W32/Ronoper.R@mm
Analysis
- Virus is 32-bit with a compressed size of 39,936 bytes
- Virus contains spread mechanisms for IRC, some peer-to-peer applications and email, and may launch when ICQ is run on an infected system
- Virus may write itself to the Windows folder as “systools.exe” and then modify the registry to load at Windows startup –
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"System Toolkit" = C:\WINDOWS\SYSTOOLS.EXE
- Virus may alter the registry to launch whenever ICQ is initiated –
HKEY_LOCAL_MACHINE\Software\Mirabilis\ICQ\Agent\Apps\IcqWinCfg\
"Enable" = Yes
"Parameters" =
"Path" = C:\WINDOWS\SYSTOOLS.EXE
"Startup"
- Virus may write itself to the WINDOWS\TEMP\Binary32 folder as “Melda.scr”, “Melda.zip” or “Melda.rar” – the virus identifies whether WinZip or WinRAR is installed on the system and may create archive files containing the virus
- Virus may alter installations of mIRC in an effort to use “dcc” to send copies of the virus as “Melda.scr” to other IRC users
- Virus may parse the registry and search for the share locations of the peer-to-peer applications Kazaa, Imesh, Limewire, Morpheus, eDonkey and Shareaza and write the following files to the local system –
Norton Antivirus 2003 Professional Edition.exe
Norton Internet Security 2003 Professional.exe
Windows XP Key Generator.exe
Windows XP Keygen.exe
Icq Hack.exe
Hotmail Hack.exe
Spy Cam - Girl Masterbating.scr
PornStar in Hardcore Action.scr
WarCraft 3 Battle.net Key Generator.exe
WarCraft 3 MapHack.exe
StarCraft Battle.net Keygen.exe
StarCraft Maphack.exe
HardCore Action In The School.scr
HardCore - College Webcam.scr
Penis Enlargement Secrets.scr
- Virus may attempt to locate shares across the network using the imports “WNetEnumResourceA” and “WNetOpenEnumA” – if targets are found, the virus could attempt to copy itself to those systems
- Virus contains code which suggests it may attempt to disable the following applications if they are found running as a process in memory –
ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
ESAFE.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
- Virus may delete the following keys if they are located in the registry – this is an effort to prevent these applications from loading at Windows startup –
AVPCC
AVPCC Service
BlackIce Utility
F-StopW
McAfee Firewall
McAfee Winguage
McAfee.InstantUpdate.Monitor
McAfeeVirusScanService
McAfeeWebscanX
McAgentExe
McUpdateExe
NAV Agent
NAV Configuration Wizard
NAV DefAlert
NB Common Dialog Enhancements
NB Start Menu
NB Windows Patterns
Norton Auto-Protect
Norton eMail Protect
Norton Navigator Loader
Norton Program Scheduler
Norton Program Scheduler Event Checker
NPS Event Checker
Panda Scheduler
PP2000 Instaupdate
PP2000 Real Time Scan
PP2000 Taskbar Control
SymTray - Norton SystemWorks
Tiny Personal Firewall
TrendMicro Antivirus
TrueVector
WinProxy
ZoneAlarm
ZoneAlarm Pro
- Virus may reply to unread messages in the inbox of the MAPI application Outlook and send an infectious email attachment with a .SCR extension – the email message may be constructed in a way that makes it difficult for mail parsers to detect that the email has an attachment
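As an added example (not part of the Fortinet advisory), the following script checks an exported Windows registry file (.reg) offline for the two persistence entries described above, the Run value and the ICQ Agent app entry pointing at SYSTOOLS.EXE; the sample export embedded in it is constructed.

```python
"""Offline check of a Windows registry export (.reg) for the persistence entries
this advisory attributes to W32/Ronoper.R@mm.  Added example, not Fortinet code;
the sample export at the bottom is constructed."""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
ICQ_AGENT_APPS = "HKEY_LOCAL_MACHINE\\Software\\Mirabilis\\ICQ\\Agent\\Apps\\"
DROPPER = "systools.exe"  # filename the advisory says the virus writes

def parse_reg(text):
    """Return {key: {value_name: data}} from a .reg export (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            # .reg exports quote REG_SZ data and double every backslash
            data = data.strip().strip('"').replace("\\\\", "\\")
            keys[current][name.strip().strip('"')] = data
    return keys

def find_ronoper_persistence(reg_text):
    """Return (key, value_name, data) for any Run value pointing at SYSTOOLS.EXE
    and any ICQ Agent app whose Path points at it; the value name "System
    Toolkit" is deliberately not required, so a renamed value is still caught."""
    hits = []
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        for name, data in values.items():
            if DROPPER not in data.lower():
                continue
            if k == RUN_KEY.lower():
                hits.append((key, name, data))
            elif k.startswith(ICQ_AGENT_APPS.lower()) and name.lower() == "path":
                hits.append((key, name, data))
    return hits

# Constructed sample export: one benign Run entry plus both advisory entries.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"System Toolkit"="C:\\WINDOWS\\SYSTOOLS.EXE"
[HKEY_LOCAL_MACHINE\Software\Mirabilis\ICQ\Agent\Apps\IcqWinCfg]
"Enable"="Yes"
"Path"="C:\\WINDOWS\\SYSTOOLS.EXE"
"""

if __name__ == "__main__":
    for hit in find_ronoper_persistence(SAMPLE_REG):
        print("persistence entry:", hit)
```

Export the two keys with `reg export` on the suspect host and feed the file to `find_ronoper_persistence`; an empty list means neither entry is present.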
Recommended Action
Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Detection Availability

Product | Detection
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |