
Worm:Win32/Roron.AA@mm


First posted on 04 February 2009.
Source: SecurityHome

Aliases :

Worm:Win32/Roron.AA@mm is also known as: Win32/Oror.AE (CA), Email-Worm.Win32.Roron.4999.c (Kaspersky), W32/Oror-L (Sophos), Win32.Oror.L@mm (BitDefender), W32/Oror.af@MM (McAfee), W32.HLLW.Oror.D@mm (Symantec), WORM_OROR.L (Trend Micro).

Explanation :

Worm:Win32/Roron.AA@mm is a worm that attempts to send personal information to a remote address. It may spread via e-mail, network shares, or peer-to-peer file sharing.

Symptoms
System Changes
The following system changes may indicate the presence of Worm:Win32/Roron.AA@mm:

  • The presence of the following files:
    %windir%\sysnuht16.exe
    <system folder>\syslog.dll
    %windir%\Faith.ini
    <system folder>\hunLib.sys
    %windir%\uhta.cfg
    <system folder>\Dxnuht16.dll
    %windir%\Runtask32.vxd
  • The presence of the following registry entry:
    Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    With data: "Sysnuht16.exe powrprof.dll,LoadCurrentPwrScheme"
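To turn the indicators above (together with the autostart entries detailed in the Installation and Peer-to-Peer sections below) into a repeatable check, the following is an added example, not code from the original analysis. It parses the text produced by `reg export` and the contents of win.ini and reports entries that match the page's description. The registry export, the win.ini contents and the "Sample Program" path are constructed for illustration; the `run` value check and the value-name scheme check are heuristics and are labelled as such in the output. On a real host `reg export` writes UTF-16 text, so read the file with `encoding="utf-16"` before handing it to `parse_reg_export`.

```python
"""Scan a Windows registry export and a win.ini for the Roron.AA autostart
indicators described on this page.  Added example, not code from the original
analysis; the export and win.ini below are constructed, not captured."""
import re
from itertools import product

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
KAZAA_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Kazaa\LocalContent"

# Value names for the Windows-folder copy: (Run|Load|Start) + (Profile|System|Agent)
WINDOWS_COPY_VALUE_NAMES = {a + b for a, b in
                            product(("Run", "Load", "Start"), ("Profile", "System", "Agent"))}
# Suffixes appended to the Program Files copy's name; the last two carry a leading space
PROGRAM_FILES_SUFFIXES = ("Agent", " Startup", " Loader")

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Minimal parser for 'reg export' output: {key_path: {value_name: data}}.
    The default value is stored under "@"; only string ("...") data is handled,
    which covers every entry this page describes."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _unescape(m.group(3))
    return keys


def find_roron_indicators(reg):
    """Return (key, value_name, reason) tuples for entries matching the page's indicators."""
    reg = {k.lower(): v for k, v in reg.items()}  # registry key paths are case-insensitive
    hits = []
    for name, data in reg.get(RUN_KEY.lower(), {}).items():
        low = data.lower()
        if "sysnuht16.exe" in low:
            hits.append((RUN_KEY, name, "Windows-folder copy sysnuht16.exe"))
        elif name in WINDOWS_COPY_VALUE_NAMES:
            hits.append((RUN_KEY, name, "Run/Load/Start + Profile/System/Agent value name (heuristic)"))
        elif name.lower() == "run":
            hits.append((RUN_KEY, name, "System-folder copy ('run' value; heuristic)"))
        elif any(name.endswith(sfx) and low.endswith("\\" + name[:-len(sfx)].lower() + ".exe")
                 for sfx in PROGRAM_FILES_SUFFIXES):
            hits.append((RUN_KEY, name, "Program Files copy (<exe name> + Agent/ Startup/ Loader)"))
    cmd = reg.get(EXEFILE_KEY.lower(), {}).get("@")
    if cmd is not None and not cmd.lstrip().startswith('"%1"'):
        # The clean value is "%1" %*; anything in front of it runs on every .exe launch
        hits.append((EXEFILE_KEY, "(Default)", "exefile handler hijacked: " + cmd))
    kazaa = reg.get(KAZAA_KEY.lower(), {})
    if kazaa.get("DisableSharing") == "0":
        hits.append((KAZAA_KEY, "DisableSharing", "Kazaa sharing forced on"))
    for name, data in kazaa.items():
        # On disk the page's %windir% placeholder is an expanded path such as C:\WINDOWS\profiles
        if re.fullmatch(r"Dir\d", name) and data.lower().endswith("\\profiles"):
            hits.append((KAZAA_KEY, name, "Kazaa share of <Windows folder>\\profiles"))
    return hits


def winini_autostart(text):
    """Return the non-empty run= and load= lines of win.ini's [windows] section, which
    the worm uses to persist on the machine hosting a writable network share."""
    section, found = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            k, v = (p.strip() for p in line.split("=", 1))
            if k.lower() in ("run", "load") and v:
                found[k.lower()] = v
    return found


# Constructed samples of what an infected export and win.ini could look like
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"StartSystem"="Sysnuht16.exe powrprof.dll,LoadCurrentPwrScheme"
"Sample16 Startup"="C:\\Program Files\\Sample Program\\Sample16.exe"
"run"="C:\\WINDOWS\\System32\\mydll.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="Sysnuht16.exe \"%1\" %*"

[HKEY_CURRENT_USER\SOFTWARE\Kazaa\LocalContent]
"DisableSharing"="0"
"Dir0"="012345:C:\\WINDOWS\\profiles"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=PCDUDE~1.SCR\n[Desktop]\nWallpaper=(None)\n"

if __name__ == "__main__":
    for hit in find_roron_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(*hit, sep=" | ")
    print(winini_autostart(SAMPLE_WIN_INI))
```

Note that the legitimate "LoadPowerProfile" value in the sample is not reported: only the entry that swaps the worm's file name in for Rundll32.exe is. Before deleting sysnuht16.exe on a host where the exefile check fires, restore the default handler data to "%1" %*, or no .exe will launch afterwards.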



    Installation
    When executed, Worm:Win32/Roron.AA@mm checks whether a copy of itself is already running from the System, Windows, or Program Files folders. If no running copy is found, it copies itself to the Windows folder as "sysnuht16.exe". It may also drop a DLL component in the System folder as "syslog.dll". Worm:Win32/Roron.AA@mm then modifies the system registry so that it executes every time Windows starts:

    Adds value: <value name>
    With data: "Sysnuht16.exe powrprof.dll,LoadCurrentPwrScheme"
    Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Where <value name> is one of these strings:
    • Run
    • Load
    • Start
    suffixed by one of these strings:
    • Profile
    • System
    • Agent
    For example, "RunProfile" or "StartSystem". The data mimics the legitimate Windows 9x/Me "LoadPowerProfile" autostart entry ("Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"), with the worm's file name in place of Rundll32.exe, so the entry is easy to overlook when reviewing the Run key. It then displays one of four dialog boxes.

    To ensure that its copy is run every time an executable file is run, it modifies the following registry entry:

    Modifies value: "(Default)"
    With data: "Sysnuht16.exe "%1" %*"
    Under key: HKCR\exefile\shell\open\command

    Because this value is the handler for every .exe file, deleting "sysnuht16.exe" without first restoring the default data ("%1" %*) leaves the system unable to launch executables.

    Program Files Subfolder Copy
    Worm:Win32/Roron.AA@mm may also copy itself to a subfolder within the Program Files folder. The file name it uses for its copy consists of the first word of the subfolder name, optionally followed by "16" or "32". For example, if a subfolder exists named "Sample Program", the Roron.AA copy may have any of the following file names:
    %ProgramFiles%\Sample Program\Sample.exe
    %ProgramFiles%\Sample Program\Sample16.exe
    %ProgramFiles%\Sample Program\Sample32.exe

    It then modifies the system registry so that its copy in the Program Files subfolder also executes automatically every time Windows starts:

    Adds value: <value name>
    With data: <location and file name of copy within the Program Files subfolder>
    Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Where <value name> is the name of the EXE copy followed by one of these strings:
    • "Agent"
    • " Startup"
    • " Loader"
    Note that the last two have a leading space, but the first does not. For example, the following entry may be created:

    Adds value: "Sample16 Startup"
    With data: "%ProgramFiles%\Sample Program\Sample16.exe"
    Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    System Folder Copy
    Worm:Win32/Roron.AA@mm may also copy itself to the System folder. It selects a file within this folder and copies itself using that file's base name, optionally followed by "16" or "32". For example, if a file exists named "mydll.dll", the Roron.AA copy may have any of the following file names:
    <system folder>\mydll.exe
    <system folder>\mydll16.exe
    <system folder>\mydll32.exe

    Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Vista.

    It then modifies the system registry so that its copy in the System folder also executes automatically every time Windows starts:

    Adds value: "run"
    With data: <location and file name of copy within the System folder>
    Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    For example, the following entry may be created:

    Adds value: "run"
    With data: "<system folder>\mydll.exe"
    Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Once Roron.AA has created its copies in the Program Files subfolder and the System folder, it launches "sysnuht16.exe". It periodically checks whether its copies and their autostart entries have been removed and, if so, may recreate them, so removing a single file or registry value while the worm is still running is not sufficient. Roron.AA creates the mutex "DangalakMutex" to ensure that no more than one copy runs at a time.

    Spreads Via...

    Network Shares
    Worm:Win32/Roron.AA@mm periodically attempts to create a single copy of itself in subfolders of network shares if their folder names begin with any of the following strings:
    WINDOWS
    WIN
    WIN95
    WIN98
    WINME

    Its copies have file names consisting of any of the following strings:
    PcDudes
    BritneyUltimate
    Pamela 3D_
    Britney Suxx
    KamaSutra
    LaFemmeNikita
    Teen Sex Cam
    Lolita
    Pam Anderson Theme
    Sexy Teens Desktop
    SexSpy
    Anal Explorer
    Hot Blondies
    Strip Kournikova
    KaZaA Media Desktop v2.2_
    Serials 2K 7.2 (by SNTeam)_
    Serials2002_8.0(17.08.02)_
    Dreamweaver_MX_Update_
    ACDSee
    WinAmp_3.2_Cool_
    Download Accelerator 5.5_
    Nero Burning Rom 5.7.0.1_
    cRedit_CarDs_gEn
    MeGa HACK
    Zip Password Recovery
    GTA 3 Bonus Cars(part1)_
    EminemDesktop
    DMX tHeMe
    NFS 6 Bonus Cars_
    Counter Strike 1.5 (Hackz)_
    Madonna Desktop
    WinZip 8.2_
    DivX 5.5 Bundle_

    followed by a string chosen from the following list:
    (sHow)
    3D
    3.0
    (Eng)
    v4.5
    (Rated)
    7.1 FULL
    v5.5
    (zip)
    3.0
    (Cracked)
    3.3
    _v1.1

    The files may have either an EXE or SCR extension, for example "PcDudes3D.scr" or "DMX tHeMe3.0.exe". Roron.AA may append multiple copies of itself to the files it creates on network shares, producing files of varying sizes, so a fixed file size is not a reliable indicator for these copies. It also attempts to make its copies run automatically when the system hosting the network share is restarted. To do this, it looks for the file "win.ini" and adds lines that have the same effect as the following registry entry:

    Adds value: "run"
    With data: "<file name of copy within the network share in 8.3 filename format>"
    Under key: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows

    Roron.AA may also attempt to place a hidden autorun.inf file in the root directory of the share.

    Peer-to-Peer File Sharing
    If Kazaa is present on the system, Worm:Win32/Roron.AA@mm attempts to spread using P2P file sharing. It makes sure file sharing is enabled by setting the following registry value:

    Modifies value: "DisableSharing"
    With data: "0"
    Under key: HKCU\SOFTWARE\Kazaa\LocalContent

    It creates a folder under %windir%\profiles and makes it available for file sharing by adding the following registry entry:

    Adds value: Dir<digit>
    With data: 012345:%windir%\profiles
    Under key: HKCU\SOFTWARE\Kazaa\LocalContent

    Where <digit> represents a digit not already used for a shared-directory registry entry. Roron.AA then periodically copies itself to the %windir%\profiles folder, choosing file names in the same manner as for network shares.

    E-mail
    Worm:Win32/Roron.AA@mm checks the sender's and recipient's locales and sends different e-mails to Bulgarian users than to users based elsewhere. It attaches itself to e-mails with the following details:

    Sender Name
    Unless specified in the "Messages" section below, the sender name is chosen as one of the following:
    dreamy
    candy_f
    bryan16
    jerry
    baby_17
    neo
    trish1
    linda17
    monica
    nicole
    angel_f
    mellany
    iguana17
    blade
    badgirl
    wizzard
    blue16
    tweety
    alice
    jane17
    badboy
    rap_girl
    CrazyGirl
    steve
    happy
    amanda
    crazy
    mickey
    lady_f
    alex15
    sunny
    dave
    panda_f

    This is followed by "@" and one of the following domain names:
    • hotmail.com
    • yahoo.com
    • mail.com
    • yahoo.co.uk
    • usa.net
    • europe.com
    • aol.com

    Attachment Name
    Roron.AA attaches a copy of itself to the e-mail. Unless specified in the "Messages" section below, the attachment file name is generated using the same method described above in the "Network Shares" section.

    Subject Line
    Unless specified in the "Messages" section below, the subject line is selected as one of the following if the sender's and recipient's locales are not Bulgaria:
    HeY
    ZzZz
    Bla Bla
    HoWie
    Happy
    Hi Again
    Wow
    Just A Letter
    Hello
    Hey Ya
    Boom
    Hi There

    If the locale is Bulgaria, the subject line is selected as one of the following:
    Zdrasti
    Zdr Otnovo
    Ohoo
    Ei
    Pisamce
    TinKi WinKy
    ZzZz
    Bla Bla
    Hey
    Privet
    Boom

    Any of the subject lines above may be followed by one of the following strings:
    ..
    !!
    :)
    ;))
    :pP
    ~pPp
    :>
    !
    ;)

    Messages
    The following are sample messages sent by this worm.

    Sender: greetings@reply.yahoo.com
    Subject: <name> sent you a Yahoo! Greeting_
    Body: Surprise! You've just received a Yahoo! Greeting
    from "<name>"!
    This is an interactive greeting card
    and requires Flash Media Player.
    Enjoy!
    The Yahoo! Greetings Team.
    Attachment Name: Yahoo!Winter.exe or Yahoo!Christmas.exe
    ===
    Sender: support@winamp.com
    Subject: WinAmp Team Presents_
    Body: Hello, WinAmp User. WinAmp Team is proud to present our new
    service for users of WinAmp. WinAmp 3.0 Final has been just
    released and we believe that it will be the player you've ever
    dreamed about.
    We plan to start a new tradition, sending the best skin or
    add-on to our users every week. This new service is free and
    we hope that you would like it.
    Everyone can offer us suggestions.
    We do our best to serve you.
    ----------------
    WinAmp Team.
    www.WinAmp.com
    Attachment Name: RedEyez2_skin.exe or Iguana2_skin.exe
    ===
    Body: Hi again ;)) Where are you? Don't you chat any more? I haven't
    seen you so long :)) Well, I've got a lot to tell you about. The
    Summer vacation was too good to be true. Beach, disco's, friends..
    Unfortunately, it's Winter now and the temperatures here are very
    low. I was ill almost 2 weeks. Quite unpleasant :(( I sent you a
    surprise :)) Vote for Pink and Robbie Williams, they're great ;)
    Finally, how are you? Write to me :)) Byeee.. :pP
    ===
    Sender: greetings@e-cards.com
    Subjects: Reveal who you are
    Explore your soul
    Body: Hello, if you are reading this letter, it means that a friend
    of yours has sent it to you. The idea is to help you realize who
    you are indeed. This is an interactive variant, based on the
    original tests of Dhalai Lama, a great indian philosopher.
    Before you open the test, you should make a wish. Answer to
    the 5 questions honestly, after that you will recieve a number.
    If you want your wish to come true you must send this letter
    to that count of your friends. You can make the test only
    once, because after that the results won't be fair.
    "If you want to enter the other's world,
    you should explore your soul first" - Dhalai Lama.
    P.S. This test is for personal use only, and should not
    be used with commercial purposes.
    Attachment Name: Friends.exe
    ===
    Sender: support@games.yahoo.com
    Subject: Yahoo!Games_
    Body: Yahoo! Team is proud to present our new surprise
    for the clients of Yahoo! and Yahoo! Mail.
    We plan to send you the best Yahoo! Games weekly.
    This new service is free and it's a gift for the 10th
    anniversary of Yahoo!. We hope you would like it.
    The whole Yahoo! Team wants to express our gratitude to
    you, the people who helped us to improve Yahoo! so much,
    that it became the most popular worldwide portal.
    Thank You!
    We do our best to serve you.
    ------------------
    Yahoo! Team.
    www.Yahoo.com
    Attachment Name: Yahoo!Baseball.exe
    ===
    Sender: support@mcafee.com
    Subject: McAfee Antivirus Monthly Report_
    Body: McAfee Antivirus warns about several new viruses exploiting
    Microsoft Internet Explorer. They register themselves as ActiveX
    controls and subsequently grant access to the local resources of
    the visitors. This type of internet viruses is very dangerous,
    because they delete various files of the operating system.
    Due to the significant increase of viruses exploiting this vulnerability,
    McAfee Antivirus supports clients of Microsoft Windows with
    patch, which
    fixes this bug in Internet Explorer 5.5 and minor versions. Customers who
    have applied this patch are already protected against the vulnerability
    and do not need to take additional action.
    -----------------
    McAfee Antivirus
    www.McAfee.com
    Attachment Name: IE_0276_Setup.exe
    ===
    Sender: support@yahoo.com
    Subject: Yahoo! Toolbar_
    Body: Yahoo! Team is proud to present its new service
    for clients of Yahoo! and Yahoo! Mail.
    Yahoo! Toolbar is an innovative technology, which
    helps you access Yahoo! Services easier than ever before.
    It's free and is a gift for the 10th anniversary of Yahoo!.
    We hope you would like it.
    The whole Yahoo! Team wants to express its gratitude to
    you, the people who helped us to improve Yahoo! so much,
    that it became the most popular worldwide portal.
    Thank You!
    We do our best to serve you.
    ---------------
    Yahoo! Team.
    www.Yahoo.com
    Attachment Name: Yahoo!Toolbar.exe
    ===
    Body: Hi again :)) Where are you? Don't you chat any more? I haven't
    seen you so long.. Well, I've got a lot to tell you about. The
    Winter vacation was too good to be true. Disco's, friends, fun..
    Unfortunately, the temperatures here are very low now and I was
    ill almost 2 weeks. Quite unpleasant :(( Let's talk about you :)
    Are you oK? Are you in love :)) I sent you a surprise :)) It's nice.
    I'm a little bit bored of these stupid computers, but I'm waiting
    for the reply :)) Bye..
    ===
    Subject: Blondes Rullz
    Attachment Name: Blondes.scr
    ===
    Subject: Blondinki
    Attachment Name: Blondes.scr
    ===
    Sender: greetings@kefche.com
    Subject: Preotkrii sebe si Priqteli
    Attachment Name: Faith.exe
    ===
    Sender: support@kefche.com
    Subject: Kefche.com_
    ===
    Sender: support@microsoft.com
    Subject: Microsoft Bulgaria_
    Attachment Name: IE_0273_bg.exe
    ===
    Sender: alert@computel.bg
    Subject: Vajno_
    Attachment Name: IE55_032.exe
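The e-mail, Network Shares and Peer-to-Peer sections above share one naming scheme (stem + suffix + .exe/.scr) and the e-mail section adds sender, subject and template patterns. The following is an added example, not code from the original analysis, that encodes those lists as patterns and reports which of them a message matches; it is the mail-filter counterpart to the page's host indicators. The three sample messages are constructed. The page does not say whether a space separates a subject from its emoticon trailer, so the pattern accepts both forms (an assumption, noted in the code).

```python
"""Match an e-mail's sender, subject and attachment name against the Roron.AA
lure patterns on this page.  Added example, not part of the original analysis;
the sample messages at the bottom are constructed."""
import re

SENDER_NAMES = ("dreamy candy_f bryan16 jerry baby_17 neo trish1 linda17 monica nicole angel_f "
                "mellany iguana17 blade badgirl wizzard blue16 tweety alice jane17 badboy rap_girl "
                "CrazyGirl steve happy amanda crazy mickey lady_f alex15 sunny dave panda_f").split()
SENDER_DOMAINS = "hotmail.com yahoo.com mail.com yahoo.co.uk usa.net europe.com aol.com".split()
SUBJECTS = {"HeY", "ZzZz", "Bla Bla", "HoWie", "Happy", "Hi Again", "Wow", "Just A Letter", "Hello",
            "Hey Ya", "Boom", "Hi There",                                        # non-Bulgarian
            "Zdrasti", "Zdr Otnovo", "Ohoo", "Ei", "Pisamce", "TinKi WinKy", "Hey", "Privet"}  # Bulgarian
SUBJECT_TRAILERS = ["..", "!!", ":)", ";))", ":pP", "~pPp", ":>", "!", ";)"]
# Stems and suffixes of the generated file names (shared by share, Kazaa and attachment copies)
NAME_STEMS = ["PcDudes", "BritneyUltimate", "Pamela 3D_", "Britney Suxx", "KamaSutra", "LaFemmeNikita",
              "Teen Sex Cam", "Lolita", "Pam Anderson Theme", "Sexy Teens Desktop", "SexSpy",
              "Anal Explorer", "Hot Blondies", "Strip Kournikova", "KaZaA Media Desktop v2.2_",
              "Serials 2K 7.2 (by SNTeam)_", "Serials2002_8.0(17.08.02)_", "Dreamweaver_MX_Update_",
              "ACDSee", "WinAmp_3.2_Cool_", "Download Accelerator 5.5_", "Nero Burning Rom 5.7.0.1_",
              "cRedit_CarDs_gEn", "MeGa HACK", "Zip Password Recovery", "GTA 3 Bonus Cars(part1)_",
              "EminemDesktop", "DMX tHeMe", "NFS 6 Bonus Cars_", "Counter Strike 1.5 (Hackz)_",
              "Madonna Desktop", "WinZip 8.2_", "DivX 5.5 Bundle_"]
NAME_SUFFIXES = ["(sHow)", "3D", "3.0", "(Eng)", "v4.5", "(Rated)", "7.1 FULL", "v5.5", "(zip)",
                 "(Cracked)", "3.3", "_v1.1"]
# Fixed strings taken from the "Messages" templates
TEMPLATE_SENDERS = {"greetings@reply.yahoo.com", "support@winamp.com", "greetings@e-cards.com",
                    "support@games.yahoo.com", "support@mcafee.com", "support@yahoo.com",
                    "greetings@kefche.com", "support@kefche.com", "support@microsoft.com",
                    "alert@computel.bg"}
TEMPLATE_SUBJECTS = {"WinAmp Team Presents_", "Reveal who you are", "Explore your soul", "Yahoo!Games_",
                     "McAfee Antivirus Monthly Report_", "Yahoo! Toolbar_", "Blondes Rullz", "Blondinki",
                     "Preotkrii sebe si Priqteli", "Kefche.com_", "Microsoft Bulgaria_", "Vajno_"}
TEMPLATE_ATTACHMENTS = {"Yahoo!Winter.exe", "Yahoo!Christmas.exe", "RedEyez2_skin.exe", "Iguana2_skin.exe",
                        "Friends.exe", "Yahoo!Baseball.exe", "IE_0276_Setup.exe", "Yahoo!Toolbar.exe",
                        "Blondes.scr", "Faith.exe", "IE_0273_bg.exe", "IE55_032.exe"}


def _alt(items):
    """Regex alternation of literal strings, longest first."""
    return "|".join(re.escape(s) for s in sorted(items, key=len, reverse=True))


RANDOM_SENDER_RE = re.compile(rf"^(?:{_alt(SENDER_NAMES)})@(?:{_alt(SENDER_DOMAINS)})$", re.I)
# Subjects keep the page's exact casing.  The page does not say whether a space separates
# the subject from its trailer, so both forms are accepted (assumption).
SUBJECT_RE = re.compile(rf"^(?:{_alt(SUBJECTS)})(?:\s?(?:{_alt(SUBJECT_TRAILERS)}))?$")
YAHOO_GREETING_RE = re.compile(r"^.+ sent you a Yahoo! Greeting_$")
GENERATED_NAME_RE = re.compile(rf"^(?:{_alt(NAME_STEMS)})(?:{_alt(NAME_SUFFIXES)})\.(?:exe|scr)$", re.I)


def roron_lure_indicators(sender, subject, attachment=None):
    """Return the indicators a message matches (empty list: nothing matched)."""
    hits = []
    if sender.lower() in TEMPLATE_SENDERS:
        hits.append("sender: spoofed address from a message template")
    elif RANDOM_SENDER_RE.match(sender):
        hits.append("sender: name and free-mail domain from the worm's lists")
    if subject in TEMPLATE_SUBJECTS or YAHOO_GREETING_RE.match(subject):
        hits.append("subject: fixed template subject")
    elif SUBJECT_RE.match(subject):
        hits.append("subject: short greeting with optional emoticon trailer")
    if attachment:
        if attachment in TEMPLATE_ATTACHMENTS:
            hits.append("attachment: fixed template name")
        elif GENERATED_NAME_RE.match(attachment):
            hits.append("attachment: stem + suffix + .exe/.scr from the worm's lists")
    return hits


# Constructed sample messages (sender, subject, attachment), not real captures
SAMPLE_MESSAGES = [
    ("dreamy@hotmail.com", "Hi There ;))", "PcDudes3D.scr"),
    ("greetings@reply.yahoo.com", "Bob sent you a Yahoo! Greeting_", "Yahoo!Winter.exe"),
    ("alice@example.org", "Re: quarterly report", "report.pdf"),
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg, "->", roron_lure_indicators(*msg) or "no match")
```

Weight the hits accordingly: a sender such as steve@hotmail.com with the subject "Hello" is ordinary mail, so the sender and subject matches are supporting evidence only, while an attachment that matches either the template names or the generated stem + suffix + .exe/.scr pattern is the indicator worth acting on. The same `GENERATED_NAME_RE` applies unchanged to file listings of network shares and of the Kazaa share folder.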

    Payload
    Steals Sensitive Information
    Worm:Win32/Roron.AA@mm attempts to collect personal information from fixed drives and send it to a remote user, who may have an account at one of the following mail servers:
    bitex.bg
    mailbg.com
    abv.bg
    mail.bg
    priatel.com

    It searches for files containing the following strings:
    visa
    credit
    bnc
    spoof
    login
    user
    pass
    account
    cc
    cc-
    cc's
    visa
    credit
    kreditkarte
    cardnumber
    cardtype
    address
    expire
    cvv2
    charge
    billing
    bay
    payment
    secret
    login
    cash
    important
    stuff

    It also attempts to retrieve cached passwords.

    Harvests E-mail Addresses
    Roron.AA also searches for files with the following extensions, possibly to allow e-mail address harvesting:
    ods
    mmf
    nch
    mbx
    tbb
    dbx
    wab

    Terminates Security Processes
    Roron.AA periodically attempts to close the windows of running programs whose window titles contain any of the following strings:
    black
    panda
    shield
    guard
    scan
    mcafee
    nai_vs_stat
    iomon
    navap
    avp
    alarm
    f-prot
    secure
    labs
    antivir

    It also terminates running processes whose file names contain any of the following strings (matching is by substring, so short entries such as "pc" also catch processes unrelated to security software):
    virus
    norton
    black
    cillin
    pc
    labs
    zone
    firewall
    mcafee
    guard
    esafe
    lockdown
    conseal
    antivir
    f-secure
    f-prot
    fprot
    kaspersky
    avp
    panda

    Deletes Security-Related Files
    Roron.AA also examines fixed disks for files whose full path names contain the strings listed above, and may attempt to delete these files if found.

    Backdoor Functionality
    If the user has an IRC client installed, Worm:Win32/Roron.AA@mm may attempt to modify the client's configuration files so that it automatically performs specified activities, including the following:
    • Send and receive files to/from other users
    • Launch denial of service attacks
    • Send private messages to other users, requesting they download specified URLs
    • Log conversations and other user information
    • Shut down or restart the system.
    • Execute files on the system
    • Update configuration information of the worm

    Some instructions related to these activities may be obtained from a file that Roron.AA downloads from a page on geocities.com.

    Additional Information
    Worm:Win32/Roron.AA@mm stores configuration and status information in the following files:
    %windir%\Faith.ini
    <system folder>\hunLib.sys
    %windir%\uhta.cfg
    <system folder>\Dxnuht16.dll
    %windir%\Runtask32.vxd

    Analysis by David Wood

    Last update 04 February 2009

     
