Threat Description

Roron

Details

Category: Malware
Type: Worm
Platform: W32
Aliases: Roron, I-Worm.Roron.12, Roro, Oror

Summary


Roro is an e-mail, P2P (peer-to-peer), IRC and network worm. F-Secure has received reports of this worm mostly from Bulgaria. There are already six known variants of this worm.

Roron spreads via the Internet as an attachment to infected emails and via network shared drives and the KaZaa network. The worm also has an IRC-based backdoor.

The worm itself is a Windows PE EXE file about 120KB in length, written in Microsoft Visual C++.



Removal



To remove the worm from the system, scan all drives on the computer with an anti-virus program, remove all worm copies, and only then remove the worm's data file (winfile.dll) and the worm's registry keys (listed under Technical Details below).

Important NOTE: if the worm's registry keys or the "winfile.dll" file are removed while at least one worm copy is still present on the computer, this may trigger the worm's payload, which removes all files from the system.



Technical Details


Installing

While installing, the worm copies itself to the Windows directory under the name "rundll16.exe" and registers this file in the system registry: in the auto-run key and in the shell "open" commands for EXE and REG files, so that its copy is started whenever any .exe or .reg file is opened:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  LoadCurrentProfile = Rundll16.exe powprof.dll,LoadCurrentUserProfile

HKCR\exefile\shell\open\command
  %WinDir%\Rundll16.exe "%1" %*

HKCR\regfile\shell\open\command
  %WinDir%\Rundll16.exe regedit.exe "%1"

The worm also copies itself to the Windows system directory and to the "Program Files" directory. To choose the destination name, the worm takes a random file or directory name from the victim directory and appends one of the following randomly selected suffixes:

98.exe
16.exe
32.exe

For example, worm copies may have the following names:

Program Files\Online Services\Online Service16.exe
Windows\System\browseui16.exe

These files are also registered in the Registry HKLM\...\Run= keys and/or in the WIN.INI file, in the "run=" instruction of the [windows] section.
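A defender's triage of the registry persistence just described, written for this page as an added example (it is not F-Secure's or Kaspersky's code). It checks a snapshot of the three keys quoted above for Run values that launch rundll16.exe and for exefile/regfile handlers that no longer match the stock Windows commands. The snapshot layout (key path mapped to value name and data) and the sample values are this example's own assumptions; on a real host the snapshot would come from a registry export or a forensic registry parser.

```python
"""Triage of the registry persistence described for Roron.

Added example for this page, not F-Secure or Kaspersky code. It inspects a
snapshot of three keys for:
  * Run values that launch rundll16.exe
  * exefile / regfile shell\\open\\command handlers that no longer match the
    stock Windows commands ("%1" %* and regedit.exe "%1"); the worm puts its
    own copy in front so it restarts whenever an .exe or .reg file is opened

The snapshot layout (key path -> {value name: data}) is an assumption of
this example; build it from a registry export or a forensic parser.
"""
import re

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
EXEFILE_CMD = r"HKCR\exefile\shell\open\command"
REGFILE_CMD = r"HKCR\regfile\shell\open\command"

# Stock Windows handlers: exefile runs the file itself, regfile runs regedit
# directly. Anything else in front of "%1" is worth a look (some legitimate
# tools also hook these keys, so treat a hit as a lead, not a verdict).
DEFAULT_HANDLERS = {
    EXEFILE_CMD: re.compile(r'^"%1"\s+%\*$'),
    REGFILE_CMD: re.compile(r'^regedit\.exe\s+"%1"$', re.IGNORECASE),
}
WORM_IMAGE = re.compile(r"rundll16\.exe", re.IGNORECASE)


def check_registry(snapshot):
    """Return a list of human-readable findings for the registry snapshot."""
    findings = []
    for name, data in snapshot.get(RUN_KEY, {}).items():
        if WORM_IMAGE.search(data):
            findings.append(f"Run value {name!r} launches rundll16.exe: {data}")
    for key, default in DEFAULT_HANDLERS.items():
        cmd = snapshot.get(key, {}).get("", "")   # "" is the (Default) value
        if cmd and not default.match(cmd.strip()):
            findings.append(f"{key} handler changed: {cmd}")
    return findings


# Constructed sample modelled on the values quoted on this page.
SAMPLE_SNAPSHOT = {
    RUN_KEY: {
        "LoadCurrentProfile": "Rundll16.exe powprof.dll,LoadCurrentUserProfile",
        "SystemTray": "SysTray.Exe",
    },
    EXEFILE_CMD: {"": r'C:\WINDOWS\Rundll16.exe "%1" %*'},
    REGFILE_CMD: {"": r'C:\WINDOWS\Rundll16.exe regedit.exe "%1"'},
}

if __name__ == "__main__":
    for finding in check_registry(SAMPLE_SNAPSHOT):
        print(finding)
```

Restoring the exefile and regfile handlers to their stock values is part of cleanup, but, as the Removal section warns, only after every worm copy is gone: while a copy is still running, removing its hooks is one of the conditions that triggers the destructive payload.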

The worm may then display the following fake message:

WinZip Self-Extractor License Confirmation

Your version of WinZip Self-Extractor is not licensed, or the license information is missing or corrupted. Please contact the program vendor or the web site (www.WinZip.com) for additional information.

The worm also creates a data file named winfile.dll in the Windows directory and uses it for its internal needs (it stores its variables there).

The worm copies may be found under the following names as well (this list is referred to later as the 'names list'):

Zip Password Recovery v4.5.exe
Star Craft 2 Trailer.exe
WWF!!_The_ROCK(sHOw).exe
cRedit CarDs gEn v1.2.exe
WinZip 8.2 (Cracked).exe
GTA 3 Bonus Cars.exe
Eminem Desktop.exe
DMX tHeMe (full).exe
NFS 5 Bonus Cars.exe
Counter Strike 1.5 (Editor).exe
Madonna - My Life (Review).exe
DivX 5.4 Bundle.exe
KaZaA Media Desktop v1.8.3.exe
Win XP key gen 2.1B.exe
Serials 2002 Update.exe

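A file-system sweep that uses both naming schemes described above, added here as an example and not taken from F-Secure or Kaspersky: an exact match against the names list, and the derived form where an existing file or directory name in the same folder gets 98, 16 or 32 inserted before .exe (browseui.dll to browseui16.exe, "Online Services" to "Online Service16.exe"). The path listing is constructed; on a live host it would be produced by os.walk. The sibling-name heuristic is this example's own generalisation of the two names the page gives.

```python
"""Spot Roron-style file copies in a listing of paths.

Added example for this page (not F-Secure or Kaspersky code). Two signals
taken from the description above:
  1. an exact match against the worm's fixed 'names list';
  2. a derived name: a file or directory name from the same folder with
     98, 16 or 32 inserted before .exe (browseui.dll -> browseui16.exe,
     'Online Services' -> 'Online Service16.exe').
The path list below is constructed; on a live host feed it from os.walk.
"""
import ntpath
import re

NAMES_LIST = {
    "zip password recovery v4.5.exe", "star craft 2 trailer.exe",
    "wwf!!_the_rock(show).exe", "credit cards gen v1.2.exe",
    "winzip 8.2 (cracked).exe", "gta 3 bonus cars.exe", "eminem desktop.exe",
    "dmx theme (full).exe", "nfs 5 bonus cars.exe",
    "counter strike 1.5 (editor).exe", "madonna - my life (review).exe",
    "divx 5.4 bundle.exe", "kazaa media desktop v1.8.3.exe",
    "win xp key gen 2.1b.exe", "serials 2002 update.exe",
}
DERIVED_RE = re.compile(r"^(?P<stem>.+?)(?P<tag>98|16|32)\.exe$", re.IGNORECASE)


def scan(paths):
    """Return (path, reason) pairs for entries that look like worm copies."""
    by_dir = {}
    for p in paths:
        folder, name = ntpath.split(p)
        by_dir.setdefault(folder.lower(), set()).add(name)

    hits = []
    for p in paths:
        folder, name = ntpath.split(p)
        if name.lower() in NAMES_LIST:
            hits.append((p, "names-list match"))
            continue
        m = DERIVED_RE.match(name)
        if not m:
            continue
        stem = m.group("stem").lower()
        # Names the worm could have borrowed: other entries in the same folder
        # (extension stripped) and the folder's own name.
        siblings = {ntpath.splitext(s)[0].lower()
                    for s in by_dir[folder.lower()] if s != name}
        parent = ntpath.basename(folder).lower()
        if stem in siblings or parent.startswith(stem):
            hits.append((p, f"derived from {stem!r} + {m.group('tag')}.exe"))
    return hits


# Constructed listing mirroring the examples on this page.
SAMPLE_PATHS = [
    r"C:\Program Files\Online Services\Online Service16.exe",
    r"C:\Program Files\Online Services\msn.exe",
    r"C:\WINDOWS\SYSTEM\browseui.dll",
    r"C:\WINDOWS\SYSTEM\browseui16.exe",
    r"C:\WINDOWS\SYSTEM\win32.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\WinZip 8.2 (Cracked).exe",
    r"C:\WINDOWS\notepad.exe",
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_PATHS):
        print(f"{path}: {reason}")
```

The derived-name rule is a heuristic: a legitimate win32.exe in the sample is not flagged because no sibling or parent is called "win", while browseui16.exe is, because browseui.dll sits next to it. Hits are leads to confirm with a scanner, not verdicts.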
Emails

The infected messages have different Subjects, Bodies and Attached file names (see below).

The worm activates from an infected email only when the user runs the attached file. The worm then installs itself on the system and runs its spreading routine and payload.

To send infected messages the worm uses Windows MAPI functions, sending to all addresses found in the messages stored in the user's mailboxes.

Attached file names are selected from the following variants:

Star Craft 2 Trailer.exe
WWF_The_ROCK(sHOw).exe
Sound Factory SFX.exe
Eminem Desktop.exe
DMX tHeMe (full).exe
Love Zodiak.exe
[TNT]GeN.exe
Worm Guard.exe
mTV Charts.exe
Setup.exe
mTV Charts.exe

Subjects and message bodies are randomly selected from the variants shown below, where %s is one of the EXE file names listed above. The texts are written in (transliterated) Bulgarian and in English.

Subject: Zdrasti..
Body: Hey, kak varvi, neshto novo ima li :) Adski mi sa spi, daje ei sq smqtam da si legna ama purvo shte si vzema edin dush :)) Skoro shti pratq onva deto obeshtah, za sq mojesh da hvarlish edno oko na %s - ako imash nqkvi predlojeniq, komentari ili kakvoto i da e pishi mi :)) Aide doskoro i umnata ~pPp

Subject: Ohoo!!
Body: Zdravei, zdrasti, dai pari za pasti :)) Ko praish? Za teb neznam ama v momenta se chustvam mnoo qko i reshih da ti pisha :) Kolko ti e rekorda na minichkite? Toku shto na Expert razminirah za 2 minuti :))) Ei sq smqtam da si vzema nqkoi qk film i da gledam. Hodil li si na %s - Mnoo me kefi :)) Za drugo ne se seshtam tai che chao za sega :))

Subject: Ei dupe :)
Body: Zdrasti :)) Nqma da povqrvash kakvo mi se sluchi neska :) Vidqh Slavi Trifonov i nqkvi mnoo qki madami s nego :))) Ko shi kaish a? Misleh da mu iskam avtograf ama me dosramq :(( Karai, drug pat ~pP. Begai na %s :) Malko e stranen, no ne e losh. Hmm, ti ko praish? Pishi mi :) Chao

Subject: Liubofta e kato Rai, no moje da boli kato Ad
Body: Zdr, izpratih na vsichki edna programka, mnoo qka, btw to imeto si pokazva. Subject-a e ot tam i ima i drugi mnogo qki misli. Moje da pokaje nai-podhodqshtiq partnior v liubofta :)) Ujasno e kak liubofta moje da ubie vsichko v teb.. Za shtastie ne vinagi e taka :) Inache nishto novo, karam q nqkak.. Sega trqbva da izlizq za malko tai che bye :))

Subject: ZzZz :)
Body: Zdrasti, kak q karash :) az sam dobre, makar che naposledak imam malko problemi. Tvarde mnogo mi se strupa navednaj, udarih si rakata ei sq i mnogo me boli.. Kakvo da se pravi, takav e jivota.. Vchera namerih nqkav generator na kreditni karti i mai bachka, samo edin put go probvah ama stana, vij dali pri teb sha raboti i umnata :) Ai doskoro :)) Chao ti

Subject: Vajno!!
Body: Ima nov opasen virus v neta! Razprostranqva se predimno po IRC i ICQ. Vnimavai da ne se zarazish, zashtoto iztriva Mp3-ki, Filmi i Dokumenti. Izpratih ti patch, koito shte te paziot zarazqvane. Iskah da napisha po-dulgo pismo, no nqmah vreme, sorka.. Naposledak imam adski mnogo rabota nalqvo nadqsno :)) Inache kak varvi? Chao i watch out :)))

Subject: Bla Bla :)
Body: Hi, kak e :) ko si praikash? az si slusham muzichka - ATC i Mortal Kombat Soundtrack - Varhovni sa, napravo izbuhnah :))) Drapnah si gi ot neta s taq programka - ima 200 kubriliona klasacii :) Naposledak muzikata e edno ot malkoto mi udovolstviq P.S. Obezatelno si drapni ATC - Why oh why.mp3 :)) Chao, doskoro!!

Subject: HeY..
Body: HeY.. Buddz what'z up :) How are you? I'm fine, 10x!! My friend Nina is here and we are.. You know :) Lalala !! Be happy, don't worry ~pPp. Btw check this site - %s, it's fresh :)) I'm a little drunk and i've gotta go now !! Wish me luck :)) Cya

Subject: ZzZz :)
Body: Hi buddy, what's up :)) I've only wanted to remind you not to forget about our little, dirty secret :) And don't tell anybody :Ppp. Have you seen this site - %s c00l :) Leave this away, how are you? Send me sth cool, plzz:) bye! :)

Subject: BlaBla
Body: Hey :) Wasupp ~Pp I wanted to write you a letter, but i didn't know what to talk about actually :) Have you ever done an IQ test, i've just scored 120 points :) I'm not sure if this is good or bad, who cares :) Have you visited %s :) Finally, how are you:) i'll be very happy if you send me 1,2 funny cards :)))) bye! :)

Subject: Be careful
Body: There is a new, dangerous virus in the net. It's called Roro and it's using IRC to infect computers. The virus deletes movies, music and system files. To prevent from infecting, install McAfee Anti-Script 2002. It's a 30-days demo.. So, how are you? Good, Bad? I'm oK. I wanted to write you a longer letter, but i didn't have enough time.. sorry. Bye

Subject: yoOo ;)
Body: YoOo :)) What a nice day, what a nice time :) What a nice world :)) Do you have Blade 2? I've just watched it twice, it's marvellous! lol ~pPp Do you have any ATC's mp3z? CooL :))) I've found them with this program, it's like Napster, but it's legal :)) P.S. Download ATC - Why oh why.mp3 !!! Bye ~~~~ppPpP ;)

Subject: Wow..
Body: Hello :>> How are you? What're you doing :) Do you have Blade 2? I've just watched it twice, it's marvellous! You can't guess what I've found.. A working Credit Card generator :))) I purchased a bride from Russia yesterday :) LoL.. I gave a fake address of course :))) Promise me not to send it to anybody! Don't go too far and watch out :)) Bye..

Subject: Hi!!
Body: Hey you!! Wasssssssuppppppp :)))) Where are you? What are you doing? I've just got high in the sky, my oh my :)) It's like I don't care about nothing man :)) sMiLe :oP~pPPPpp I send you a sexy, little thing :)) Everything is just an illusion. Believe me.. It's time to say goodbye now.. See you

Infecting Network

The worm looks for remote drives and copies itself there under one of the randomly selected names from the "names list" (see above). The worm can only affect a drive that is shared with full (write) access.

The worm looks for remote drives by two methods:

- it enumerates all available logical drives (from C: to Z:), gets their type and infects those that are shared network drives;
- it enumerates network resources using Windows API functions and infects the drives it finds.

To start its copy on the remote machine at the next Windows restart, the worm writes an "OPEN=" command into the "autorun.inf" file on the remote drive.
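The two INI-style files the worm writes to, WIN.INI (the "run=" line mentioned under Installing) and autorun.inf on a share, can be checked with the same small section parser. The following is an added example for this page, not F-Secure's or Kaspersky's code; the file contents are constructed, and the list of extensions treated as executable is this example's own choice.

```python
"""Checks for the two INI-style files the worm writes to: WIN.INI and autorun.inf.

Added example for this page (not F-Secure or Kaspersky code). A small
section parser serves both checks:
  * run= entries in the [windows] section of WIN.INI (the Windows 9x-era
    auto-start the page mentions alongside the Run registry key)
  * an OPEN= line in the [autorun] section of an autorun.inf found on a
    share, which would start the referenced program when the drive is used
All sample file contents are constructed.
"""
import ntpath

# Extensions treated as executable for the OPEN= check (example's own choice).
EXEC_EXT = {".exe", ".com", ".bat", ".pif", ".scr"}


def ini_section(text, wanted):
    """Return {lowercased key: value} for one [section] of INI-style text."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == wanted.lower() and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def win_ini_run(text):
    """Return the run= value from [windows], or None if absent or empty."""
    return ini_section(text, "windows").get("run") or None


def autorun_open_target(text):
    """Return the program an autorun.inf OPEN= line would launch, or None."""
    value = ini_section(text, "autorun").get("open", "")
    if not value:
        return None
    candidates = []
    if value.startswith('"') and value.count('"') >= 2:
        candidates.append(value[1:value.index('"', 1)])  # quoted program path
    candidates += [value, value.split()[0]]              # whole line, first token
    for program in candidates:
        if ntpath.splitext(program)[1].lower() in EXEC_EXT:
            return program
    return None


# Constructed samples.
SAMPLE_WIN_INI = (
    "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\browseui16.exe\n"
    "[Desktop]\nWallpaper=(None)\n"
)
WORM_AUTORUN = "[autorun]\nOPEN=Star Craft 2 Trailer.exe\nICON=Star Craft 2 Trailer.exe\n"
ICON_ONLY_AUTORUN = "; label only\n[autorun]\nicon=share.ico\nlabel=Projects\n"

if __name__ == "__main__":
    print("WIN.INI run=", win_ini_run(SAMPLE_WIN_INI))
    for sample in (WORM_AUTORUN, ICON_ONLY_AUTORUN):
        print("autorun.inf OPEN= target:", autorun_open_target(sample))
```

An autorun.inf on a writable file share has no legitimate reason to exist in most environments, so on shares the presence of the file is itself a lead; the OPEN= target tells you which copy to look for, and the "names list" above tells you whether it is one of the worm's fixed names.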

Infecting KaZaa

The worm copies itself to the KaZaa file sharing folder under a randomly selected name from the "names list" above.

IRC-backdoor

The worm looks for mIRC client files and drops a new INI file into the mIRC directory; the file name is randomly selected from the following variants:

alias.ini
server.ini
notes.ini
popup.ini

The worm's INI file is a backdoor script. By connecting to IRC channels it gives a remote attacker control over the infected machine: sending, receiving and executing files, sending spam messages, restarting the machine, sending out information about the PC, etc.

Payload

The worm removes all files on all available local drives if any of the following conditions is met:

- the current date is the 9th or the 19th;
- the worm's "winfile.dll" has been removed from the Windows directory;
- the worm's Registry Run= keys have been removed;
- a condition based on its random counter is met.

Other

The worm tries to terminate anti-virus programs by looking for the following ID strings in process names:

black, panda, shield, guard, scan, mcafee, nai_vs_stat, iomon, navap, avp, alarm, f-prot, secure, labs, antivir, zone, virus, worm, antivir, f-secure, f-prot, kaspers

Using the same strings, the worm also looks for anti-virus files on disk (installed anti-virus software) and deletes them.

The worm also creates system mutex "RoRo" to avoid multiple copies in Windows memory.



Detection


F-Secure Anti-Virus detects all these variants with the update published on November 6th, 2002:

Detection Type: PC
Database: 2002-11-06_03



Technical Details: Kaspersky Lab and F-Secure Corp.; November 6th, 2002

