Roron virus or Oror.b

[prodikal]

Yet another head's

http://zdnet.com.com/2100-1105-964809.html

A Russian antivirus company on Wednesday warned that a new virus could help hackers gain control of home computers, but other security companies downplayed the threat.

Kaspersky Labs has named the virus, or worm, Roron, and it is known as Oror.B by several other companies. The new computer virus can spread through e-mail messages, shared hard drives and the Kazaa file-sharing network, Kaspersky Labs spokesman Denis Zemkin said.

"We see that this worm is particularly dangerous for home users," Zemkin said. "Corporate customers are already aware of the danger of attachments," and are unlikely to open the file containing the program.


Click Here.

Kaspersky Labs sent out an advisory on Roron that rated the virus a "high danger" because of the various ways the program can spread. The company also cited the worm's goal of enabling online vandals to use a victim's PC as a platform from which to launch attacks. Each copy of the virus contains several hacker tools that let an infected computer be controlled by way of messages from Internet relay chat (IRC). With the IRC messages, online vandals could launch a denial-of-service attack, which unleashes a deluge of data at a computer or router, flooding the device's bandwidth and cutting it off from the Internet.

Security company Symantec, however, said it will most likely rate Roron as only a two on its threat scale of five, said Sharon Ruckman, senior director of Symantec's security response group.

"We haven't had any reports in the U.S. of this virus yet," Ruckman said, adding that the company's clients in Europe had seen very few copies. "We'll watch it."

Kaspersky Labs' clients are mainly European, with a strong concentration in the nations that once made up the Soviet Union.

E-mail service provider MessageLabs said Roron didn't appear on its Top 10 list of malicious attachments, a list the U.K.-based company culls from the messages it filters on behalf of clients. The lowest scoring virus on that list, Yaya.c, only represented 77 attachments in the last 24 hours.

The Roron virus is the latest of five variants of an e-mail worm that appeared in August and is known by most companies as Oror. Kaspersky Labs believes Roron was created in Bulgaria, because several words found in the worm's code are written in that language.

Once Roron infects a system, it spreads by creating e-mail messages with different subject lines and different names for the attached file that carries the worm. Once opened, Roron copies itself to several folders, including those used to share music files in the Kazaa network, as well as to any shared hard drives on a network. In that way, the virus resembles another worm that began spreading through the Kazaa network in May.

Finally, Roron installs a backdoor program onto the PC that lets remote attackers run attack tools.

Kaspersky Labs believes that if the virus becomes popular it will quickly burn itself out, said Zemkin.

"I don't think it will be long infection, like the Klez (virus)," Zemkin said.

E-mail this story!

an analysis of this worm from sophos
http://www.sophos.com/virusinfo/analyses/w32ororb.htm

W32/Oror-B
Type
Win32 worm
Detection
A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the December 2002 (3.64) release of Sophos Anti-Virus.

At the time of writing Sophos has received just one report of this worm from the wild.

Note: Sophos Anti-Virus has been detecting W32/Oror-B since 17:40 GMT on 1 November, but has issued this new IDE to include detection of mIRC/Oror-B
Description

W32/Oror-B is a worm that can spread in an number of ways, including sending itself out by email, copying itself to shared drives in networks, and placing copies of itself in folders likely to be shared via the KaZaA peer-to-peer system.

(A number of variants of this worm are known. You can read about these by looking at W32/Oror-A and W32/Oror-Fam.)

When W32/Oror-B first runs on your computer, it pops up a fake error dialog with the title "WinZip Self-Extractor License Confirmation" and the text "Your version of WinZip Self-Extractor is not licensed, or the license information is missing or corrupted. Please contact the program vendor or the web site (www.WinZip.com)for additional information"

Under cover of this fake dialog, W32/Oror-B infects your computer. The worm writes a varying number of copies of itself. These copies may be found in a number of different places, including:

* the Windows folder (e.g. C:\WINDOWS)

* the System folder (e.g. C:\WINDOWS\SYSTEM)

* subfolders of the Program Files folder

* folders associated with KaZaA file sharing

The worm runs the copy in your System folder every time you boot up by adding a run= line to the [windows] section of your WIN.INI file.

The worm runs the copy in your Windows folder every time you logon to the network (or to Windows) by adding an entry in your registry like this:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
LoadSystemProfile = "wormname.exe powprof.dll, LoadCurrentUserProfile"

W32/Oror-B uses a random value for wormname above. This random name includes the start of your computer name written backwards, and ends in 16.exe, 32.exe or 98.exe.

W32/Oror-B sometimes adds additional values to the registry to run one or more of the files it has placed in your Program Files folders. These values are added to:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

W32/Oror-B sets the following value in your registry so that whenever you launch an EXE file, the worm runs first before launching the program you actually chose:

HKCR\exefile\shell\open\command wormname.exe "%1" %*

The worm uses misleading filenames when copying itself to shared folders, including:

Counter Strike 1.5 (Editor).exe
Div X 5.4 Bundle.exe
Download Accelerator 5.5.exe
Dreamweaver_5.0_Patch.exe
GTA 3 Bonus Cars(part1).exe
KaZaA Media Desktop v2.0.8.exe
Nero Burning Rom 5.6.0.3.exe
NFS 5 Bonus Cars.exe
Serials 2K 7.2 (by SNTeam).exe
Serials2002_8.0(17.08.02).exe
WinAmp_3.2_Cool.exe
WinZip 8.2.exe

and filenames built from strings such as:

ACDSee
cRedit_CarDs_gEn
DMX tHeMe
EminemDesktop
Madonna Desktop
MeGa HACK
Zip Password Recovery

During this process the worm creates autorun.inf files referencing the dropped EXE files.

W32/Oror-B spreads via email. The worm selects the content of its emails randomly from an internal list. The subject line of the email can contain strings such as:

Blondes Forever
Blondinkii
Microsoft Bulgaria
sent you a Yahoo! Greeting
Vajno
Virus Alert
WinAmp Team
Yahoo! Games
Yahoo! Toolbar

The message text varies with the subject line chosen. W32/Oror-B attaches itself as one of the following files:

[TNT]Gen.exe
Blondes.exe
Blondies.exe
IE_0274_bg.exe
IE_0276_Setup.exe
IE50_032_Setup.exe
Iguana1.0_skin.exe
Yahoo!Autumn.exe
Yahoo!Chess.exe
Yahoo!Tomcats.exe
Yahoo!Toolbar.exe

W32/Oror-B may send its attachments so that they attempt to exploit vulnerabilities in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer. These vulnerabilities allow an executable attachments to run automatically, even if you do not double-click on the attachment. Microsoft has issued patches which secure against these attacks. Be sure to download these patches from Microsoft if you have not done so already.

If you have mIRC installed, W32/Oror-B drops an IRC backdoor Trojan script into your mIRC folder. This backdoor Trojan is detected by Sophos Anti-Virus as mIRC/Oror-B.

so update and heads up

[imported_wnbc]

The Roron virus created by Bulgarian is the most intelligent one that i have seen. Now i am trying to remove it from a little network ( 5 PC-s) .... i wish to find who made it and kick his ass )

[hackerdan]

Dude some of these virrii are crazy i write virrii (it dosent leave my computer and it never hurts anyone i just make them to expand my knowledge) and ive read little black blook of email viruses by Mark Ludwig and i still cant make viruses as powerful as those

[imported_wnbc]

The I-Worm/Roron as i said is very intelligent. If some of his files are deleted, or his random generator generates a precise string he deletes files.... but in fact he is crashing the FAT, and with the help of software like EasyRecovery you can recover your FAT. From time to time Roron closes applications. As an example i was trying to open http://www.f-prot.com/ to read more about him, he closed my Internet Explorer 5 or 6 times and that's very annoying! I cleaned him with AVG 6.0 Free edition ( http://www.grisoft.com/ ) first, then deleted "winfile.dll" from windows folder, and then i cleared the registry and WIN.INI file .... that info is given at allmost all Antivirus Programs homepages.
p.s: DO NOT DELETE winfile.dll first .... if you do that yo're lost! Firstly you have to remove all copies of the I-Worm ( they are listed in allmost all antivirus programs homepages ) then the registry and the winfile.dll. I hope that will work. I'm glad that my computers are clean now

Best wishes from Bulgaria!