W32/Oror.F
Analysis
- The virus is a 32-bit program written in Visual C++ and
is a variant of W32/Roron.B@mm
- The virus has a UPX-compressed size of 72,192 bytes
- When the virus is first executed, it attempts to delete
all files in all directories. Files that are already
running in memory are not removed. Because of
the file deletion payload, the virus is unable to
send itself by email: the email application
no longer exists
- The virus attempts to shut down some firewall or
security software. It looks for any visible or
non-visible window that has any of the following strings:
black
panda
shield
guard
scan
mcafee
nai_vs_stat
iomon
navap
avp
alarm
f-prot
secure
labs
antivir
- The virus attempts to copy itself across network drives
and writes a file "Autorun.inf" with instructions
to execute the file it wrote.
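
A defender's check for the Autorun.inf behaviour described above, as an added example that is not part of the original analysis: it parses an Autorun.inf found at a drive or share root and reports any executable it would launch. The key names are the standard Windows autorun keys (an assumption, since the page does not list what this virus writes), and the sample contents and file names are constructed.

```python
import re
from pathlib import PureWindowsPath

# [autorun] keys that make Windows start a program (standard keys, assumed here;
# the page does not list the ones this virus writes).
EXEC_KEYS = ("open", "shellexecute")
SHELL_VERB = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def decode(raw: bytes) -> str:
    """Autorun.inf is usually ANSI but may be UTF-16 with a byte-order mark."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")

def autorun_commands(raw: bytes) -> list[tuple[str, str]]:
    """Return (key, command) pairs in [autorun] that execute something."""
    found, section = [], ""
    for line in decode(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in EXEC_KEYS or SHELL_VERB.match(key):
            found.append((key, value))
    return found

def launched_programs(raw: bytes) -> list[str]:
    """File names of executables the autorun file would start."""
    hits = []
    for _key, command in autorun_commands(raw):
        m = re.match(r'"([^"]+)"|(\S+)', command)  # first token, maybe quoted
        if not m:
            continue
        program = PureWindowsPath(m.group(1) or m.group(2))
        if program.suffix.lower() in EXEC_EXTS:
            hits.append(program.name)
    return hits

# Constructed samples (not taken from the virus).
SAMPLE_SUSPECT = b"[AutoRun]\r\nopen=sample.exe\r\nshell\\open\\command=sample.exe\r\n"
SAMPLE_BENIGN = b"[autorun]\r\nicon=setup.ico\r\nlabel=Install disc\r\n"
```

A non-empty result from launched_programs() for an Autorun.inf on a network share is worth triaging together with the executable it names.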