da ne me zabravi ve4e :) Ko praish? Za teb neznam
ama v momenta se chustvam mnoo qko i reshih da ti pisha :) Kolko
ti e rekorda na minichkite? Toku shto na Expert razminirah za 2 minuti :))
Ei sq smqtam da si vzema nqkoi qk film i da gledam.
Hodil li si na <web_site> - Mnoo me kefi :)) Za drugo ne se
seshtam tai che chao za sega :)) I da pishesh :pP
or:
Hey :) Kak si? Otdavna ne sme se chuvali :)) Kak q karash, neshto
novo ima li? Nqma da povqrvash kakvo mi se sluchi neska :)
Vidqh Slavi Trifonov i nqkvi mnoo qki madami s nego :))) Ko shi kajesh a?
Misleh da mu iskam avtograf ama me dosramq :(( Karai, drug pat ~pP.
Skoro shti pratq onva deto obeshtah, za sq mojesh da hvarlish edno
oko na <web_site> :) Ako imash nqkvi predlojeniq
pishi mi :)) Aide doskoro i umnata ~pP
or:
Hey :)) Kak q karash? Pomnish li me oshte :))
Nadqvam se che da. Baq vreme ne sme sa chuvali..
Neshto novo ima li? Namerih edna mnoo qka programka
i neznam zashto, no mi napomni za teb :))
Kakvo pravi blondinka kato rodi bliznaci? - Chudi se koi e vtoriq tatko :)
Kakva e razlikata mejdu 10 ovce i 3 blondinki? Otgovor: 7
Kak mojesh da razsmeesh blondinka v petak? - Kato i razkajesh vic vav vtornik :)
Kefqt li ta vicovete? Shegichka de :) Razkazva vicove na 5 minuti :))
Posmqh se za baq vreme napred :pPpP Haide bye za sega, i da pishesh :))
or:
Zdrasti, ko staa :))) Baq vreme ne sme se chuvali. Beshe mi
skuchno i si vikam shto da ne napisha nqkoi drugo pismo :))
Sq i tva daskalo i napravo ujas, ne sa jivee :) Ti ostai drugoto
ami i e studeno.. ~PpPp. Dano idva vakanciqta po skoro :)) Pishi
neshto interesno, kak q karash, neshto novo ima li :) Pratih ti
onva deto obeshtah, qko a :)) Aide i chakam..
or:
Hey :) Wasupp ~Pp I wanted to write you a letter, but i didn't
know what to talk about actually :) Have you ever done an IQ test?
I've just scored 120 points :) I'm not sure if this good or bad is,
but who cares :) Have you visited <web_site> :) Finally,
how are you:) I'll be very happy if you send me 1,2 funny cards :)) bye! :)
or:
Hi again :)) Where are you? Don't you chat any more? I haven't
seen you so long :)) Well, I've got a lot to tell you about. The
Summer vacation was too good to be true. Beach, disco's, friends..
Unfortunately, it's Winter now and the temperatures here are very
low. I was ill almost 2 weeks. Quite unpleasant :(( Have you
visited <web_site>, a little bit strange, but nice :))
Finally, how are you? Write to me :)) Byeee :pP
or:
Hi again :)) Where are you? Don't you chat any more? I haven't
seen you so long.. Well, I've got a lot to tell you about. The
Summer vacation was too good to be true. Beach, disco's, friends..
Unfortunately, it's Winter now and the temperatures here are very
low. I was ill almost 2 weeks. Quite unpleasant :(( Let's talk
about you :) Are you oK? Are you in love :)) I sent you a surprise :))
There are cool thoughts, especially about love. It's nice. I'm a
little bit bored of these stupid computers, but I'm waiting for
the reply :)) Bye!
or:
Hey, whatz up :)) Where are you? Don't you chat any more?
I haven't seen you so long. Read this :))
- What do blondes wear behind their ears to attract men? Their ankles!!
- Why did god invent the female orgasm? So blondes know when to stop screwing!!
- What is a blond with hair black colored? Artificial intelligence!
Blondes forever!! :) Time off, i must go now, but i'll be very
happy if you write to me soon :) Bye bye :))
or:
Hello :)) How are you? Do you remember me? I hope so :)) I've just
watched Tomcats, it's marvellous :pP. The summer vacation is over and
this is quite unpleasent :(( I have a lot to tell you about, later..
You can't guess what I've found.. A working Credit Card generator :)))
I purchased a bride from Russia yesterday :) LoL.. I gave a fake address
of course :))) Don't go too far and watch out :)) I'll be very happy
if you write to me soon :))) Bye..
The above messages can be followed by one of the following lines:
P.S. Hvarli edno oko na <web_site> :))
P.S. Bqgai na <web_site> mnoo zdravo flash4e ima :pP
P.S. Be happy, don't worry ~pPp. Check this - <web_site> Cool :))
P.S. Have you visited <web_site> :) Co0l :))
The website name is generated by the worm.
Attachments to the generated infected messages can be named:
Blondes.exe
[TNT]Gen.exe
Also the worm can generate attachment file names from the lists by
adding contents of list A to list B and adding EXE extension:
List A:
install_en_
ClubExtreme
WWF_The_ROCK
EminemDesktop
Inter013_
Story015_
Gipsy
sound_brake_
Elfbowl
Goggles
snowball_fight_
Chess
Angel3D_
BabyBlue
List B:
3.3
(zip)
(sHow)
3D
(Eng)
_v1.1
The worm can also use the following list:
List A:
BoxDave_
PcDudes
Pamela3D_
KamaSutra
LaFemmeNikita
Gipsy
Fishfood
install_en_
Story017_
Inter012_
Actu002_
Chess
Angel3D_
BabyBlue
RedEyez
Iguana
List B:
(sHow)
3D
(Eng)
2.3
The worm collects e-mail addresses from the user's hard drive and
stores them in one of its configuration files, together with a
flag that shows whether an infected e-mail has already been sent
to that address.
Infected messages contain an IFRAME exploit that causes the worm's
attachment to be run automatically when an infected message is
viewed with certain unpatched e-mail clients. This vulnerability
has been fixed and a patch for it is available from the Microsoft
site:
http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp
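The message descriptions above give a mail gateway several indicators to match on: the spoofed sender addresses, the fixed subjects, the subject words and suffixes of the generated messages, the fixed and generated attachment names, and the HTML IFRAME the exploit relies on. The script below is an added example of such a triage check, not F-Secure's code; it uses only Python's standard email library. It assumes that a generated subject is a subject word optionally followed by whitespace and one suffix (the description does not say whether a space separates them), and it treats any IFRAME in an HTML body as a heuristic hit, which legitimate HTML mail can also trigger. The sample message is constructed here, not a captured worm e-mail.

```python
import itertools
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the message descriptions above.
SPOOFED_SENDERS = {
    'support@yahoo.com', 'support@microsoft.com', 'support@winamp.com',
    'greetings@reply.yahoo.com', 'support@games.yahoo.com',
    'alert@computel.bg', 'bg@microsoft.com',
}
FIXED_SUBJECTS = {'Yahoo! Toolbar_', 'Virus Alert_', 'WinAmp Team_',
                  'Yahoo! Games_', 'Vajno_', 'Microsoft Bulgaria_'}
FIXED_ATTACHMENTS = {
    'Yahoo!Toolbar.exe', 'IE_0276_Setup.exe', 'Iguana1.0_skin.exe',
    'Yahoo!Tomcats.exe', 'Yahoo!Autumn.exe', 'Yahoo!Chess.exe',
    'IE50_032.exe', 'IE_0274_bg.exe', 'Blondes.exe', '[TNT]Gen.exe',
}
# (list A, list B) pairs: generated attachment name = A + B + ".exe"
ATTACHMENT_LISTS = [
    (['install_en_', 'ClubExtreme', 'WWF_The_ROCK', 'EminemDesktop', 'Inter013_',
      'Story015_', 'Gipsy', 'sound_brake_', 'Elfbowl', 'Goggles',
      'snowball_fight_', 'Chess', 'Angel3D_', 'BabyBlue'],
     ['3.3', '(zip)', '(sHow)', '3D', '(Eng)', '_v1.1']),
    (['BoxDave_', 'PcDudes', 'Pamela3D_', 'KamaSutra', 'LaFemmeNikita', 'Gipsy',
      'Fishfood', 'install_en_', 'Story017_', 'Inter012_', 'Actu002_', 'Chess',
      'Angel3D_', 'BabyBlue', 'RedEyez', 'Iguana'],
     ['(sHow)', '3D', '(Eng)', '2.3']),
]
GENERATED_SUBJECTS = {
    'Zdrasti', 'Zdr Otnovo', 'Ohoo', 'Ei dupe', 'Pisamce', 'TinKi WinKy', 'ZzZz',
    'Bla Bla', 'Hey', 'Privet', 'Boom', 'HeY', 'HoWie', 'Happy', 'Hi Again',
    'Wow', 'Hi', 'Hello', 'Hey Ya', 'Hi There',
}
SUBJECT_SUFFIXES = {'..', '!!', ':)', ';))', ':pP', '~pPp', ':>', '!', ';)'}


def known_attachment_names() -> frozenset:
    """All fixed and generated attachment names, lower-cased."""
    names = {n.lower() for n in FIXED_ATTACHMENTS}
    for list_a, list_b in ATTACHMENT_LISTS:
        names.update((a + b + '.exe').lower() for a, b in itertools.product(list_a, list_b))
    return frozenset(names)


def is_generated_subject(subject: str) -> bool:
    """A subject word alone, or followed by one of the suffixes (spacing assumed optional)."""
    for word in GENERATED_SUBJECTS:
        if subject == word:
            return True
        if subject.startswith(word) and subject[len(word):].strip() in SUBJECT_SUFFIXES:
            return True
    return False


def triage(raw: bytes) -> dict:
    """Return the worm indicators found in one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    indicators = []
    sender = re.search(r'[\w.+-]+@[\w.-]+', str(msg.get('From', '')))
    if sender and sender.group(0).lower() in SPOOFED_SENDERS:
        indicators.append('from: spoofed sender address used by the worm')
    subject = str(msg.get('Subject', ''))
    if subject in FIXED_SUBJECTS or is_generated_subject(subject):
        indicators.append(f'subject: matches a worm subject ({subject!r})')
    attachments = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    known = known_attachment_names()
    for name in attachments:
        if name.lower() in known:
            indicators.append(f'attachment: known worm file name ({name})')
        elif name.lower().endswith('.exe'):
            indicators.append(f'attachment: executable ({name})')
    html = msg.get_body(preferencelist=('html',))
    if html is not None and re.search(r'<iframe\b', html.get_content(), re.IGNORECASE):
        # Heuristic: the described exploit is delivered through an IFRAME in the HTML body.
        indicators.append('body: HTML part contains an IFRAME element')
    return {'indicators': indicators, 'attachments': attachments}


def build_message(sender, subject, text, html=None, attachment=None) -> bytes:
    """Build a constructed test message; the attachment payload is a dummy, not the worm."""
    msg = EmailMessage()
    msg['From'] = sender
    msg['To'] = 'user@example.invalid'
    msg['Subject'] = subject
    msg.set_content(text)
    if html:
        msg.add_alternative(html, subtype='html')
    if attachment:
        msg.add_attachment(b'MZ' + b'\0' * 64, maintype='application',
                           subtype='octet-stream', filename=attachment)
    return msg.as_bytes()


# Constructed sample modelled on the first fixed message; the IFRAME attributes of the
# real message are not reproduced here.
SAMPLE_RAW = build_message(
    'support@yahoo.com', 'Yahoo! Toolbar_',
    'Yahoo! Team is proud to present our new surprise for clients of Yahoo!',
    html='<html><body><p>Yahoo! Team is proud to present our new surprise.</p>'
         '<iframe src="placeholder"></iframe></body></html>',
    attachment='Yahoo!Toolbar.exe')

if __name__ == '__main__':
    print(triage(SAMPLE_RAW))
```

The indicators are deliberately kept separate rather than collapsed into one verdict, so a gateway rule can weight them: a spoofed sender plus a known attachment name is conclusive on its own, while the IFRAME heuristic alone is only a reason to look closer.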
Affecting security and anti-virus software
The worm does not allow programs whose file names contain the
following substrings to start:
virus
norton
ice
black
cillin
pc
afee
mc
labs
zone
guard
worm
firewall
esafe
lockdown
conseal
antivir
f-secure
f-prot
kaspers
avp
panda
When the worm locates an active program whose window title
contains a substring from the list below, it terminates that
program's task and deletes all files in the directory where that
program is located:
black
panda
shield
guard
scan
mcafee
nai_vs_stat
iomon
navap
avp
alarm
f-prot
secure
labs
antivir
Stealing passwords
The worm can retrieve cached Windows passwords and store them in
a special file. This file can then be picked up by a hacker.
Payload
Depending on the settings in configuration file the worm can
delete files with the following extensions:
swf jpg mp3 mpg asf mov mpeg avi com bat sys ini exe dos
or
swf jpg mp3 mpg asf mov mpeg avi
or
swf jpg mp3 mpg asf mov mpeg avi bmp zip html htm wav ace rar doc txt pdf dos
The worm can also delete all files from a hard drive when its
main configuration files are deleted from the Windows System
folder or its Registry keys are removed from the Registry more
than 2-3 times.
Detection and disinfection
F-Secure Anti-Virus detects the Roro.P worm with the latest
updates. Disinfection of the worm can't be performed by FSAV, as
Roro kills F-Secure Anti-Virus tasks and removes its files.
Manual disinfection of the worm is not recommended, as it can
trigger a payload and result in deletion of files from all
available hard drives. If you are infected with the Roro worm,
please contact the F-Secure Virus Research Team by sending an
e-mail and a sample (if possible) to our sample submission
address.
F-Secure provides a special tool to disinfect several Roron worm
variants. The tool can be downloaded from our ftp site:
ftp://ftp.europe.f-secure.com/anti-virus/tools/f-roron.zip
IMPORTANT: Please read the supplied Readme.txt file carefully
before using the disinfection tool. You can also read the
Readme.txt file by clicking on this link:
ftp://ftp.europe.f-secure.com/anti-virus/tools/f-roron.txt
[Analysis: Alexey Podrezov; F-Secure Corp.; January 24th, 2003]