Virus

W32/Ronoper.R@mm

Analysis

  • Virus is a 32-bit Windows executable with a compressed size of 39,936 bytes
  • Virus contains spread mechanisms for IRC, some peer-to-peer applications and email, and may also launch when ICQ is run on an infected system
  • Virus may write itself to the Windows folder as “systools.exe” and then add a registry value so that it loads at Windows startup –

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    "System Toolkit" = C:\WINDOWS\SYSTOOLS.EXE

  • Virus may alter the registry to launch whenever ICQ is initiated –

    HKEY_LOCAL_MACHINE\Software\Mirabilis\ICQ\Agent\
    Apps\IcqWinCfg\
    "Enable" = Yes
    "Parameters" =
    "Path" = C:\WINDOWS\SYSTOOLS.EXE
    "Startup"

  • Virus may write itself to the WINDOWS\TEMP\Binary32 folder as “Melda.scr”, “Melda.zip” or “Melda.rar” – the virus checks whether WinZip or WinRAR is installed on the system and, if so, may create archive files containing a copy of itself

  • Virus may modify mIRC installations so that mIRC sends copies of the virus, as “Melda.scr”, to other IRC users via DCC

  • Virus may search the registry for the shared-folder locations of the peer-to-peer applications Kazaa, iMesh, LimeWire, Morpheus, eDonkey and Shareaza and write copies of itself to the local system under the following names –

    Norton Antivirus 2003 Professional Edition.exe
    Norton Internet Security 2003 Professional.exe
    Windows XP Key Generator.exe
    Windows XP Keygen.exe
    Icq Hack.exe
    Hotmail Hack.exe
    Spy Cam - Girl Masterbating.scr
    PornStar in Hardcore Action.scr
    WarCraft 3 Battle.net Key Generator.exe
    WarCraft 3 MapHack.exe
    StarCraft Battle.net Keygen.exe
    StarCraft Maphack.exe
    HardCore Action In The School.scr
    HardCore - College Webcam.scr
    Penis Enlargement Secrets.scr

  • Virus may attempt to locate shares across the network using the imports WNetOpenEnumA and WNetEnumResourceA – if targets are found, the virus may attempt to copy itself to those systems

  • Virus contains code which suggests it may attempt to terminate the following processes (security products) if they are found running in memory –

    ZONEALARM.EXE
    WFINDV32.EXE
    WEBSCANX.EXE
    VSSTAT.EXE
    VSHWIN32.EXE
    VSECOMR.EXE
    VSCAN40.EXE
    VETTRAY.EXE
    VET95.EXE
    TDS2-NT.EXE
    TDS2-98.EXE
    TCA.EXE
    TBSCAN.EXE
    SWEEP95.EXE
    SPHINX.EXE
    SMC.EXE
    SERV95.EXE
    SCRSCAN.EXE
    SCANPM.EXE
    SCAN95.EXE
    SCAN32.EXE
    SAFEWEB.EXE
    RESCUE.EXE
    RAV7WIN.EXE
    RAV7.EXE
    PERSFW.EXE
    PCFWALLICON.EXE
    PCCWIN98.EXE
    PAVW.EXE
    PAVSCHED.EXE
    PAVCL.EXE
    PADMIN.EXE
    OUTPOST.EXE
    NVC95.EXE
    NUPGRADE.EXE
    NORMIST.EXE
    NMAIN.EXE
    NISUM.EXE
    NAVWNT.EXE
    NAVW32.EXE
    NAVNT.EXE
    NAVLU32.EXE
    NAVAPW32.EXE
    N32SCANW.EXE
    MPFTRAY.EXE
    MOOLIVE.EXE
    LUALL.EXE
    LOOKOUT.EXE
    LOCKDOWN2000.EXE
    JEDI.EXE
    IOMON98.EXE
    IFACE.EXE
    ICSUPPNT.EXE
    ICSUPP95.EXE
    ICMON.EXE
    ICLOADNT.EXE
    ICLOAD95.EXE
    IBMAVSP.EXE
    IBMASN.EXE
    IAMSERV.EXE
    IAMAPP.EXE
    FRW.EXE
    FPROT.EXE
    FP-WIN.EXE
    FINDVIRU.EXE
    F-STOPW.EXE
    F-PROT95.EXE
    F-PROT.EXE
    F-AGNT95.EXE
    ESPWATCH.EXE
    ECENGINE.EXE
    DVP95_0.EXE
    DVP95.EXE
    CLEANER3.EXE
    CLEANER.EXE
    CLAW95CF.EXE
    CLAW95.EXE
    CFINET32.EXE
    CFINET.EXE
    CFIAUDIT.EXE
    ESAFE.EXE
    CFIADMIN.EXE
    BLACKICE.EXE
    BLACKD.EXE
    AVWUPD32.EXE
    AVWIN95.EXE
    AVSCHED32.EXE
    AVPUPD.EXE
    AVPTC32.EXE
    AVPM.EXE
    AVPDOS32.EXE
    AVPCC.EXE
    AVP32.EXE
    AVP.EXE
    AVNT.EXE
    AVKSERV.EXE
    AVGCTRL.EXE
    AVE32.EXE
    AVCONSOL.EXE
    AUTODOWN.EXE
    APVXDWIN.EXE
    ANTI-TROJAN.EXE
    ACKWIN32.EXE
    _AVPM.EXE
    _AVPCC.EXE

  • Virus may delete the following startup entries if they are present in the registry – this is an effort to prevent these security products from loading at Windows startup –

    AVPCC
    AVPCC Service
    BlackIce Utility
    F-StopW
    McAfee Firewall
    McAfee Winguage
    McAfee.InstantUpdate.Monitor
    McAfeeVirusScanService
    McAfeeWebscanX
    McAgentExe
    McUpdateExe
    NAV Agent
    NAV Configuration Wizard
    NAV DefAlert
    NB Common Dialog Enhancements
    NB Start Menu
    NB Windows Patterns
    Norton Auto-Protect
    Norton eMail Protect
    Norton Navigator Loader
    Norton Program Scheduler
    Norton Program Scheduler Event Checker
    NPS Event Checker
    Panda Scheduler
    PP2000 Instaupdate
    PP2000 Real Time Scan
    PP2000 Taskbar Control
    SymTray - Norton SystemWorks
    Tiny Personal Firewall
    TrendMicro Antivirus
    TrueVector
    WinProxy
    ZoneAlarm
    ZoneAlarm Pro

  • Virus may use MAPI to reply to unread messages in the Outlook inbox, attaching a copy of itself with a .SCR extension – the reply may be constructed in a way that makes it difficult for mail parsers to detect that the message carries an attachment
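The following Python script is an added example and is not part of the original analysis. It checks a registry export and a file listing from a suspect host against the indicators above: any value pointing at SYSTOOLS.EXE (the "System Toolkit" Run value and the ICQ Agent "Path"), the Melda.* drops under a Binary32 folder, the peer-to-peer lure names, and security-product startup entries that have disappeared from the Run key compared with a known-good export. The .reg text and file listing are constructed samples; the clean baseline export, the subset of lure and startup-entry names used, and the KaZaA share path are assumptions made for the example.

```python
"""Added example (not part of the original analysis): offline triage for the
W32/Ronoper.R@mm host indicators, run over a .reg export and a file listing.
Both sample inputs at the bottom are constructed for the example."""
import re

DROPPED_BINARY = "systools.exe"  # copy written to the Windows folder
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MELDA_NAMES = {"melda.scr", "melda.zip", "melda.rar"}  # under WINDOWS\TEMP\Binary32
P2P_LURES = {n.lower() for n in (  # subset of the peer-to-peer lure names
    "Norton Antivirus 2003 Professional Edition.exe",
    "Windows XP Key Generator.exe",
    "WarCraft 3 MapHack.exe",
)}
# Subset of the security-product startup entries the virus deletes.
TARGETED_STARTUP_ENTRIES = {"ZoneAlarm", "TrueVector", "Norton Auto-Protect",
                            "McAfeeVirusScanService", "Tiny Personal Firewall"}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(.*?)"=(.*)$')


def parse_reg_export(text):
    """Minimal .reg parser: {key_path: {value_name: data}}. Quoted REG_SZ data
    is unescaped; other value types are kept as the raw text after '='."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = reg.setdefault(m.group(1), {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            current[m.group(1)] = data
    return reg


def find_persistence(reg):
    """Every value whose data references systools.exe, in any key: this
    catches both the Run value and the ICQ Agent Apps 'Path' entry."""
    return [f"{key} -> {name} = {data}"
            for key, values in reg.items()
            for name, data in values.items()
            if DROPPED_BINARY in data.lower()]


def find_deleted_startup_entries(baseline, current):
    """Targeted startup entries present in the clean Run key but missing now."""
    missing = set(baseline.get(RUN_KEY, {})) - set(current.get(RUN_KEY, {}))
    return sorted(missing & TARGETED_STARTUP_ENTRIES)


def find_dropped_files(paths):
    """systools.exe in the Windows folder, Melda.* in a Binary32 folder,
    or a known lure filename anywhere (shared folders included)."""
    hits = []
    for path in paths:
        parts = path.lower().replace("/", "\\").split("\\")
        name = parts[-1]
        parent = parts[-2] if len(parts) > 1 else ""
        if ((name == DROPPED_BINARY and parent == "windows")
                or (name in MELDA_NAMES and parent == "binary32")
                or name in P2P_LURES):
            hits.append(path)
    return hits


def triage(baseline_reg, current_reg, listing):
    baseline, current = parse_reg_export(baseline_reg), parse_reg_export(current_reg)
    return {"persistence": find_persistence(current),
            "deleted_startup_entries": find_deleted_startup_entries(baseline, current),
            "dropped_files": find_dropped_files(listing)}


# Constructed sample inputs (not real captures); paths are assumed.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="C:\\PROGRA~1\\ZONELA~1\\ZONEAL~1\\zonealarm.exe"
"TrueVector"="C:\\WINDOWS\\SYSTEM\\ZONELABS\\VSMON.EXE -service"
"Norton Auto-Protect"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE /LOADQUIET"
"""
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System Toolkit"="C:\\WINDOWS\\SYSTOOLS.EXE"
"Norton Auto-Protect"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE /LOADQUIET"

[HKEY_LOCAL_MACHINE\Software\Mirabilis\ICQ\Agent\Apps\IcqWinCfg]
"Enable"="Yes"
"Parameters"=""
"Path"="C:\\WINDOWS\\SYSTOOLS.EXE"
"""
FILE_LISTING = [
    r"C:\WINDOWS\SYSTOOLS.EXE",
    r"C:\WINDOWS\TEMP\Binary32\Melda.scr",
    r"C:\WINDOWS\TEMP\Binary32\Melda.zip",
    r"C:\Program Files\KaZaA\My Shared Folder\Windows XP Key Generator.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\holiday.jpg",
    r"C:\WINDOWS\NOTEPAD.EXE",
]

if __name__ == "__main__":
    for section, hits in triage(BASELINE_REG, INFECTED_REG, FILE_LISTING).items():
        print(section, hits)
```

On a live host the baseline comes from a clean reference system (a `reg export` of the Run key) and the listing from a recursive directory listing. Hits under persistence or dropped_files are direct indicators; a missing startup entry only says the product's autostart was removed, so corroborate it against the process list above before treating the host as infected.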
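The analysis says only that the emailed reply may be built so that mail parsers have trouble seeing the attachment, without naming the technique, so the example below is a general attachment check rather than a reproduction of the virus's message. It walks every MIME part, including nested multipart containers, takes the filename from either the Content-Disposition filename or the Content-Type name parameter, and additionally flags any part whose decoded body begins with the MZ executable magic regardless of its headers. This is added example code, not the advisory's own; both sample messages are constructed, and the "evasive" one (an inline-disposed part named only through Content-Type, nested inside a multipart/related container) is an assumed evasion form, not necessarily the one Ronoper uses.

```python
"""Added example, not from the original advisory: find file-carrying MIME
parts, including ones a naive Content-Disposition check misses. The two
sample messages are constructed; the evasion form is assumed."""
import email
from email import policy

EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat"}


def find_attachments(raw):
    """One record per non-container part that carries a file. A part counts
    if it has a filename (Content-Disposition 'filename' or Content-Type
    'name') or if its decoded body starts with the 'MZ' DOS/PE magic."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():  # walk() descends into nested multiparts
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""
        looks_like_pe = body[:2] == b"MZ"
        if not filename and not looks_like_pe:
            continue
        found.append({"filename": filename,
                      "content_type": part.get_content_type(),
                      "disposition": part.get_content_disposition() or "(none)",
                      "pe_magic": looks_like_pe})
    return found


def find_executable_attachments(raw):
    """Attachments with an executable extension (.SCR is the one the virus
    uses) or an executable body, whatever the declared name."""
    return [a for a in find_attachments(raw)
            if a["pe_magic"] or any(a["filename"].lower().endswith(ext)
                                    for ext in EXECUTABLE_EXTENSIONS)]


def naive_has_attachment(raw):
    """The kind of check an evasive message defeats: look only for an
    explicit 'attachment' disposition somewhere in the text."""
    return "content-disposition: attachment" in raw.lower()


# Constructed sample messages (the base64 body is a 16-byte MZ header stub).
PLAIN_ATTACHMENT = """\
From: alice@example.test
To: bob@example.test
Subject: RE: lunch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="Melda.scr"
Content-Disposition: attachment; filename="Melda.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""
EVASIVE_ATTACHMENT = """\
From: alice@example.test
To: bob@example.test
Subject: RE: lunch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

see attached
--outer
Content-Type: multipart/related; boundary="inner"

--inner
Content-Type: text/html

<html><body>hi</body></html>
--inner
Content-Type: application/x-msdownload; name="Melda.scr"
Content-Disposition: inline
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--inner--
--outer--
"""

if __name__ == "__main__":
    for label, raw in (("plain", PLAIN_ATTACHMENT), ("evasive", EVASIVE_ATTACHMENT)):
        print(label, naive_has_attachment(raw), find_executable_attachments(raw))
```

The point of the body-magic check is that a gateway should decide on what a part contains, not on how it is labelled: an .SCR that arrives with an inline disposition, a misleading content type, or no filename at all is still a Windows executable once the client saves and runs it.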

Recommended Action

Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option