Virus

W32/Oror.F

Analysis

  • The virus is a 32-bit program coded in Visual C++, and is a variant of W32/Roron.B@mm
  • The virus has a UPX-compressed size of 72,192 bytes
  • When the virus is first executed, it attempts to delete all files in all directories. Files that are already running in memory are not removed. Because of this file-deletion payload, the virus is unable to send itself by email: the email application no longer exists
  • The virus attempts to shut down some firewall or security software: it looks for any visible or non-visible window whose title may contain the following strings:

    black
    panda
    shield
    guard
    scan
    mcafee
    nai_vs_stat
    iomon
    navap
    avp
    alarm
    f-prot
    secure
    labs
    antivir

  • The virus attempts to copy itself across network drives and writes a file "Autorun.inf" containing instructions to execute the file it wrote.
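The last point is the one a defender can hunt for on file servers: an Autorun.inf sitting on a writable network share whose launch entry points at an executable next to it. The following is an added example, not part of the original analysis and not the vendor's tooling. It assumes the standard Autorun.inf layout (an [autorun] section with open=, shellexecute= or shell\open\command= keys) and treats any such key whose target is a relative path to an executable as suspicious. The sample file contents and share names are constructed for the example; the real dropped filename is not given in the analysis, so none is assumed.

```python
"""Hunt for Autorun.inf files on mounted shares that would launch an
executable stored beside them (added example; not from the original page).

Assumptions (not from the analysis): the inf uses the usual [autorun]
section and one of the open / shellexecute / shell\open\command keys.
"""
import configparser
import os
from pathlib import PureWindowsPath

# Extensions that Windows will run directly from an autorun launch entry.
EXEC_SUFFIXES = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}
# Keys in [autorun] that name a program to run (matched case-insensitively).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text):
    """Return the program targets an Autorun.inf body would launch.

    Only the [autorun] section is read. The first token of each launch
    value is returned (the executable without its arguments), with
    surrounding double quotes removed.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str.lower          # .inf keys are case-insensitive
    try:
        cp.read_string(text.replace("\r\n", "\n"))
    except configparser.Error:          # not an ini-style file at all
        return []
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key in LAUNCH_KEYS:
            value = cp.get(section, key, fallback=None)
            if not value:
                continue
            value = value.strip()
            if value.startswith('"'):
                target = value[1:].split('"', 1)[0]
            else:
                target = value.split()[0]
            targets.append(target)
    return targets


def is_suspicious(target):
    """True for an executable resolved relative to the share/drive root,
    i.e. the pattern described above: the dropped file lives beside the inf."""
    p = PureWindowsPath(target)
    return p.suffix.lower() in EXEC_SUFFIXES and not p.is_absolute()


def scan_inf_texts(inf_texts):
    """inf_texts: mapping of Autorun.inf path -> file content.
    Returns [(path, target)] for every relative executable launch entry."""
    findings = []
    for path, text in inf_texts.items():
        for target in parse_autorun(text):
            if is_suspicious(target):
                findings.append((path, target))
    return findings


def scan_drive(root):
    """Walk a mounted share or drive and check every Autorun.inf found."""
    texts = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "autorun.inf":
                full = os.path.join(dirpath, name)
                with open(full, "r", encoding="latin-1", errors="replace") as fh:
                    texts[full] = fh.read()
    return scan_inf_texts(texts)


# Constructed sample contents for offline use (not from any real infection).
SAMPLES = {
    r"\\fileserver\public\Autorun.inf":
        "[autorun]\nopen=dropped.exe\nicon=dropped.exe,0\n",
    r"\\fileserver\docs\Autorun.inf":
        "[AutoRun]\nshellexecute=\"Setup Files\\viewer.exe\" /quiet\n",
    r"D:\Autorun.inf":
        "[autorun]\nlabel=Photos\nicon=photos.ico\n",   # benign: no launch key
}

if __name__ == "__main__":
    for path, target in scan_inf_texts(SAMPLES):
        print(f"{path}: would launch {target}")
```

In practice, run scan_drive() against each mapped share from a clean host. Optical media legitimately ship an Autorun.inf that launches a relative setup.exe, but a writable network share normally has no reason to carry one at all, so every finding here is worth opening the referenced file and checking its hash against your AV vendor.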