W32/Oror-B
Type
Win32 worm
Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the December 2002 (3.64) release of Sophos Anti-Virus.
At the time of writing Sophos has received just one report of this worm from the wild.
Note: Sophos Anti-Virus has been detecting W32/Oror-B since 17:40 GMT on 1 November, but has issued this new IDE to include detection of mIRC/Oror-B.
Description
W32/Oror-B is a worm that can spread in a number of ways, including sending itself out by email, copying itself to shared drives in networks, and placing copies of itself in folders likely to be shared via the KaZaA peer-to-peer system.
(A number of variants of this worm are known. You can read about these by looking at W32/Oror-A and W32/Oror-Fam.)
When W32/Oror-B first runs on your computer, it pops up a fake error dialog with the title "WinZip Self-Extractor License Confirmation" and the text "Your version of WinZip Self-Extractor is not licensed, or the license information is missing or corrupted. Please contact the program vendor or the web site (www.WinZip.com) for additional information".
Under cover of this fake dialog, W32/Oror-B infects your computer. The worm writes a varying number of copies of itself. These copies may be found in a number of different places, including:
* the Windows folder (e.g. C:\WINDOWS)
* the System folder (e.g. C:\WINDOWS\SYSTEM)
* subfolders of the Program Files folder
* folders associated with KaZaA file sharing
The worm runs the copy in your System folder every time you boot up by adding a run= line to the [windows] section of your WIN.INI file.
The worm runs the copy in your Windows folder every time you logon to the network (or to Windows) by adding an entry in your registry like this:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
LoadSystemProfile = "wormname.exe powprof.dll, LoadCurrentUserProfile"
W32/Oror-B uses a random value for wormname above. This random name includes the start of your computer name written backwards, and ends in 16.exe, 32.exe or 98.exe.
W32/Oror-B sometimes adds additional values to the registry to run one or more of the files it has placed in your Program Files folders. These values are added to:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
W32/Oror-B sets the following value in your registry so that whenever you launch an EXE file, the worm runs first before launching the program you actually chose:
HKCR\exefile\shell\open\command wormname.exe "%1" %*
The worm uses misleading filenames when copying itself to shared folders, including:
Counter Strike 1.5 (Editor).exe
Div X 5.4 Bundle.exe
Download Accelerator 5.5.exe
Dreamweaver_5.0_Patch.exe
GTA 3 Bonus Cars(part1).exe
KaZaA Media Desktop v2.0.8.exe
Nero Burning Rom 5.6.0.3.exe
NFS 5 Bonus Cars.exe
Serials 2K 7.2 (by SNTeam).exe
Serials2002_8.0(17.08.02).exe
WinAmp_3.2_Cool.exe
WinZip 8.2.exe
and filenames built from strings such as:
ACDSee
cRedit_CarDs_gEn
DMX tHeMe
EminemDesktop
Madonna Desktop
MeGa HACK
Zip Password Recovery
During this process the worm creates autorun.inf files referencing the dropped EXE files.
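The persistence points described above (the run= line in WIN.INI, the LoadSystemProfile Run value, the hijacked exefile open command, the reversed-computer-name filename scheme) and the autorun.inf files written to shared folders can all be checked from text exports, which matters here because the exefile hijack means any .exe you launch, including a cleanup tool, runs the worm first until that key is restored. The following Python script is an added example, not Sophos code or part of the original page: it runs over constructed sample inputs (a WIN.INI excerpt, a regedit-style export and an autorun.inf, all built for the example from the hypothetical computer name "MYPC", so the worm filenames CPYM32.EXE and CPYM16.exe are illustrations). The page does not say how many leading characters of the computer name are reversed, so the pattern accepts any reversed prefix of at least three characters; that is an assumption.

```python
import re

# Constructed sample inputs (not from the original page). "CPYM" is the
# hypothetical computer name "MYPC" written backwards.
SAMPLE_COMPUTER_NAME = "MYPC"
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\CPYM32.EXE
NullPort=None
"""
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadSystemProfile"="CPYM16.exe powprof.dll, LoadCurrentUserProfile"
"SystemTray"="SysTray.Exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="CPYM16.exe \"%1\" %*"
'''
SAMPLE_AUTORUN_INF = "[autorun]\nopen=WinZip 8.2.exe\nicon=WinZip 8.2.exe\n"

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
CLEAN_EXEFILE_COMMAND = '"%1" %*'   # stock default value of the exefile key
_REG_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def worm_name_regex(computer_name, min_prefix=3):
    """Dropped copy: contains the start of the computer name reversed and ends in
    16.exe, 32.exe or 98.exe.  ASSUMPTION: any reversed prefix >= min_prefix chars."""
    name = computer_name.strip()
    if len(name) < min_prefix:
        raise ValueError("computer name too short for a usable pattern")
    alts = "|".join(re.escape(name[:k][::-1]) for k in range(len(name), min_prefix - 1, -1))
    return re.compile(r"^.*(?:%s).*(?:16|32|98)\.exe$" % alts, re.IGNORECASE)

def _ini_value(text, section, keys):
    """First value of any of `keys` inside [section] of INI-style text, or None."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if key.strip().lower() in keys:
                return value.strip() or None
    return None

def win_ini_run_line(text):      # run= in the [windows] section of WIN.INI
    return _ini_value(text, "windows", ("run",))

def autorun_target(text):        # program an autorun.inf would launch
    return _ini_value(text, "autorun", ("open", "shellexecute"))

def parse_reg(text):
    """Minimal .reg parser: {key.lower(): {value_name: data}}; "" is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _REG_VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(1)[1:-1])
            data = m.group(2).strip()
            if len(data) >= 2 and data[0] == data[-1] == '"':   # REG_SZ: strip, unescape
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys

def exefile_hijack(reg):
    """Program prepended to the exefile open command, or None if it is stock."""
    cmd = reg.get(EXEFILE_KEY, {}).get("", CLEAN_EXEFILE_COMMAND).strip()
    if cmd == CLEAN_EXEFILE_COMMAND:
        return None
    return cmd.split('"%1"')[0].strip() or cmd

def suspicious_run_values(reg, name_re):
    """Run values named LoadSystemProfile, or that launch a worm-named file."""
    hits = []
    for name, data in reg.get(RUN_KEY, {}).items():
        exe = data.split()[0] if data.split() else ""
        if name.lower() == "loadsystemprofile" or name_re.match(exe):
            hits.append((name, data))
    return hits

def scan(computer_name, win_ini, reg_export, autorun_inf=""):
    """Run every check; an empty dict means none of the indicators were seen."""
    name_re = worm_name_regex(computer_name)
    reg = parse_reg(reg_export)
    run_line = win_ini_run_line(win_ini)
    target = autorun_target(autorun_inf)
    candidates = {
        "win_ini_run": run_line if run_line and name_re.match(run_line) else None,
        "exefile_hijack": exefile_hijack(reg),
        "run_values": suspicious_run_values(reg, name_re),
        "autorun_inf": target if target and target.lower().endswith(".exe") else None,
    }
    return {k: v for k, v in candidates.items() if v}
```

On a real machine you would feed scan() the text of %WINDIR%\WIN.INI, a regedit export of the two keys, and any autorun.inf found on the shared folders, with the real computer name. Restore the exefile default value to "%1" %* before running any .exe-based removal tool, otherwise the worm is launched first, exactly as the description says.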
W32/Oror-B spreads via email. The worm selects the content of its emails randomly from an internal list. The subject line of the email can contain strings such as:
Blondes Forever
Blondinkii
Microsoft Bulgaria
sent you a Yahoo! Greeting
Vajno
Virus Alert
WinAmp Team
Yahoo! Games
Yahoo! Toolbar
The message text varies with the subject line chosen. W32/Oror-B attaches itself as one of the following files:
[TNT]Gen.exe
Blondes.exe
Blondies.exe
IE_0274_bg.exe
IE_0276_Setup.exe
IE50_032_Setup.exe
Iguana1.0_skin.exe
Yahoo!Autumn.exe
Yahoo!Chess.exe
Yahoo!Tomcats.exe
Yahoo!Toolbar.exe
W32/Oror-B may send its attachments so that they attempt to exploit vulnerabilities in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer. These vulnerabilities allow an executable attachment to run automatically, even if you do not double-click on the attachment. Microsoft has issued patches which secure against these attacks. Be sure to download these patches from Microsoft if you have not done so already.
If you have mIRC installed, W32/Oror-B drops an IRC backdoor Trojan script into your mIRC folder. This backdoor Trojan is detected by Sophos Anti-Virus as mIRC/Oror-B.