hackfix-virusnews: W32/Oror-Fam / Network Worm "Roron"

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: hackfix-virusnews@xxxxxxxxxxxxx
  • Date: Wed, 06 Nov 2002 20:56:40 -0800



Name: W32/Oror-Fam
Aliases: I-Worm.Roron, I-Worm.Roron.12, I-Worm.Roron.25,
I-Worm.Roron.31, I-Worm.Roron.35, I-Worm.Roron.37,
I-Worm.Roron.39

Information from Sophos Alert System:

Type: Win32 worm
Date: 7 November 2002

A virus identity file (IDE) which provides protection is
available now from our website and will be incorporated into the
December 2002 (3.64) release of Sophos Anti-Virus.

Note: At the time of writing Sophos has received no reports from
users affected by these worms. However, we have issued this
advisory following enquiries to our support department from
customers. 

More information about W32/Oror-Fam can be found at
http://www.sophos.com/virusinfo/analyses/w32ororfam.html
_____________________
More information:
From: Kaspersky Lab News Agent
Network Worm "Roron" - Red Alert!
Kaspersky Labs, an international data security software developer,
reports the appearance of a new network worm named "Roron", constructed
in Bulgaria. Presently six variations of the worm have already been
detected and have been credited with infecting computers in many regions
including the U.S.A., Russia and a slew of European countries.

Destructive functions and features include a built-in back-door intended
for unsanctioned remote control of victim computers and the ability to
spread via many communication channels - all of which places this worm
in an especially high danger category.

"Roron" spreads using several data transfer channels: via email as an
attached file, via local area networks and the KaZaA file-sharing
network. Systems become infected only if a user manually launches
(opens) the file containing the worm that was received via one of the
aforementioned sources. When penetrating a computer, "Roron" creates a
copy of itself in the Windows system directory and Program Files and
then registers one of these files in the system registry's auto-run key.
In this way the worm ensures its activation each time the system is
booted. Sometimes, when infecting, the worm displays a false warning:


WinZip Self-Extractor License Confirmation

Your version of WinZip Self-Extractor is not licensed, or the license
information is missing or corrupted. Please contact the program vendor
or the web site (www.WinZip.com) for additional information.


After the infection routine is complete, "Roron" activates its spreading
routines: 

- To spread via e-mail it clandestinely creates a message that
may have different subjects, texts and attached file names. Then it
sends this message to the recipients whose addresses it found in the
InBox folder of the infected computer.
- To spread via local area networks the worm searches available network
resources, allocates those having file-sharing resources and copies itself
under a random name. This way "Roron" may spawn its copies to the public
file servers that may lead other network users to download these files and
infect their own machines.
- To spread via the KaZaA network the worm searches for KaZaA file-sharing
folders where it inserts its copy, thus making it available for download by
other KaZaA users.

"Roron" carries a very impressive armory of extremely dangerous payload and
backdoor functions. In case the infected computer has a mIRC client installed
(software used to access Internet Relay Chat (IRC) channels) the worm infects
it with a backdoor component. This allows a mal-intended person to gain
unauthorized remote control over the infected computer: unnoticed a
malefactor can download, upload, execute files, send out e-mail messages
on behalf of the user, etc. The backdoor component also carries a
feature for performing DoS-attacks (Denial of Service) from the infected
computer launched against other computers specified by the hacker.
Therefore, if "Roron" causes a global outbreak infecting a high number
of systems such as Tanatos (BugBear) or Lentin (Yaha), it may enable
hackers to perform massive distributed DoS-attacks even more powerful
than the huge attack occurring two weeks ago when 13 Internet "backbone"
servers were attacked, ultimately bringing nine of them temporarily
down.

"Roron" also destroys data stored on hard drives. This payload is
activated when at least one of the following conditions is fulfilled:

- the current system date is the 9th or 19th (regardless of the current
month) 
- one of the worm's core components is deleted (WINFILE.DLL) 
- the worm's Windows system registry keys are deleted 
- randomly, depending on the worm's internal counter 

"Roron" also searches for some anti-virus software programs in the operating
memory and deactivates them. In addition the worm tries to delete this
anti-virus software from the hard drive.

The defense against "Roron" has already been added to the Kaspersky
Anti-Virus databases.

For more detailed information about this malicious program and
guidelines on how to disinfect your computer, please visit the Kaspersky
Virus Encyclopedia at: http://www.viruslist.com/eng/viruslist.html?id=57811
______________________________

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see ~ http://www.mwn.ca 
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
See my Anti-Virus pages ~ http://virusinfo.hackfix.org
A Technical Support Alliance Member 
http://groups.yahoo.com/group/techsupportalliance/
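Added example, not part of Mike's post and not code from Sophos or Kaspersky: a small audit script for the two behaviours the advisory describes, an autorun registry entry pointing at a copy dropped directly in the Windows system directory or Program Files, and executables dropped into a public or KaZaA shared folder. The Run key names, the executable-extension list, the allowlist and all sample entries are assumptions, not values from the advisory (which does not say which registry key or file names the worm uses); the analysis functions work on plain data so they run anywhere, and only `live_autorun_entries()` touches a real registry, on Windows.

```python
"""
Added example (not from the advisory): audit autorun entries and a shared
folder for the persistence and spreading behaviour described in the post.
Key names, extension list and sample data are assumptions.
"""
import os
from pathlib import PureWindowsPath

# Extensions Windows will execute on double-click (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Well-known autorun keys; the advisory does not say which one Roron uses.
RUN_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
]


def command_target(command):
    """Return the executable path from a Run-key command line,
    handling quoted paths and trailing arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_executable_name(name):
    """True if the name ends in an executable extension; only the last
    suffix counts, so 'song.mp3.exe' is executable."""
    return PureWindowsPath(name).suffix.lower() in EXECUTABLE_EXTS


def flag_autorun(entries, system_dir, program_files, allowlist=frozenset()):
    """entries: (key, value_name, command) tuples.  Flags entries whose
    target sits directly in the system directory or the Program Files
    root (the two drop locations the advisory names) unless the file
    name is on the caller's allowlist of known-good autorun binaries."""
    watched = {system_dir.lower(), program_files.lower()}
    findings = []
    for key, value_name, command in entries:
        target = PureWindowsPath(command_target(command))
        if target.name.lower() in allowlist:
            continue
        if str(target.parent).lower() in watched:
            findings.append({
                "key": key,
                "value": value_name,
                "target": str(target),
                "reason": "autorun target dropped directly in " + str(target.parent),
            })
    return findings


def flag_shared_executables(listing):
    """listing: file names from a public share or KaZaA shared folder.
    A media-sharing folder should hold no executables, so every
    executable name is reported (sorted for stable output)."""
    return sorted(name for name in listing if is_executable_name(name))


def live_autorun_entries():
    """Enumerate the real Run keys.  Returns [] off Windows."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for full_key in RUN_KEYS:
        hive_name, _, subkey = full_key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive_name], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values under this key
                        break
                    entries.append((full_key, name, str(data)))
                    index += 1
        except OSError:  # key absent or not readable
            continue
    return entries


# Constructed sample data, not values from any real host or from the advisory.
SAMPLE_SYSTEM_DIR = r"C:\WINDOWS\SYSTEM32"
SAMPLE_PROGRAM_FILES = r"C:\Program Files"
SAMPLE_ALLOWLIST = frozenset({"ctfmon.exe"})  # assumed known-good autorun name
SAMPLE_AUTORUN = [
    (RUN_KEYS[1], "ctfmon", r"C:\WINDOWS\SYSTEM32\ctfmon.exe"),        # allowlisted
    (RUN_KEYS[0], "Updater", r"C:\Program Files\Vendor\update.exe"),  # in a subfolder
    (RUN_KEYS[0], "WinZipSE", r'"C:\Program Files\xkqz.exe" -s'),     # flagged
]
SAMPLE_SHARE = ["track01.mp3", "holiday.mp3.exe", "readme.txt", "Setup.SCR"]


if __name__ == "__main__":
    entries = live_autorun_entries() or SAMPLE_AUTORUN
    system_dir = os.environ.get("SystemRoot", r"C:\WINDOWS") + r"\system32"
    program_files = os.environ.get("ProgramFiles", r"C:\Program Files")
    for finding in flag_autorun(entries, system_dir, program_files, SAMPLE_ALLOWLIST):
        print("AUTORUN:", finding)
    for name in flag_shared_executables(SAMPLE_SHARE):
        print("SHARED EXECUTABLE:", name)
```

Run on a Windows host it lists whatever the Run keys contain; elsewhere it falls back to the constructed sample, where only the quoted `xkqz.exe` entry in the Program Files root is reported and both executables in the share listing are. The allowlist is deliberately the caller's responsibility: legitimate autorun binaries do live directly in the system directory, so the check is a triage aid, not a verdict.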

 

