Worm:Win32/Roron.AA@mm
First posted on 04 February 2009.
Source: SecurityHome
Aliases:
Worm:Win32/Roron.AA@mm is also known as: Win32/Oror.AE (CA), Email-Worm.Win32.Roron.4999.c (Kaspersky), W32/Oror-L (Sophos), Win32.Oror.L@mm (BitDefender), W32/Oror.af@MM (McAfee), W32.HLLW.Oror.D@mm (Symantec), WORM_OROR.L (Trend Micro).
Explanation:
Worm:Win32/Roron.AA@mm is a worm that attempts to send personal information to a remote address. It may spread via e-mail, network shares, or peer-to-peer file sharing.
Symptoms
System Changes
The following system changes may indicate the presence of Worm:Win32/Roron.AA@mm:
The presence of the following files:
%windir%\Faith.ini
sysnuht16.exe
syslog.dll
<system folder>\nhunLib.sys
%windir%\nuhta.cfg
<system folder>\Dxnuht16.dll
%windir%\Runtask32.vxd
The presence of the following registry subentry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
With data: "Sysnuht16.exe powrprof.dll,LoadCurrentPwrScheme"
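As an added triage example that is not part of the original write-up, the following Python checks a snapshot of the HKLM\Software\Microsoft\Windows\CurrentVersion\Run values and the HKCR\exefile\shell\open\command data against the indicators this page lists under Symptoms and Installation (the fixed "Sysnuht16.exe powrprof.dll,LoadCurrentPwrScheme" data, the Run/Load/Start + Profile/System/Agent value names, the Program Files subfolder naming rule, the "run" value for the System-folder copy and the exefile handler hijack). The registry snapshot is constructed sample data.

```python
import re

# Registry indicators documented on this page; the sample registry state below is constructed.
WINDIR_DATA = "Sysnuht16.exe powrprof.dll,LoadCurrentPwrScheme"
WINDIR_NAMES = {p + s for p in ("Run", "Load", "Start")
                for s in ("Profile", "System", "Agent")}   # e.g. RunProfile, StartSystem
# Program Files copy: value "<file>[16|32]" + "Agent" / " Startup" / " Loader",
# data %ProgramFiles%\<subfolder>\<first word of subfolder>[16|32].exe
PF_VALUE = re.compile(r"^(?P<base>.+?)(?:Agent| Startup| Loader)$")
PF_DATA = re.compile(r'^"?%ProgramFiles%\\(?P<sub>[^\\]+)\\(?P<file>[^\\]+?)'
                     r'(?P<num>16|32)?\.exe"?$', re.I)
CLEAN_EXEFILE = '"%1" %*'   # normal data of the exefile open command

def check_run_value(name, data):
    """Classify one value of the Run key; returns a finding string or None."""
    if data.strip('"') == WINDIR_DATA:
        return "Windows-folder copy (sysnuht16.exe) launched via value %r" % name
    if name in WINDIR_NAMES:
        return "value name %r follows the Run/Load/Start + Profile/System/Agent scheme" % name
    mv, md = PF_VALUE.match(name), PF_DATA.match(data)
    if mv and md and md["file"] == md["sub"].split()[0] \
            and mv["base"] == md["file"] + (md["num"] or ""):
        return "Program Files subfolder copy: %s" % data.strip('"')
    if name == "run" and data.strip('"').lower().endswith(".exe"):
        return "System-folder copy launched via value 'run': %s" % data.strip('"')
    return None

def check_exefile_command(data):
    """True when the exefile handler no longer equals the clean default."""
    return data.strip() != CLEAN_EXEFILE

def scan(run_values, exefile_command):
    """Findings for a dict of Run-key values plus the exefile open-command data."""
    findings = [f for n, d in run_values.items() if (f := check_run_value(n, d))]
    if check_exefile_command(exefile_command):
        findings.append("exefile handler hijacked: %s" % exefile_command)
    return findings

SAMPLE_RUN = {   # constructed: mirrors the page's examples plus one benign entry
    "RunProfile": '"Sysnuht16.exe powrprof.dll,LoadCurrentPwrScheme"',
    "Sample16 Startup": '"%ProgramFiles%\\Sample Program\\Sample16.exe"',
    "run": '"C:\\Windows\\System32\\mydll.exe"',
    "VendorUpdater": '"C:\\Program Files\\Vendor App\\updater.exe" /quiet',
}
SAMPLE_EXEFILE = 'Sysnuht16.exe "%1" %*'

if __name__ == "__main__":
    for finding in scan(SAMPLE_RUN, SAMPLE_EXEFILE):
        print(finding)
```

The Program Files rule is a heuristic that can also match a legitimate "<Name>Agent" value whose data follows the same layout, so treat that finding as a lead to confirm on disk rather than a verdict.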
Installation
When executed, Worm:Win32/Roron.AA@mm checks whether a copy of itself is already running from the System, Windows, or Program Files folders. If no running copy is found, it copies itself to the Windows folder as "sysnuht16.exe". It may also drop a DLL component in the System folder as "syslog.dll". Worm:Win32/Roron.AA@mm modifies the system registry so that it executes every time Windows starts:
Adds value: <value name>
With data: "Sysnuht16.exe powrprof.dll,LoadCurrentPwrScheme"
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Where <value name> is one of these strings:
Run
Load
Start
suffixed by one of these strings:
Profile
System
Agent
For example, "RunProfile" or "StartSystem". It then displays one of four dialog boxes. To ensure that its copy is run every time an executable file is run, it modifies the following registry entry:
Modifies value: "(Default)"
With data: "Sysnuht16.exe "%1" %*"
To subkey: HKCR\exefile\shell\open\command
Program Files Subfolder Copy
Worm:Win32/Roron.AA@mm may also copy itself to a subfolder within the Program Files folder. The file name it uses for its copy consists of the first word of the subfolder name, optionally followed by "16" or "32". For example, if a subfolder exists named "Sample Program", the Roron.AA copy may have any of the following filenames:
%ProgramFiles%\Sample Program\Sample.exe
%ProgramFiles%\Sample Program\Sample16.exe
%ProgramFiles%\Sample Program\Sample32.exe
It then modifies the system registry so that its copy in the Program Files subfolder also automatically executes every time Windows starts:
Adds value: <value name>
With data: <location and file name of copy within the Program Files subfolder>
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Where <value name> is the name of the EXE copy appended with one of the following:
"Agent"
" Startup"
" Loader"
Note that the last two of these have a leading space, but the first does not. For example, the following entry may be created:
Adds value: "Sample16 Startup"
With data: "%ProgramFiles%\Sample Program\Sample16.exe"
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System Folder Copy
Worm:Win32/Roron.AA@mm may also copy itself to the System folder. It selects a file within this folder and copies itself using that file's name, optionally followed by "16" or "32". For example, if a file exists named "mydll.dll", the Roron.AA copy may have any of the following filenames:
<system folder>\mydll.exe
<system folder>\mydll16.exe
<system folder>\mydll32.exe
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP and Vista.
It then modifies the system registry so that its copy in the System folder also automatically executes every time Windows starts:
Adds value: run
With data: <location and file name of copy within the System folder>
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
For example, the following entry may be created:
Adds value: "run"
With data: "<system folder>\mydll.exe"
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Once Roron.AA has created its copies in the Program Files subfolder and the System folder, it launches "sysnuht16.exe". It periodically monitors whether its copies and corresponding autostart entries have been removed and, if so, may replace them. Roron.AA creates the mutex "DangalakMutex" to ensure that no more than one copy runs at a time.
Spreads Via...
Network Shares
Worm:Win32/Roron.AA@mm periodically attempts to create a single copy of itself in subfolders of network shares if their folder names begin with any of the following strings:
WINDOWS
WIN
WIN95
WIN98
WINME
Its copies have file names consisting of any of the following strings:
PcDudes
BritneyUltimate
Pamela 3D_
Britney Suxx
KamaSutra
LaFemmeNikita
Teen Sex Cam
Lolita
Pam Anderson Theme
Sexy Teens Desktop
SexSpy
Anal Explorer
Hot Blondies
Strip Kournikova
KaZaA Media Desktop v2.2_
Serials 2K 7.2 (by SNTeam)_
Serials2002_8.0(17.08.02)_
Dreamweaver_MX_Update_
ACDSee
WinAmp_3.2_Cool_
Download Accelerator 5.5_
Nero Burning Rom 5.7.0.1_
cRedit_CarDs_gEn
MeGa HACK
Zip Password Recovery
GTA 3 Bonus Cars(part1)_
EminemDesktop
DMX tHeMe
NFS 6 Bonus Cars_
Counter Strike 1.5 (Hackz)_
Madonna Desktop
WinZip 8.2_
DivX 5.5 Bundle_
followed by a string chosen from the following list:
(sHow)
3D
3.0
(Eng)
v4.5
(Rated)
7.1 FULL
v5.5
(zip)
3.0
(Cracked)
3.3
_v1.1
The files may have either an EXE or SCR extension, for example "PcDudes3D.scr" or "DMX tHeMe3.0.exe". Roron.AA may concatenate multiple copies of itself to its created files in the network shares to produce files of varying sizes. It also attempts to make its copies run automatically when the system hosting the network share is restarted. To do this, it looks for the file "win.ini" and adds lines that effectively add the following registry entry:
Adds value: "run"
With data: "<file name of copy within the network share in 8.3 filename format>"
To key: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Roron.AA may also attempt to place a hidden autorun.inf file in the root directory of the share.
Peer to Peer File Sharing
If Kazaa is present on the system, Worm:Win32/Roron.AA@mm attempts to spread using P2P file sharing. It makes sure file sharing is enabled by setting the following registry value:
Modifies value: "DisableSharing"
With data: "0"
To subkey: HKCU\SOFTWARE\Kazaa\LocalContent
It creates a folder under %windir%\profiles and makes it available for file sharing by adding the following registry entry:
Adds value: Dir<digit>
With data: 012345:%windir%\profiles
To subkey: HKCU\SOFTWARE\Kazaa\LocalContent
Where <digit> represents a digit not already used for a shared directory registry entry. Roron.AA then periodically copies itself to the %windir%\profiles folder, choosing filenames in the same manner as for network shares.
E-mail
Worm:Win32/Roron.AA@mm checks the sender's and recipient's locales and sends different e-mails to Bulgarian users than to those based elsewhere. It attaches itself to e-mails with the following details:
Sender Name
Unless specified in the "Message" section below, the sender name is chosen as one of the following:
dreamy
candy_f
bryan16
jerry
baby_17
neo
trish1
linda17
monica
nicole
angel_f
mellany
iguana17
blade
badgirl
wizzard
blue16
tweety
alice
jane17
badboy
rap_girl
CrazyGirl
steve
happy
amanda
crazy
mickey
lady_f
alex15
sunny
dave
panda_f
This is followed by one of the following domain names:
• hotmail.com
• yahoo.com
• mail.com
• yahoo.co.uk
• usa.net
• europe.com
• aol.com
Attachment Name
The Roron.AA worm attaches a copy of itself to the e-mail. Unless specified in the "Message" section below, the attachment filename is generated using the same method described above in the "Network Shares" section.
Subject Name
Unless specified in the "Message" section below, the subject line is selected as one of the following if the sender's and recipient's locales are not Bulgaria:
HeY
ZzZz
Bla Bla
HoWie
Happy
Hi Again
Wow
Just A Letter
Hello
Hey Ya
Boom
Hi There
If the locale is Bulgaria, the subject line is selected as one of the following:
Zdrasti
Zdr Otnovo
Ohoo
Ei
Pisamce
TinKi WinKy
ZzZz
Bla Bla
Hey
Privet
Boom
Any of the subject lines above may be followed by one of the following:
..
!!
:)
;))
:pP
~pPp
:>
!
;)
Messages
The following are sample messages sent out by this worm.

Sender: greetings@reply.yahoo.com
Subject: <name> sent you a Yahoo! Greeting_
Body: Surprise! You've just received a Yahoo! Greeting
from "<name>"!
This is an interactive greeting card
and requires Flash Media Player.
Enjoy!
The Yahoo! Greetings Team.
Attachment Name: Yahoo!Winter.exe or Yahoo!Christmas.exe

Sender: support@winamp.com
Subject: WinAmp Team Presents_
Body: Hello, WinAmp User. WinAmp Team is proud to present our new
service for users of WinAmp. WinAmp 3.0 Final has been just
released and we believe that it will be the player you've ever
dreamed about.
We plan to start a new tradition, sending the best skin or
add-on to our users every week. This new service is free and
we hope that you would like it.
Everyone can offer us suggestions.
We do our best to serve you.
----------------
WinAmp Team.
www.WinAmp.com
Attachment Name: RedEyez2_skin.exe or Iguana2_skin.exe

Body: Hi again ;)) Where are you? Don't you chat any more? I haven't
seen you so long :)) Well, I've got a lot to tell you about. The
Summer vacation was too good to be true. Beach, disco's, friends..
Unfortunately, it's Winter now and the temperatures here are very
low. I was ill almost 2 weeks. Quite unpleasant :(( I sent you a
surprise :)) Vote for Pink and Robbie Williams, they're great ;)
Finally, how are you? Write to me :)) Byeee.. :pP

Sender: greetings@e-cards.com
Subjects: Reveal who you are
Explore your soul
Body: Hello, if you are reading this letter, it means that a friend
of yours has sent it to you. The idea is to help you realize who
you are indeed. This is an interactive variant, based on the
original tests of Dhalai Lama, a great indian philosopher.
Before you open the test, you should make a wish. Answer to
the 5 questions honestly, after that you will recieve a number.
If you want your wish to come true you must send this letter
to that count of your friends. You can make the test only
once, because after that the results won't be fair.
"If you want to enter the other's world,
you should explore your soul first" - Dhalai Lama.
P.S. This test is for personal use only, and should not
be used with commercial purposes.
Attachment Name: Friends.exe

Sender: support@games.yahoo.com
Subject: Yahoo!Games_
Body: Yahoo! Team is proud to present our new surprise
for the clients of Yahoo! and Yahoo! Mail.
We plan to send you the best Yahoo! Games weekly.
This new service is free and it's a gift for the 10th
anniversary of Yahoo!. We hope you would like it.
The whole Yahoo! Team wants to express our gratitude to
you, the people who helped us to improve Yahoo! so much,
that it became the most popular worldwide portal.
Thank You!
We do our best to serve you.
------------------
Yahoo! Team.
www.Yahoo.com
Attachment Name: Yahoo!Baseball.exe

Sender: support@mcafee.com
Subject: McAfee Antivirus Monthly Report_
Body: McAfee Antivirus warns about several new viruses exploiting
Microsoft Internet Explorer. They register themselves as ActiveX
controls and subsequently grant access to the local resources of
the visitors. This type of internet viruses is very dangerous,
because they delete various files of the operating system.
Due to the significant increase of viruses exploiting this vulnerability,
McAfee Antivirus supports clients of Microsoft Windows with
patch, which
fixes this bug in Internet Explorer 5.5 and minor versions. Customers who
have applied this patch are already protected against the vulnerability
and do not need to take additional action.
-----------------
McAfee Antivirus
www.McAfee.com
Attachment Name: IE_0276_Setup.exe

Sender: support@yahoo.com
Subject: Yahoo! Toolbar_
Body: Yahoo! Team is proud to present its new service
for clients of Yahoo! and Yahoo! Mail.
Yahoo! Toolbar is an innovative technology, which
helps you access Yahoo! Services easier than ever before.
It's free and is a gift for the 10th anniversary of Yahoo!.
We hope you would like it.
The whole Yahoo! Team wants to express its gratitude to
you, the people who helped us to improve Yahoo! so much,
that it became the most popular worldwide portal.
Thank You!
We do our best to serve you.
---------------
Yahoo! Team.
www.Yahoo.com
Attachment Name: Yahoo!Toolbar.exe

Body: Hi again :)) Where are you? Don't you chat any more? I haven't
seen you so long.. Well, I've got a lot to tell you about. The
Winter vacation was too good to be true. Disco's, friends, fun..
Unfortunately, the temperatures here are very low now and I was
ill almost 2 weeks. Quite unpleasant :(( Let's talk about you :)
Are you oK? Are you in love :)) I sent you a surprise :)) It's nice.
I'm a little bit bored of these stupid computers, but I'm waiting
for the reply :)) Bye..

Subject: Blondes Rullz
Attachment Name: Blondes.scr

Subject: Blondinki
Attachment Name: Blondes.scr

Sender: greetings@kefche.com
Subject: Preotkrii sebe si Priqteli
Attachment Name: Faith.exe

Sender: support@kefche.com
Subject: Kefche.com_

Sender: support@microsoft.com
Subject: Microsoft Bulgaria_
Attachment Name: IE_0273_bg.exe

Sender: alert@computel.bg
Subject: Vajno_
Attachment Name: IE55_032.exe
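The copy-naming scheme described above (a base name from the Network Shares list, a suffix from the second list, and an .exe or .scr extension), which the page says is reused for the Kazaa folder and for e-mail attachments, expressed as a matcher, together with a parser for the win.ini run= line the worm adds on the share host. This is an added example, not code from the original analysis; SAMPLE_BASES and SAMPLE_SUFFIXES hold only a few entries from the lists above and the win.ini text is constructed.

```python
import re

def build_copy_name_pattern(bases, suffixes):
    """Compile a matcher for <base><suffix>.exe|.scr names.
    re.escape matters: the page's base names contain '(', ')' and '.' characters."""
    alt_b = "|".join(re.escape(b) for b in bases)
    alt_s = "|".join(re.escape(s) for s in set(suffixes))
    return re.compile(r"^(?P<base>%s)(?P<suffix>%s)\.(?:exe|scr)$" % (alt_b, alt_s), re.I)

def win_ini_run_entries(text):
    """Return non-empty run=/load= values from the [windows] section of win.ini.
    On NT these map to HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows;
    the worm adds a run= line pointing at its 8.3-format copy name."""
    entries, in_windows = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_windows = line.lower() == "[windows]"
            continue
        if in_windows and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() in ("run", "load") and value:
                entries.append((key.lower(), value))
    return entries

# A few of the base names and suffixes from the Network Shares section (full lists above).
SAMPLE_BASES = ["PcDudes", "DMX tHeMe", "Nero Burning Rom 5.7.0.1_", "GTA 3 Bonus Cars(part1)_"]
SAMPLE_SUFFIXES = ["(sHow)", "3D", "3.0", "(Cracked)", "_v1.1"]
COPY_NAME = build_copy_name_pattern(SAMPLE_BASES, SAMPLE_SUFFIXES)

# Constructed win.ini contents, not taken from a real machine.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=PCDUDE~1.SCR\nNullPort=None\n[Desktop]\nWallpaper=(None)\n"

def is_roron_copy_name(filename, pattern=COPY_NAME):
    """True if the file name follows the documented base+suffix+ext scheme."""
    return pattern.match(filename) is not None
```

Because the worm concatenates extra copies of itself to share files, file size and hash vary between copies, which is why name and win.ini checks are used here rather than size.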
Payload
Steals Sensitive Information
Worm:Win32/Roron.AA@mm attempts to collect personal information from fixed drives and send it to a remote user, who may be a user of one of the following servers:
bitex.bg
mailbg.com
abv.bg
mail.bg
priatel.com
It searches for files containing the following strings:
visa
credit
bnc
spoof
login
user
pass
account
cc
cc-
cc's
visa
credit
kreditkarte
cardnumber
cardtype
address
expire
cvv2
charge
billing
bay
payment
secret
login
cash
important
stuff
It also attempts to retrieve cached passwords.
Harvests E-mail Addresses
Roron.AA also searches for files with the following extensions, possibly to allow e-mail address harvesting:
ods
mmf
nch
mbx
tbb
dbx
wab
Terminates Security Processes
Roron.AA periodically attempts to close windows of running programs if their window titles contain any of the following strings:
black
panda
shield
guard
scan
mcafee
nai_vs_stat
iomon
navap
avp
alarm
f-prot
secure
labs
antivir
It also terminates running processes whose file names contain any of the following strings:
virus
norton
black
cillin
pc
labs
zone
firewall
mcafee
guard
esafe
lockdown
conseal
antivir
f-secure
f-prot
fprot
kaspersky
avp
panda
Deletes Security-Related Files
Roron.AA also examines fixed disks for files whose full pathnames contain the strings listed above, and may attempt to delete these files if found.
Backdoor Functionality
If the user has an IRC client installed, Worm:Win32/Roron.AA@mm may attempt to modify the user's configuration files to automatically perform specified activities, including the following:
• Send and receive files to/from other users
• Launch denial of service attacks
• Send private messages to other users, requesting that they download specified URLs
• Log conversations and other user information
• Shut down or restart the system
• Execute files on the system
• Update configuration information of the worm
Some instructions related to these activities may be obtained from a file that Roron.AA downloads from a page on geocities.com.
Additional Information
Worm:Win32/Roron.AA@mm stores configuration and status information in the following files:
%windir%\Faith.ini
<system folder>\nhunLib.sys
%windir%\nuhta.cfg
<system folder>\Dxnuht16.dll
%windir%\Runtask32.vxd
Analysis by David Wood
Last update 04 February 2009