Classification

Category: Malware

Type: -

Aliases: Roron.41, I-Worm.Roron.P, W32/Roro.P, Roro, Roron, Oror, I-Worm.Roron.41

Summary

Roron.P is a powerful email, P2P (peer-to-peer) and network worm with password stealing and backdoor capabilities. It appeared at the end of 2002 but never became very widespread. Several new versions of the worm have appeared since then.

The worm removes specific anti-virus and security software and prevents its installation. Removing the worm from an infected system is not trivial, as it has a payload that it can activate when an infected system is being disinfected. If activated, the payload deletes all files from all available hard drives. The files can, however, be recovered with special commercial software.

Removal

Detection and disinfection

F-Secure Anti-Virus detects the Roro.P worm with the latest updates. Disinfection of the worm can't be performed by FSAV, as Roro kills F-Secure Anti-Virus tasks and removes its files.

Manual disinfection of the worm is not recommended, as it can trigger the payload and result in deletion of files from all available hard drives. If you are infected with the Roro worm, please contact the F-Secure Virus Research Team by sending an email and a sample (if possible) to our sample submission address.

F-Secure provides a special tool to disinfect several Roron worm variants. The tool can be downloaded from our ftp site:

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-roron.zip

IMPORTANT: Please read the supplied Readme.txt file carefully before using the disinfection tool. You can also read the Readme.txt file if you click on this link:

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-roron.txt

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm's file is a Windows PE executable 68608 bytes long. It is packed with the UPX file compressor. The unpacked worm's size is about 145 kilobytes.

Installation to system

When the worm is run for the first time, it shows a fake error message:

Error Starting Program
The <file_name> file expects a newer version of Windows.
Upgrade your Windows version.

where the <file_name> represents the name of the file where the worm started from.

Then the worm installs itself to the system. It copies itself several times under semi-randomly generated names. A generated file name can contain one or more parts from a fixed list of name fragments.

The generated name can also contain 1-4 random characters. For example, on our test system the worm copied itself as "DXTRVA16.EXE". The worm copies its file with a generated name into the Windows System directory and creates a startup key for that file in the Registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadProfile" = "<worm_file_name> powprof.dll,LoadCurrentUserProfile"

where the <worm_file_name> is the name of worm's file.

The worm can also copy itself to various folders in the Program Files folder tree, borrowing the name of the folder and adding one or more parts from the above list. For example, on our test system the worm copied itself to the "C:\Program Files\Online Services\" folder under the name "Online Services32.exe". The worm creates an autostart key for the copied file in the Registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<folder_name>" = "<drive>:\<path>\<worm_file_name>"

where <drive> is the logical drive name, <path> is a directory name and the <worm_file_name> is the name of worm's file. The name of the Registry key is the same as the folder's name.

Additionally, the worm can copy itself to the system taking one of the existing file names and adding one or more parts from the above list to it. For example, on our test system the worm copied itself as "MSTCP32.EXE" to the Windows System folder. The worm modifies the run= variable in the WIN.INI file to load the copied file on every Windows startup:

[Windows]
run=<winsysdir>\<worm_file_name>

where the <winsysdir> is the name of Windows System directory and the <worm_file_name> is the name of worm's file.

The Roro worm also modifies the default EXE file startup key in order to be run when a user tries to start an EXE file:

[HKCR\exefile\shell\open\command]
@ = "<winsysdir>\<worm_file_name> "%1" %*"

where the <winsysdir> is the name of Windows System directory and the <worm_file_name> is the name of worm's file.

The worm creates several configuration files where it stores its settings, file names and email addresses. These configuration files also have generated names; for example, on our test system they were "DXTASK16.DLL", "SYSTRVA_.DEF" and "TRVA98.SYS".

The worm creates several threads. One thread restores the EXE file startup key if it is changed. Another thread re-creates the worm's files if they are changed. The main worm thread keeps stopping and removing anti-virus and security software, and is responsible for mass-mailing, spreading to network shares and payload activation.
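As an added example (not code from this page or from F-Secure), the following Python flags the three persistence points described above from exported values: Run entries shaped like the worm's LoadProfile and folder-named keys, a modified exefile open command, and a WIN.INI run= entry. The sample values are constructed from the file names reported above; "SomeTool" and its path are hypothetical.

```python
import re

# Constructed sample artifacts mirroring the Roron.P persistence points above.
# The worm file names are those reported on F-Secure's test system; "SomeTool"
# is a hypothetical benign Run entry included for contrast.
SAMPLE_RUN_VALUES = {
    "LoadProfile": "DXTRVA16.EXE powprof.dll,LoadCurrentUserProfile",
    "Online Services": r"C:\Program Files\Online Services\Online Services32.exe",
    "SomeTool": r"C:\Program Files\SomeTool\tool.exe",
}
SAMPLE_EXEFILE_COMMAND = r'C:\WINDOWS\SYSTEM\MSTCP32.EXE "%1" %*'
CLEAN_EXEFILE_COMMAND = '"%1" %*'
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\MSTCP32.EXE\n"

PATH_RE = re.compile(r'^"?(?P<dir>[A-Za-z]:\\.*)\\(?P<stem>[^\\"]+)\.exe"?$', re.I)

def check_run_values(values):
    """Flag Run entries shaped like the two Roron registry keys described above."""
    findings = []
    for name, data in values.items():
        # A "dll,entrypoint" argument is only legitimate after rundll32.exe;
        # Roron puts its own executable in front of powprof.dll instead.
        if data.lower().endswith("powprof.dll,loadcurrentuserprofile"):
            program = data.split()[0]
            if program.lower() != "rundll32.exe":
                findings.append(f"Run\\{name}: {program} prepended to powprof.dll entry")
            continue
        # Folder-named key pointing at "<folder><suffix>.exe" inside that same folder.
        m = PATH_RE.match(data)
        if not m:
            continue
        folder = m.group("dir").split("\\")[-1]
        stem = m.group("stem")
        if name == folder and stem.lower().startswith(folder.lower()) and stem != folder:
            findings.append(f"Run\\{name}: folder-named copy {stem}.exe in {folder}")
    return findings

def exefile_hijacked(command):
    """The default exefile open command is '"%1" %*'; anything else means some
    program is started before every EXE the user launches."""
    return command.strip() != CLEAN_EXEFILE_COMMAND

def win_ini_run(text):
    """Return the run= value of the [windows] section of WIN.INI ('' if unset)."""
    in_windows = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_windows = line[1:-1].lower() == "windows"
        elif in_windows:
            key, _, value = line.partition("=")
            if key.strip().lower() == "run":
                return value.strip()
    return ""
```

On a live system the same checks would be fed from a .reg export of the Run key and exefile command and from the contents of WIN.INI.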

Affecting IRC client

If the worm finds an IRC client, it can replace one of the client's configuration files (INI scripts) with its own script, which is more than 37 kilobytes long. The worm's IRC script is very powerful and allows a range of actions to be performed on the infected system.

This backdoor (remote access) script gives an attacker limited control over the infected system.

Spreading via Kazaa

When the worm finds a Kazaa file sharing client, it enables sharing (if it was disabled) and copies itself to the Kazaa shared folder. The worm generates file names by combining an entry from list A with an entry from list B and adding the EXE extension; it has two alternative pairs of such lists.

The files copied to the Kazaa shared folder have different lengths, as the worm writes itself multiple times there. This is done to trick other Kazaa users into downloading files whose size appears to match their advertised content: the worm's own size is only 68 kilobytes, so to pass as a movie or an installation package it has to increase its size significantly.

Infecting local network

The Roro.P worm tries to infect computers connected to the same LAN (local area network) as the infected computer. The worm looks for shared network resources and network drives and copies itself to them. In the same folder the worm creates an AUTORUN.INF file with the following content:

[Autorun]
OPEN=<worm_file_name>

where the <worm_file_name> is the name of the worm's file (see the name generation lists in the "Spreading via Kazaa" section). The files copied to the remote computer have different lengths, as the worm writes itself multiple times there.

The trick with the Autorun.inf file is that when a computer is restarted, Windows loads the Autorun.inf file from the root folder of a drive (if the AutoPlay function is enabled) and starts the program listed after its OPEN= variable. The Autorun.inf functionality was originally developed to start setup/intro programs from CD-ROMs automatically, but the approach also works for hard drives. Older Windows systems, however, are not affected.
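As an added illustration (not code from this page or from F-Secure), the following Python covers the two artifacts shared by the Kazaa and LAN sections above: the OPEN= target of a dropped AUTORUN.INF, and whether a file consists of several identical back-to-back copies of one executable image, which is how the page describes the size-inflated copies. The sample bytes and file name are constructed, and the check assumes the inflation is done by exact whole-image repetition.

```python
import re

def autorun_open_target(text):
    """Return the program named by the OPEN= line of an AUTORUN.INF ('' if none).
    A root AUTORUN.INF on a network share or hard drive is itself suspicious:
    the mechanism was meant for CD-ROMs."""
    m = re.search(r"^\s*open\s*=\s*(.+?)\s*$", text, re.I | re.M)
    return m.group(1) if m else ""

def repeat_count(data):
    """If data is exactly n >= 2 back-to-back copies of its leading block, return
    (n, block_size); otherwise (1, len(data)).  The smallest period of data is
    found in linear time by searching for data inside data+data."""
    size = len(data)
    if size == 0:
        return (1, 0)
    period = (data + data).find(data, 1)
    if period < size and size % period == 0:
        return (size // period, period)
    return (1, size)

def looks_like_padded_pe(data):
    """True for a file that starts with an MZ header and is several identical
    copies of one image, as the page describes the padded shared copies."""
    count, _ = repeat_count(data)
    return data.startswith(b"MZ") and count >= 2

# Constructed stand-in for the worm image (not real Roron bytes): an MZ header
# followed by arbitrary non-periodic content.
FAKE_IMAGE = b"MZ" + bytes(range(256)) * 8 + b"PE\0\0" + b"\x90" * 300
PADDED_COPY = FAKE_IMAGE * 12      # what a size-inflated shared copy would look like
SAMPLE_AUTORUN_INF = "[Autorun]\r\nOPEN=Online Services32.exe\r\n"
```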

Spreading in email

The Roro.P worm spreads itself in email messages. It can send messages of two types. The first type is a fixed message: each variant has a fixed From address, Subject, Body and Attachment name, and the worm carries a number of such variants. One of them imitates a Yahoo! Greetings notification; its body reads:

Surprise! You've just received a Yahoo! Greeting  from "" ()!  This is an interactive greeting card  and requires Flash Media Player.  Enjoy!  The Yahoo! Greetings Team.  -----------------  Yahoo! Greetings is a free service. If you'd like to send someone a  Yahoo! Greeting, you can do so at http://greetings.yahoo.com'

This variant is sent with one of two alternative attachment names.

The second type of message is a semi-randomly generated message. The worm randomly chooses subject, body and attachment name for the message.

The subject is chosen from a fixed list of subjects, and it can be followed by one of a fixed list of suffixes.

Message body is selected from a list of variants, including the following:

Zdravei :)) Da ne me zabravi ve4e :) Ko praish? Za teb neznam  ama v momenta se chustvam mnoo qko i reshih da ti pisha :) Kolko  ti e rekorda na minichkite? Toku shto na Expert razminirah za 2 minuti :))  Ei sq smqtam da si vzema nqkoi qk film i da gledam.  Hodil li si na  - Mnoo me kefi :)) Za drugo ne se  seshtam tai che chao za sega :)) I da pishesh :pP

or:

Hey :) Kak si? Otdavna ne sme se chuvali :)) Kak q karash, neshto  novo ima li? Nqma da povqrvash kakvo mi se sluchi neska :)  Vidqh Slavi Trifonov i nqkvi mnoo qki madami s nego :))) Ko shi kajesh a?  Misleh da mu iskam avtograf ama me dosramq :(( Karai, drug pat ~pP.  Skoro shti pratq onva deto obeshtah, za sq mojesh da hvarlish edno  oko na  :) Ako imash nqkvi predlojeniq  pishi mi :)) Aide doskoro i umnata ~pP

or:

Hey :) Wasupp ~Pp I wanted to write you a letter, but i didn't  know what to talk about actually :) Have you ever done an IQ test?  I've just scored 120 points :) I'm not sure if this good or bad is,  but who cares :) Have you visited  :) Finally,  how are you:) I'll be very happy if you send me 1,2 funny cards :)) bye! :)

or:

Hi again :)) Where are you? Don't you chat any more? I haven't  seen you so long :)) Well, I've got a lot to tell you about. The  Summer vacation was too good to be true. Beach, disco's, friends..  Unfortunately, it's Winter now and the temperatures here are very  low. I was ill almost 2 weeks. Quite unpleasant :(( Have you  visited , a little bit strange, but nice :))  Finally, how are you? Write to me :)) Byeee :pP

The above messages can be followed by one of the following lines:

P.S. Hvarli edno oko na  :))
P.S. Bqgai na  mnoo zdravo flash4e ima :pP
P.S. Be happy, don't worry ~pPp. Check this -  Cool :))
P.S. Have you visited  :) Co0l :))

The website name is generated by the worm.

Attachments to the generated infected messages can have one of a number of fixed names. The worm can also generate attachment file names as it does for Kazaa, by combining an entry from list A with an entry from list B (from either of two alternative list pairs) and adding the EXE extension.

The worm collects email addresses from the user's hard drive and stores them in one of its configuration files, together with a flag that shows whether an infected email has already been sent to that address.

Infected messages contain an IFRAME exploit that allows the worm's attachment to run automatically when the message is viewed with certain unpatched email clients. This vulnerability has been fixed, and a patch for it is available on the Microsoft site:

https://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp

Affecting security and anti-virus software

The worm prevents programs whose file names contain any of a list of substrings from starting.

When the worm locates a running program whose window title contains a substring from a second list, it terminates that program and deletes all files in the directory where the program is located.

Stealing passwords

The worm has the ability to retrieve cached Windows passwords and store them in a special file, which can then be collected by an attacker.

Payload

Depending on the settings in its configuration file, the worm can delete files matching one of three lists of file extensions.

The worm can also delete all files from a hard drive when its main configuration files are deleted from the Windows System folder or its Registry keys are removed more than 2-3 times.