Threat Description

Roron.41

Details

Aliases: Roron.41, I-Worm.Roron.P, W32/Roro.P, Roro, Roron, Oror, I-Worm.Roron.41
Category: Malware
Type:
Platform: W32

Summary


Roron.P is a powerful e-mail, P2P (peer-to-peer) and network worm with password-stealing and backdoor capabilities. It appeared at the end of 2002 but never became very widespread. Several new versions of the worm have appeared since then.

The worm removes specific anti-virus and security software and prevents its installation. Removing the worm from an infected system is not trivial, as it carries a payload that it can activate while the system is being disinfected. If activated, the payload deletes all files from all available hard drives. The files can, however, be recovered with specialised commercial data-recovery software.



Removal


Detection and disinfection

F-Secure Anti-Virus detects the Roro.P worm with the latest updates. Disinfection of the worm cannot be performed by FSAV, as Roro kills F-Secure Anti-Virus tasks and removes its files.

Manual disinfection of the worm is not recommended, as it can trigger the payload and result in the deletion of files from all available hard drives. If you are infected with the Roro worm, please contact the F-Secure Virus Research Team by sending an e-mail and a sample (if possible) to our sample submission address.

F-Secure provides a special tool to disinfect several Roron worm variants. The tool can be downloaded from our ftp site:

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-roron.zip

IMPORTANT: Please read the supplied Readme.txt file carefully before using the disinfection tool. You can also read the Readme.txt file by following this link:

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-roron.txt



Technical Details


The worm's file is a Windows PE executable 68608 bytes long. It is packed with the UPX file compressor. The unpacked worm is about 145 kilobytes in size.

Installation to system

When the worm is run for the first time, it shows a fake error message:

Error Starting Program
The <file_name> file expects a newer version of Windows.
Upgrade your Windows version.

where <file_name> is the name of the file the worm was started from.

Then the worm installs itself to the system. It copies itself several times under semi-randomly generated names. A generated file name can contain one of the following parts:

_
run
dx
cmd
16
32
98
lib
vxd
sys
dll
cfg
def

The generated name can also contain 1-4 random characters. For example, on our test system the worm copied itself as the file "DXTRVA16.EXE". The worm copies its file with a generated name into the Windows System directory and creates a startup key for that file in the Registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadProfile" = "<worm_file_name> powprof.dll,LoadCurrentUserProfile"

where <worm_file_name> is the name of the worm's file.

The worm can also copy itself into folders in the Program Files tree, borrowing the name of the target folder and appending one or more parts from the list above. For example, on our test system the worm copied itself to the "C:\Program Files\Online Services\" folder under the name "Online Services32.exe". The worm creates an autostart key for the copied file in the Registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<folder_name>" = "<drive>:\<path>\<worm_file_name>"

where <drive> is the logical drive name, <path> is a directory name and <worm_file_name> is the name of the worm's file. The name of the Registry value (<folder_name>) is the same as the folder's name.

Additionally, the worm can copy itself to the system under a name derived from an existing file name by adding one or more parts from the list above. For example, on our test system the worm copied itself as the file "MSTCP32.EXE" to the Windows System folder. The worm modifies the run= variable in WIN.INI so that the copied file is loaded on every Windows startup:

[Windows]
run=<winsysdir>\<worm_file_name>

where <winsysdir> is the name of the Windows System directory and <worm_file_name> is the name of the worm's file.

The Roro worm also modifies the default EXE file handler key in the Registry so that it is run whenever a user starts an EXE file:

[HKCR\exefile\shell\open\command]
@ = "<winsysdir>\<worm_file_name> "%1" %*"

where <winsysdir> is the name of the Windows System directory and <worm_file_name> is the name of the worm's file.

The worm creates several configuration files in which it stores its settings, file names and e-mail addresses. These configuration files also have generated names; for example, on our test system they were named "DXTASK16.DLL", "SYSTRVA_.DEF" and "TRVA98.SYS".

The worm creates several threads. One thread restores the EXE file handler key if it is changed. Another thread re-creates the worm's files if they are changed. The main worm thread continuously terminates and removes anti-virus and security software and is responsible for mass-mailing, spreading to network shares and activating the payload.

Affecting IRC client

If the worm finds an IRC client, it can replace one of its configuration files (INI scripts) with its own script, which is more than 37 kilobytes long. The worm's IRC script is very powerful and allows the following actions to be performed:

remote access (upload/download files, browse content of remote user's drives)
perform DoS attack (Denial of Service)
get user's passwords (password stealing)
cloning (create multiple clones on the IRC server)
extract e-mail addresses from remote user's Outbox
extract e-mail addresses from remote user's HTML files
open URLs on remote user's computer
advertise different websites from the hardcoded list
various actions (get info about trojan, shut down or restart Windows, execute files, set mode, run sniffer, delete files)

This backdoor script gives a remote attacker limited control over the infected system.

Spreading via Kazaa

When the worm finds a Kazaa file-sharing client, it enables sharing (if it was disabled) and copies itself to the Kazaa shared folder. The worm generates file names by appending an item from list B to an item from list A and adding the EXE extension:

List A:

KaZaA Media Desktop v2.0.8_
Serials 2K 7.2 (by SNTeam)_
Serials2002_8.0(17.08.02)_
Dreamweaver_5.0_Patch_
ACDSee
WinAmp_3.2_Cool_
Download Accelerator 5.5_
Nero Burning Rom 5.6.0.3_
cRedit_CarDs_gEn
MeGa HACK
Zip Password Recovery
GTA 3 Bonus Cars(part1)_
EminemDesktop
DMX tHeMe
NFS 5 Bonus Cars_
Counter Strike 1.5 (Editor)_
Madonna Desktop
WinZip 8.2_
DivX 5.4 Bundle_

List B:

7.1 FULL
v5.5
(zip)
3.0
(Eng)
(Cracked)

The worm can also use the following list:

List A:

PcDudes
BritneyUltimate
Pamela 3D_
Britney Suxx
KamaSutra
LaFemmeNikita
Teen Sex Cam
Lolita
Pam Anderson Theme
Sexy Teens Desktop
SexSpy
Anal Explorer
VirtualRape
Hot Blondies
Strip Kournikova

List B:

(sHow)
3D
3.0
(Eng)
v4.5
(Rated)

The files copied to the Kazaa shared folder have different lengths, as the worm writes its own body into them several times over. This is done so that the file sizes look plausible for the content their names promise: the worm itself is only 68 kilobytes, and to pass for a movie or an installation package it has to increase its size significantly.

Infecting local network

The Roro.P worm tries to infect computers connected to the same LAN (local area network) as the infected computer. The worm looks for shared network resources and network drives and copies itself to these drives. In the same folder the worm creates an AUTORUN.INF file with the following content:

[Autorun]
OPEN=<worm_file_name>

where <worm_file_name> is the name of the worm's file (see the name generation lists in the "Spreading via Kazaa" section). The files copied to remote computers also have varying lengths, as the worm writes itself into them multiple times.

The trick with the Autorun.inf file is that when a computer is restarted, Windows reads the Autorun.inf file from the root folder of a drive (if the AutoPlay function is enabled) and starts the program listed after the OPEN= variable. The Autorun.inf functionality was originally developed to start setup/intro programs from CD-ROMs automatically, but the approach also works for hard drives. Older Windows systems are not affected, however.
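The persistence locations listed in the "Installation to system" section and the AUTORUN.INF trick above can be checked for in exported artifacts (a .reg export, WIN.INI, AUTORUN.INF) without touching the live Registry, which matters here because removing the worm's keys can trigger its payload. The following checker is an added example, not F-Secure's F-Roron tool. The file names DXTRVA16.EXE, Online Services32.exe and MSTCP32.EXE are the ones quoted above; the directory paths and the AUTORUN.INF target name in the sample inputs are constructed, and the "Program Files folder name plus one name part" rule handles a single appended part.

```python
"""Report Roron-style persistence entries found in exported Registry and INI text.

Added example (not F-Secure's tool). It only reports and never modifies anything,
because the description notes that removing the worm's keys can trigger its payload.
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run".lower()
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command".lower()
CLEAN_EXEFILE = '"%1" %*'                       # stock value of the EXE handler
LOADPROFILE_ARGS = "powprof.dll,loadcurrentuserprofile"
# Name fragments the worm appends to generated file names (from the description).
NAME_PARTS = {"_", "run", "dx", "cmd", "16", "32", "98", "lib", "vxd",
              "sys", "dll", "cfg", "def"}


def reg_unescape(s):
    # In .reg string data a backslash escapes the next character.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key_path_lower: {value_name: data}} from a .reg text export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip()
        name = "@" if name == "@" else reg_unescape(name.strip('"'))
        data = data.strip()
        if data.startswith('"') and data.endswith('"'):
            data = reg_unescape(data[1:-1])
        keys[current][name] = data
    return keys


def parse_ini(text):
    """Minimal INI parser for WIN.INI / AUTORUN.INF: {section_lower: {key_lower: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def basename(path):
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def folder_named_copy(path):
    """True if the file is named <parent folder> + <one name part>, e.g.
    ...\\Online Services\\Online Services32.exe (the Program Files trick)."""
    parts = path.replace("\\", "/").split("/")
    if len(parts) < 2:
        return False
    parent, stem = parts[-2].lower(), basename(path).lower()
    stem = stem[:-4] if stem.endswith(".exe") else stem
    return stem.startswith(parent) and stem[len(parent):] in NAME_PARTS


def check_persistence(reg_text, win_ini_text, autorun_text=None):
    """Return a list of (what, detail) findings; an empty list means nothing suspicious."""
    findings = []
    reg = parse_reg_export(reg_text)

    handler = reg.get(EXEFILE_KEY, {}).get("@", "")
    if handler and handler.strip() != CLEAN_EXEFILE:
        findings.append(("exefile handler hijacked", handler))

    for name, data in reg.get(RUN_KEY, {}).items():
        host = data.split(None, 1)[0] if data.split() else ""
        if LOADPROFILE_ARGS in data.lower() and basename(host).lower() not in ("rundll32", "rundll32.exe"):
            findings.append(("powprof.dll loaded through a foreign host", f"{name} = {data}"))
        elif folder_named_copy(data):
            findings.append(("Run entry named after its Program Files folder", f"{name} = {data}"))

    run = parse_ini(win_ini_text).get("windows", {}).get("run", "")
    if run:
        findings.append(("WIN.INI run= entry", run))

    if autorun_text is not None:
        target = parse_ini(autorun_text).get("autorun", {}).get("open", "")
        if target.lower().endswith(".exe"):
            findings.append(("AUTORUN.INF OPEN= launches an executable", target))
    return findings


# Constructed artifacts modelled on the description; file names are the quoted ones, paths are assumed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadProfile"="DXTRVA16.EXE powprof.dll,LoadCurrentUserProfile"
"Online Services"="C:\\Program Files\\Online Services\\Online Services32.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\DXTRVA16.EXE \"%1\" %*"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\MSTCP32.EXE\n"
SAMPLE_AUTORUN = "[Autorun]\nOPEN=WinZip 8.2_v5.5.exe\n"   # a name built from the Kazaa lists

if __name__ == "__main__":
    for what, detail in check_persistence(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_AUTORUN):
        print(f"{what}: {detail}")
```

Run against a real export (`regedit /e` output, WIN.INI and the root of each drive), the checker lists every entry to review; it deliberately leaves removal to the dedicated tool because of the payload trigger described in the Removal section.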

Spreading in e-mail

The Roro.P worm spreads itself in e-mail messages. It can send messages of different types. The first type is a fixed message. Fixed infected messages look like this:

From:

support@yahoo.com  

Subject:

Yahoo! Toolbar_  

Body:

Yahoo! Team is proud to present our new surprise
for clients of Yahoo! and Yahoo! Mail.
Yahoo! Toolbar is an innovative technology, which
helps you to access Yahoo! Services easier than ever.
It is free and is a gift for the 5th anniversary of Yahoo!.
We hope that you would like it.
The whole Yahoo! Team want to express our gratitude to you,
the people who help us to improve Yahoo! so much, that it
became the most popular worldwide portal
Thank You!
We do our best to serve you.
-------------
Yahoo! Team.
www.Yahoo.com

Attachment:

Yahoo!Toolbar.exe  

More message variants:

From:

support@microsoft.com  

Subject:

Virus Alert_  

Body:

McAfee Antivirus warns about a new virus, called W32.Roro@mm.
It is a high risk worm and it's using IRC and internet pages'
to infect computers. The virus deletes movies, music and
system files.
Due to the significant increase of infected users,
Microsoft Corporation, with the collaboration of
McAfee Antivirus, supports clients of Microsoft Windows
with a patch, which fixes a bug in Internet Explorer 5.5
or minor versions. This bug allows internet pages
to grant access to local resources of visitors.
-----------------
McAfee Antivirus
www.McAfee.com

Attachment:

IE_0276_Setup.exe  

Another message variant:

From:

support@winamp.com  

Subject:

WinAmp Team_  

Body:

Hello, WinAmp User. WinAmp Team is proud to present our new
surprise for users of WinAmp. WinAmp 3.0 Final has been just
released and we believe that it will be the player you've ever
dreamed about.
We plan to start a new tradition, sending the best skin or
add-on to our users every week. This new service is free and
we hope that you would like it.
Everyone can offer us suggestions.
We do our best to serve you.
----------------
WinAmp Team.
www.WinAmp.com

Attachment:

Iguana1.0_skin.exe  

More message variants:

From:

greetings@reply.yahoo.com  

Subject:

 sent you a Yahoo! Greeting__  

Body:

Surprise! You've just received a Yahoo! Greeting
from "" ()!
This is an interactive greeting card
and requires Flash Media Player.
Enjoy!
The Yahoo! Greetings Team.
-----------------
Yahoo! Greetings is a free service. If you'd like to send someone a
Yahoo! Greeting, you can do so at http://greetings.yahoo.com'

Attachment:

Yahoo!Tomcats.exe  

or:

Yahoo!Autumn.exe  

More message variants:

From:

support@games.yahoo.com  

Subject:

Yahoo! Games_  

Body:

Yahoo! Team is proud to present our new surprise
for clients of Yahoo! and Yahoo! Mail.
We plan to send you the best Yahoo! Games weekly.
This new service is free and it's a gift for the 5th
anniversary of Yahoo!. We hope that you would like it.
The whole Yahoo! Team want to express our gratitude to
you, the people who help us to improve Yahoo! so much,
that it became the most popular worldwide portal.
Thank You!
We do our best to serve you.
-------------
Yahoo! Team.
www.Yahoo.com

Attachment:

Yahoo!Chess.exe  

Another message variant:

From:

alert@computel.bg  

Subject:

Vajno_  

Body:

Panda Antivirus preduprejdava za nalichieto na nov virus
v internet, narechen W32.Roro@mm. Razprostranqva se predimno
po IRC i chrez zarazeni internet stranici. Sled zarazqvaneto
toi iztriva mp3-ki, filmi i dokumenti.
Poradi golemiq broi zarazeni bulgari prez poslednite
nqkolko dena, Panda Antivirus zapochna razprostranenieto na
patch, koito opravq bug v Internet Explorer 5.5 i minali
versii, pozvolqvasht na stranici sas zlovredno sudurjanie
da izpulnqvat komandi vurhu posetitelite.
Druga nasha preporuka e ako ste veche zarazeni da ne
opitvate da mahate virusa ruchno, a samo s antivirusna
programa, poneje pri neuspeshen opit za premahvane
W32.Roro iztriva razlichni vidove failove na operacionnata
sistema.
------------------
Panda Antivirus, Bulgaria.
www.Computel.bg

Attachment:

IE50_032.exe  

And one more variant:

From:

bg@microsoft.com  

Subject:

Microsoft Bulgaria_  

Body:

Blagodarenie na dulgogodishnite tradicii na Microsoft v Bulgaria
i dobrata i suvestna rabota na vsichki neini podchineni, mojem
nai-nakraq da pozdravim bulgarskiq potrebitel s prevod na
Internet Explorer na bulgarski.
Tova e edno uspeshno produljenie na iniciativata za prevejdane na
Ms Office 2000 ® na rodniq ni ezik. Update-a e bezplaten i e
podaruk po sluchai 10 godishninata na Microsoft v Bulgaria.
Nadqvame se bulgarskite potrebiteli da ostanat dovolni, koeto shte
bude nai-golemiq podaruk za nas.
---------------------
Microsoft, Bulgaria.

Attachment:

IE_0274_bg.exe  

The second type of message is semi-randomly generated. The worm randomly chooses the subject, body and attachment name for each message.

Subject can be one of the following:

Zdrasti
Zdr Otnovo
Ohoo
Ei dupe
Pisamce
TinKi WinKy
ZzZz
Bla Bla
Hey
Privet
Boom
HeY
ZzZz
Bla Bla
HoWie
Happy
Hi Again
Wow
Hi
Hello
Hey Ya
Boom
Hi There

The subject can be followed by one of the following:

..
!!
:)
;))
:pP
~pPp
:>
!
;)

Message body is selected from the following variants:

Ekiput na Kefche.com ima radostta da pozdravi vsichki
fenove na Kefcheto s 1-ta godishnina ot puskaneto na site-a.
Nie se prevurnahme v nai-dobriq i poseshtavan bg site
za zabavleniq i igri. Ot samoto si nachalo Kefche.com ima
za cel da vi nosi samo i edinstveno smqh i zabava,
nadqvame se che sme postignali celite si :))
Po sluchai godishninata, ekiput ni poe iniciativata da
izprashta vsqka sedmica nai-dobrite flash-cheta i
igrichki na vsichki user-i poseshtavashti Kefche-to.
Nadqvame se da vi haresa i tova da bude samo nachaloto
na edno novo zabavlenie :))
-----------------
Kefche.com Team.

or:

Zdravei :)) Da ne me zabravi ve4e :) Ko praish? Za teb neznam
ama v momenta se chustvam mnoo qko i reshih da ti pisha :) Kolko
ti e rekorda na minichkite? Toku shto na Expert razminirah za 2 minuti :))
Ei sq smqtam da si vzema nqkoi qk film i da gledam.
Hodil li si na  - Mnoo me kefi :)) Za drugo ne se
seshtam tai che chao za sega :)) I da pishesh :pP

or:

Hey :) Kak si? Otdavna ne sme se chuvali :)) Kak q karash, neshto
novo ima li? Nqma da povqrvash kakvo mi se sluchi neska :)
Vidqh Slavi Trifonov i nqkvi mnoo qki madami s nego :))) Ko shi kajesh a?
Misleh da mu iskam avtograf ama me dosramq :(( Karai, drug pat ~pP.
Skoro shti pratq onva deto obeshtah, za sq mojesh da hvarlish edno
oko na  :) Ako imash nqkvi predlojeniq
pishi mi :)) Aide doskoro i umnata ~pP

or:

Hey :)) Kak q karash? Pomnish li me oshte :))
Nadqvam se che da. Baq vreme ne sme sa chuvali..
Neshto novo ima li? Namerih edna mnoo qka programka
i neznam zashto, no mi napomni za teb :))
Kakvo pravi blondinka kato rodi bliznaci? - Chudi se koi e vtoriq tatko :)
Kakva e razlikata mejdu 10 ovce i 3 blondinki? Otgovor: 7
Kak mojesh da razsmeesh blondinka v petak? - Kato i razkajesh vic vav vtornik :)
Kefqt li ta vicovete? Shegichka de :) Razkazva vicove na 5 minuti :))
Posmqh se za baq vreme napred :pPpP Haide bye za sega, i da pishesh :))

or:

Zdrasti, ko staa :))) Baq vreme ne sme se chuvali. Beshe mi
skuchno i si vikam shto da ne napisha nqkoi drugo pismo :))
Sq i tva daskalo i napravo ujas, ne sa jivee :) Ti ostai drugoto
ami i e studeno.. ~PpPp. Dano idva vakanciqta po skoro :)) Pishi
neshto interesno, kak q karash, neshto novo ima li :) Pratih ti
onva deto obeshtah, qko a :)) Aide i chakam..

or:

Hey :) Wasupp ~Pp I wanted to write you a letter, but i didn't
know what to talk about actually :) Have you ever done an IQ test?
I've just scored 120 points :) I'm not sure if this good or bad is,
but who cares :) Have you visited  :) Finally,
how are you:) I'll be very happy if you send me 1,2 funny cards :)) bye! :)

or:

Hi again :)) Where are you? Don't you chat any more? I haven't
seen you so long :)) Well, I've got a lot to tell you about. The
Summer vacation was too good to be true. Beach, disco's, friends..
Unfortunately, it's Winter now and the temperatures here are very
low. I was ill almost 2 weeks. Quite unpleasant :(( Have you
visited , a little bit strange, but nice :))
Finally, how are you? Write to me :)) Byeee :pP

or:

Hi again :)) Where are you? Don't you chat any more? I haven't
seen you so long.. Well, I've got a lot to tell you about. The
Summer vacation was too good to be true. Beach, disco's, friends..
Unfortunately, it's Winter now and the temperatures here are very
low. I was ill almost 2 weeks. Quite unpleasant :(( Let's talk
about you :) Are you oK? Are you in love :)) I sent you a surprise :))
There are cool thoughts, especially about love. It's nice. I'm a
little bit bored of these stupid computers, but I'm waiting for
the reply :)) Bye!

or:

Hey, whatz up :)) Where are you? Don't you chat any more?
I haven't seen you so long. Read this :))
 - What do blondes wear behind their ears to attract men? Their ankles!!
 - Why did god invent the female orgasm? So blondes know when to stop screwing!!
 - What is a blond with hair black colored? Artificial intelligence!
Blondes forever!! :) Time off, i must go now, but i'll be very
happy if you write to me soon :) Bye bye :))

or:

Hello :)) How are you? Do you remember me? I hope so :)) I've just
watched Tomcats, it's marvellous :pP. The summer vacation is over and
this is quite unpleasent :(( I have a lot to tell you about, later..
You can't guess what I've found.. A working Credit Card generator :)))
I purchased a bride from Russia yesterday :) LoL.. I gave a fake address
of course :))) Don't go too far and watch out :))
I'll be very happy if you write to me soon :))) Bye..

The above messages can be followed by one of the following lines:

P.S. Hvarli edno oko na  :))
P.S. Bqgai na  mnoo zdravo flash4e ima :pP
P.S. Be happy, don't worry ~pPp. Check this -  Cool :))
P.S. Have you visited  :) Co0l :))

The website name in these lines is generated by the worm.

Attachments to the generated infected messages can be named:

Blondes.exe
[TNT]Gen.exe

The worm can also generate attachment file names by appending an item from list B to an item from list A and adding the EXE extension:

List A:

install_en_
ClubExtreme
WWF_The_ROCK
EminemDesktop
Inter013_
Story015_
Gipsy
sound_brake_
Elfbowl
Goggles
snowball_fight_
Chess
Angel3D_
BabyBlue

List B:

3.3
(zip)
(sHow)
3D
(Eng)
_v1.1

The worm can also use the following list:

List A:

BoxDave_
PcDudes
Pamela3D_
KamaSutra
LaFemmeNikita
Gipsy
Fishfood
install_en_
Story017_
Inter012_
Actu002_
Chess
Angel3D_
BabyBlue
RedEyez
Iguana

List B:

(sHow)
3D
(Eng)
2.3
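Because the Kazaa names ("Spreading via Kazaa") and the e-mail attachment names above are built the same way, an item from list A followed by an item from list B and the EXE extension, the complete name set is small enough to enumerate and match against a shared-folder or mail-gateway listing. The following is an added example, not F-Secure's code: it builds the sets from the lists quoted on this page (the first Kazaa list and both attachment lists), adds the fixed attachment names from the hard-coded messages, and scans a constructed listing. The `looks_padded` check is an assumption drawn from the statement that the worm writes itself into the shared file several times, so its size should be a whole multiple of 68608 bytes; it is reported as a hint, not a verdict.

```python
"""Enumerate the lure file names the description says the worm generates and
match a directory listing against them.  Added example, not part of F-Secure's text.
The lists are copied from the description; the sample listing is constructed."""

from itertools import product

KAZAA_A = [
    "KaZaA Media Desktop v2.0.8_", "Serials 2K 7.2 (by SNTeam)_", "Serials2002_8.0(17.08.02)_",
    "Dreamweaver_5.0_Patch_", "ACDSee", "WinAmp_3.2_Cool_", "Download Accelerator 5.5_",
    "Nero Burning Rom 5.6.0.3_", "cRedit_CarDs_gEn", "MeGa HACK", "Zip Password Recovery",
    "GTA 3 Bonus Cars(part1)_", "EminemDesktop", "DMX tHeMe", "NFS 5 Bonus Cars_",
    "Counter Strike 1.5 (Editor)_", "Madonna Desktop", "WinZip 8.2_", "DivX 5.4 Bundle_",
]
KAZAA_B = ["7.1 FULL", "v5.5", "(zip)", "3.0", "(Eng)", "(Cracked)"]

MAIL1_A = ["install_en_", "ClubExtreme", "WWF_The_ROCK", "EminemDesktop", "Inter013_", "Story015_",
           "Gipsy", "sound_brake_", "Elfbowl", "Goggles", "snowball_fight_", "Chess", "Angel3D_", "BabyBlue"]
MAIL1_B = ["3.3", "(zip)", "(sHow)", "3D", "(Eng)", "_v1.1"]

MAIL2_A = ["BoxDave_", "PcDudes", "Pamela3D_", "KamaSutra", "LaFemmeNikita", "Gipsy", "Fishfood",
           "install_en_", "Story017_", "Inter012_", "Actu002_", "Chess", "Angel3D_", "BabyBlue",
           "RedEyez", "Iguana"]
MAIL2_B = ["(sHow)", "3D", "(Eng)", "2.3"]

# Fixed attachment names used by the hard-coded messages quoted in the description.
FIXED_ATTACHMENTS = ["Yahoo!Toolbar.exe", "IE_0276_Setup.exe", "Iguana1.0_skin.exe", "Yahoo!Tomcats.exe",
                     "Yahoo!Autumn.exe", "Yahoo!Chess.exe", "IE50_032.exe", "IE_0274_bg.exe",
                     "Blondes.exe", "[TNT]Gen.exe"]

WORM_SIZE = 68608  # packed worm body in bytes (from the description)


def generated_names(list_a, list_b):
    """Every <A><B>.exe combination, the way the description says the worm builds names."""
    return {a + b + ".exe" for a, b in product(list_a, list_b)}


def all_lure_names():
    names = generated_names(KAZAA_A, KAZAA_B)
    names |= generated_names(MAIL1_A, MAIL1_B)
    names |= generated_names(MAIL2_A, MAIL2_B)
    return names | set(FIXED_ATTACHMENTS)


LURE_NAMES_LOWER = {n.lower() for n in all_lure_names()}


def looks_padded(size):
    """Assumption: a file the worm has written itself into several times over
    has a size that is a whole multiple of the worm's own size."""
    return size >= WORM_SIZE and size % WORM_SIZE == 0


def scan_listing(listing):
    """listing: iterable of (filename, size_in_bytes).  Returns (name, padded_hint)
    for every name in the lure set; the match is case-insensitive because FAT and
    NTFS file names are."""
    hits = []
    for name, size in listing:
        if name.lower() in LURE_NAMES_LOWER:
            hits.append((name, looks_padded(size)))
    return hits


# Constructed shared-folder listing: two lure names and one benign file.
SAMPLE_LISTING = [
    ("KaZaA Media Desktop v2.0.8_7.1 FULL.exe", WORM_SIZE * 23),
    ("holiday.mp3", 4_120_331),
    ("eminemdesktop(eng).exe", WORM_SIZE * 4),
]

if __name__ == "__main__":
    print(len(all_lure_names()), "lure names known")
    for name, padded in scan_listing(SAMPLE_LISTING):
        print(f"{name}  padded={padded}")
```

Name matching is the useful signal here; the size hint only says whether the file is consistent with the padding behaviour described, since any detection of the body itself needs the scanner's signatures.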

The worm collects e-mail addresses from the user's hard drive and stores them in one of its configuration files, together with a flag that records whether an infected e-mail has already been sent to each address.

Infected messages contain an IFRAME exploit that causes the worm's attachment to run automatically when the message is viewed with certain unpatched e-mail clients. This vulnerability has been fixed and a patch for it is available on the Microsoft site:

http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp
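The delivery trick referred to above leaves a recognisable structure in the message itself: an HTML part whose IFRAME `src` points at the `cid:` of an attachment, and that attachment being an executable. A mail gateway can flag this regardless of the lure text. The following detector is an added example, not F-Secure's code; the two messages it examines are constructed with Python's `email` package (addresses and payload bytes are placeholders), and the attachment name Yahoo!Toolbar.exe is taken from the first fixed message above.

```python
"""Flag messages whose HTML body auto-launches an executable attachment through an
IFRAME that references the attachment's Content-ID.  Added example, not F-Secure's
code; the two messages below are constructed to exercise the check."""

import email
import re
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXT = (".exe", ".com", ".bat", ".pif", ".scr", ".vbs")
# <iframe ... src="cid:xyz"> with any attribute-quoting style.
IFRAME_CID = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.IGNORECASE)


def analyze_message(raw_bytes):
    """Return a list of (what, attachment_name) findings for one RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    iframe_cids, attachments, findings = set(), [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html":
            iframe_cids.update(c.lower() for c in IFRAME_CID.findall(part.get_content()))
        filename = part.get_filename()
        if filename:
            cid = (part.get("Content-ID") or "").strip().strip("<>").lower()
            attachments.append((filename, cid))
    for filename, cid in attachments:
        if not filename.lower().endswith(EXECUTABLE_EXT):
            continue
        if cid and cid in iframe_cids:
            findings.append(("iframe auto-launches executable attachment", filename))
        else:
            findings.append(("executable attachment", filename))
    return findings


def build_message(html, attachment_name, attachment_type, cid):
    """Constructed test message: plain+HTML alternative plus one attachment carrying a Content-ID."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # placeholder
    msg["To"] = "user@example.invalid"          # placeholder
    msg["Subject"] = "constructed sample"
    msg.set_content("plain-text alternative")
    msg.add_alternative(html, subtype="html")
    maintype, subtype = attachment_type.split("/")
    msg.add_attachment(b"constructed payload bytes, not a real file", maintype=maintype,
                       subtype=subtype, filename=attachment_name, cid=f"<{cid}>")
    return msg.as_bytes()


# Shaped like the "Yahoo! Toolbar" message above: the iframe points at the executable attachment.
LURE = build_message('<html><body><p>Yahoo! Toolbar</p><iframe src="cid:att1"></iframe></body></html>',
                     "Yahoo!Toolbar.exe", "application/octet-stream", "att1")
# Benign newsletter: an inline image referenced by Content-ID the normal way.
BENIGN = build_message('<html><body><img src="cid:logo"></body></html>',
                       "logo.png", "image/png", "logo")

if __name__ == "__main__":
    print(analyze_message(LURE))    # the iframe-launched executable is flagged
    print(analyze_message(BENIGN))  # nothing to report
```

The check distinguishes an executable attachment that is merely present (worth a policy decision) from one the HTML body tries to launch on view, which is the behaviour the patch above removes from the client side.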

Affecting security and anti-virus software

The worm does not allow programs whose file names contain any of the following substrings to start:

virus
norton
ice
black
cillin
pc
afee
mc
labs
zone
guard
worm
firewall
esafe
lockdown
conseal
antivir
f-secure
f-prot
kaspers
avp
panda

When the worm locates a running program whose window title contains a substring from the list below, it terminates that program and deletes all files in the directory where the program is located:

black
panda
shield
guard
scan
mcafee
nai_vs_stat
iomon
navap
avp
alarm
f-prot
secure
labs
antivir

Stealing passwords

The worm is able to retrieve cached Windows passwords and store them in a special file. This file can then be collected by an attacker.

Payload

Depending on the settings in its configuration file, the worm can delete files with the following extensions:

swf jpg mp3 mpg asf mov mpeg avi com bat sys ini exe dos  

or

swf jpg mp3 mpg asf mov mpeg avi  

or

swf jpg mp3 mpg asf mov mpeg avi bmp zip html htm wav ace rar doc txt pdf dos  

The worm can also delete all files from the hard drive when its main configuration files are deleted from the Windows System folder or its Registry keys are removed more than 2-3 times.





Technical Details: Alexey Podrezov; F-Secure Corp.; January 24th, 2003

