Virus

W32/Oror.I

Analysis

  • The virus is 32-bit, coded using Visual C++, and is a minor variant of W32/Roron.D@mm
  • The virus has a UPX-compressed size of 70,656 bytes
  • When the virus is executed, it writes several files to the local machine - it locates a random folder within the "Program Files" folder and creates a file within that folder with the same name as the folder, with an appended two-digit number - the number is either 32 or 16 - in these formats -

    Windows\sys[CCCCC]_.def
    Windows\[CCCCC][##].exe
    Windows\run[CCCCC][##].exe
    Windows\System\[XXXXX][##].exe
    Windows\System\[RRRRR][##].exe
    Program Files\[FFFF]\[FFFF][##].exe

    "CCCCC" is the first 5 characters of the computer name reversed
    "XXXXX" is an existing file name in the same folder, chosen randomly
    "RRRRR" is a random file name
    "FFFF" is the name of an existing folder, chosen randomly
    "##" is a two-digit number of either 16 or 32, chosen randomly

  • The virus seeks the Windows folder and then modifies the WIN.INI file to load the virus at next Windows startup -

    [windows]
    run=C:\Windows\System\[RRRRR][##].exe

    "RRRRR" is a random file name, and "##" is a two-digit number of either 16 or 32, chosen randomly

  • The virus attempts to shut down some firewall or security software - it seeks any visible or hidden window whose name contains one of the following strings -

    black, panda, shield, guard, scan, mcafee, nai_vs_stat, iomon, navap,
    avp, alarm, f-prot, secure, labs, antivir

  • The virus then searches the "Program Files" folder for folders whose names match one of the following partial strings and, if found, deletes files within that folder, where "*" is a wildcard character -

    norton*virus, black*ice, pc*cillin, mc*afee, zone*labs, worm*guard, f-secure*antivir, f-prot, avp*kaspers, panda

  • The virus modifies the registry by creating two entries to load itself when Windows starts -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

    LoadSystemProfile=run[CCCCC][##].exe powprof.dll,LoadCurrentUserProfile

    [PPPPP]=[PPPPP]\[PPPPP][##].exe

    "CCCCC" is the first 5 characters of the computer name reversed
    "##" is either 16 or 32
    "PPPPP" is the virus written to the Windows folder
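As an added example (not part of the original analysis), the following Python derives the host-specific "[CCCCC]" name and checks a WIN.INI text and a set of Run-key values for the two startup entries described above. The host name, WIN.INI contents and registry values are constructed for the example.

```python
import re

# Host name and the WIN.INI / Run-key samples below are constructed
# for this example, not data from the original analysis.
COMPUTER_NAME = "WKSTN-07"          # [CCCCC] becomes "NTSKW"
SAMPLE_WIN_INI = """[windows]
run=C:\\Windows\\System\\qzlmd32.exe
[Desktop]
Wallpaper=C:\\Windows\\cloud.bmp
"""
SAMPLE_RUN_VALUES = {
    "LoadSystemProfile": "runNTSKW32.exe powprof.dll,LoadCurrentUserProfile",
    "SystemTray": "SysTray.Exe",
    "Winamp": "C:\\Windows\\Winamp32.exe",
}

def reversed_prefix(computer_name):
    """[CCCCC]: the first five characters of the computer name, reversed."""
    return computer_name[:5][::-1]

def expected_host_filenames(computer_name):
    """Names the virus derives from the host name; the suffix is 16 or 32."""
    c = reversed_prefix(computer_name)
    names = {f"sys{c}_.def"}
    for n in ("16", "32"):
        names.update({f"{c}{n}.exe", f"run{c}{n}.exe"})
    return names

def suspicious_win_ini_run(win_ini_text):
    """run= lines under [windows] that launch <name>16.exe or <name>32.exe
    from the System folder, the WIN.INI change described above."""
    hits, in_windows = [], False
    for line in win_ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_windows = s.lower() == "[windows]"
        elif in_windows and s.lower().startswith("run="):
            target = s[4:].strip()
            if re.search(r"\\System\\[^\\]+(16|32)\.exe$", target, re.I):
                hits.append(target)
    return hits

def suspicious_run_values(values, computer_name):
    """Run-key value names matching either of the two entries described above."""
    c = re.escape(reversed_prefix(computer_name))
    launcher = re.compile(rf"(^|\\)(run)?{c}(16|32)\.exe\b", re.I)
    return [name for name, data in values.items()
            if (name == "LoadSystemProfile" and "LoadCurrentUserProfile" in data)
            or launcher.search(data)]
```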

  • The virus attempts to copy itself across network drives, and writes a file "Autorun.inf" with instructions to execute the file written.
  • The virus modifies the MIRC.INI file to turn the client into a bot, awaiting instructions from the controller or hacker. The following commands result in actions against the client -

    IP! - returns the IP address of the infected host
    NICK - returns infected mIRC user information, initiates email routine
    OpenServerConsole - opens a socket request
    CHAN - runs a clone process, opens TCP port 6667
    1 - sets infected host access password to "Temp-Pass"
    2 - sets infected host access password to "OS-Pass"
    3 - sets infected host access password to "OPER-Pass"
    RESTART - runs a shell instruction to restart Windows with this instruction "rundll.exe user.exe,exitwindowsexec"
    SHUTDOWN - runs a shell instruction to shutdown Windows with this instruction "rundll.exe user.exe,exitwindows"
    FUCKOFF - delete file Windows\Winfile.dll
    HELLO - initiates mass-mailing routine
    MASS - initiates mass-mailing routine
    DIR - captures a directory listing of current folder
    RENAME - renames a file of choice
    EXEC - execute a file of choice
    STATUS - sends current status information to a joined channel
    INFO - sends infected mIRC client info to a joined channel

  • The infected mIRC environment may attempt to connect to a Bulgarian website where the virus is hosted on a user page, and download a file named "Faith.exe", saving it as a random five letter file name, then execute it
  • The virus captures cached network passwords and attempts to email them to these email addresses -

    Rahmul@europe.com
    Rahmul@abv.bg
    Rahmul@combg.com
    Rahmul@priatel.com
    Rahmul@mailbg.com
    Rahmul@mail.bg

  • Virus may monitor the Outlook Express application for email addresses in order to create a list of targets and send itself to them - the email message will be constructed using an IFrame exploit similar to that of other viruses in an effort to enable the attachment to run automatically.
  • The emails are either composed based on tables of elements with forged "From" email addresses, or they are static, where the content varies between English or Bulgarian text.
  • If the virus creates a variable email, it follows these criteria and formats -

    From prefixes:
    dreamy@, candy_f@, bryan16@, jerry@, baby_17@, neo@, trish1@, linda17@, monica@, nicole@, angel_f@, blue16@, tweety@, alice@, jane17@, badboy@, rap_girl@, CrazyGirl@, steve@, happy@, amanda@, crazy@

    From domains:
    hotmail.com, yahoo.com, mail.com, gmx.com, yahoo.co.uk, usa.net, crazy.net

    Subject (English table):
    HeY, ZzZz, Bla Bla, HoWie, Happy, Hi Again, Wow, Hi, Hello,
    Hey Ya, Boom, Hi There

    Subject (Bulgarian table):
    Zdrasti, Zdr Otnovo, Ohoo, Ei dupe, Pisamce, TinKi WinKy,
    ZzZz, Bla Bla, Hey, Privet, Boom

  • The subject text may be concatenated with one of the following emoticons or punctuation marks -

    !!, :), ;)), :pPpP, ~pPp, :>,!, ;)

  • The body text may have varied content and also contain one of four postscripts, in English or Bulgarian, picked at random -

    Body:
    [various content]

    P.S. Have you visited ######## :) Co0l :))
    P.S. Be happy, don't worry ~pPp. Check this - ######## Cool :))
    P.S. Bqgai na ######## mnoo zdravo flash4e ima :pP
    P.S. Hvarli edno oko na ######## :))

    * Where "########" is a URL

  • File attachments are created and named using one of four tables, in two parts -

    Attachment: [part 1 + part 2].exe

    Table #1 - part 1 elements
    KaZaA Media Desktop v2.0.8_, Serials 2K 7.2 (by SNTeam)_, Serials2002_8.0(17.08.02)_, Dreamweaver_5.0_Patch_, ACDSee, WinAmp_3.2_Cool_, Download Accelerator 5.5_, Nero Burning Rom 5.6.0.3_, cRedit_CarDs_gEn, MeGa HACK , Zip Password Recovery , GTA 3 Bonus Cars(part1)_, EminemDesktop, DMX tHeMe , NFS 5 Bonus Cars_, Counter Strike 1.5 (Editor)_, Madonna Desktop , WinZip 8.2_, DivX 5.4 Bundle_

    Table #1 - part 2 elements
    7.1 FULL, v5.5, (zip), 3.0, (Eng), (Cracked)

    Table #2 - part 1 elements
    PcDudes, BritneyUltimate, Pamela 3D_, Britney Suxx , KamaSutra, LaFemmeNikita, Teen Sex Cam , Lolita, Pam Anderson Theme , Sexy Teens Desktop , SexSpy, Anal Explorer , VirtualRape, Hot Blondies, Strip Kournikova

    Table #2 - part 2 elements
    (sHow), 3D, 3.0, (Eng), v4.5, (Rated)

    Table #3 - part 1 elements
    install_en_, ClubExtreme, WWF_The_ROCK, EminemDesktop, Inter013_, Story015_, Gipsy, sound_brake_, Elfbowl, Goggles, snowball_fight_, Chess, Angel3D_, BabyBlue

    Table #3 - part 2 elements
    3.3, (zip), (sHow), 3D, _zip, (Eng), _v1.1

    Table #4 - part 1 elements
    BoxDave_, PcDudes, Pamela3D_, KamaSutra, LaFemmeNikita, Gipsy, Fishfood, install_en_, Story017_, Inter012_, Actu002_, Chess, Angel3D_, BabyBlue, RedEyez, Iguana

    Table #4 - part 2 elements
    (sHow), 3D, (Eng), 2.3

  • Static emails are chosen from various sets of hard-coded data, as in the following examples -

  • Example 1

    From: support@yahoo.com
    Subject: Yahoo! Toolbar_
    Body:
    Yahoo! Team is proud to present our new surprise for clients of Yahoo! and Yahoo! Mail. Yahoo! Toolbar is an innovative technology, which helps you to access Yahoo! Services easier than ever. It is free and is a gift for the 5th anniversary of Yahoo!
    We hope that you would like it. The whole Yahoo! Team want to express our gratitude to you, the people who help us to improve Yahoo! so much, that it became the most popular worldwide portal.
    Thank You!
    We do our best to serve you.
    -------------
    Yahoo! Team
    www.Yahoo.com
    Attachment: Yahoo!Toolbar.exe

  • Example 2

    From: support@microsoft.com
    Subject: Virus Alert_
    Body:
    McAfee Antivirus warns about a new virus, called W32.Roro@mm
    It is a high risk worm and it's using IRC and internet pages
    to infect computers. The virus deletes movies, music and
    system files.
    Due to the significant increase of infected users,
    Microsoft Corporation, with the collaboration of
    McAfee Antivirus, supports clients of Microsoft Windows
    with a patch, which fixes a bug in Internet Explorer 5.5
    or minor versions. This bug allows internet pages
    to grant access to local resources of visitors.
    -----------------
    McAfee Antivirus
    www.McAfee.com
    Attachment: IE_0276_Setup.exe

  • Example 3

    From: alert@computel.bg
    Subject: Vajno_
    Body:
    Panda Antivirus preduprejdava za nalichieto na nov virus
    v internet, narechen W32.Roro@mm. Razprostranqva se predimno
    po IRC i chrez zarazeni internet stranici. Sled zarazqvaneto
    toi iztriva mp3-ki, filmi i dokumenti.
    Poradi golemiq broi zarazeni bulgari prez poslednite
    nqkolko dena, Panda Antivirus zapochna razprostranenieto na
    patch, koito opravq bug v Internet Explorer 5.5 i minali
    versii, pozvolqvasht na stranici sas zlovredno sudurjanie
    da izpulnqvat komandi vurhu posetitelite.
    Druga nasha preporuka e ako ste veche zarazeni da ne
    opitvate da mahate virusa ruchno, a samo s antivirusna
    programa, poneje pri neuspeshen opit za premahvane W32.Roro
    iztriva razlichni vidove failove na operacionnata sistema.
    ------------------
    Panda Antivirus, Bulgaria
    www.Computel.bg
    Attachment: IE50_032_Setup.exe

  • The virus contains this string within its code -

    RoRo v3.9