W32/Oror.ad@MM

Type
Virus
SubType
E-mail
Discovery Date
02/27/2003
Length
81,925 bytes
Minimum DAT
4251 (03/05/2003)
Updated DAT
4374 (07/07/2004)
Minimum Engine
5.1.00
Description Added
04/04/2003
Description Modified
04/04/2003 6:13 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a mass-mailing worm that also spreads via mIRC, KaZaa, network shares, and mapped drives. It can use both SMTP and MAPI messaging. The virus also drops a mIRC bot script, closes the windows of certain security software and firewall programs, and deletes their files.

Email arrival
The virus may arrive in an email message built from a random combination of the following strings:

Subject:

  • HeY
  • ZzZz
  • Bla Bla
  • HoWie
  • Happy
  • Hi Again
  • Wow
  • Just A Letter
  • Hello
  • Hey Ya
  • Boom
  • Hi There
  • Zdrasti
  • Zdr Otnovo
  • Ohoo
  • Ei
  • Pisamce
  • TinKi WinKy
  • Privet
  • Boom
Followed by one of the following strings:
  • ..
  • :)
  • ;))
  • :pP
  • ~pPp
  • ;)

Body:

  • Hey, what's up :)) Where are you? Don't you chat any more? I haven't seen you so long. I sent you a surprise, read this :)) - What do blondes wear behind their ears to attract men? Their ankles!! - Why did god invent the female orgasm? So blondes know when to stop screwing!! - What is a blond with hair black colored? Artificial intelligence! Blondes forever!! :) Time off, i must go now, but i'll be very happy if you write to me soon :) Bye bye :))
  • Kak q karash? Pomnish li me oshte :)) Nadqvam se che da. Baq vreme ne sme sa chuvali.. Neshto novo ima li? Namerih edna mnoo qka programka i neznam zashto, no mi napomniza teb :)) Kakvo pravi blondinka kato rodi bliznaci? - Chudi se koi e vtoriq tatko :) Kakva e razlikata mejdu 10 ovce i 3 blondinki? Otgovor: 7 Kak mojesh da razsmeesh blondinka v petak? - Kato i razkajesh vic vav vtornik :) Kefqt li ta vicovete? Shegichka de :) Razkazva vicove na 5 minuti : )) Posmqh se za baq vreme napred :pPpP Haide bye za sega, i da pishesh :))

The virus may also send out emails that are not constructed with random strings. The following emails may be sent:

  • Subject: Explorer your soul
  • Body: Hello, if you are reading this letter, it means that a friend of yours has sent it to you. The idea is to help you realize who you are indeed. This is an interactive variant, based on the original tests of Dhalai Lama, a great indian philosopher. Before you open the test, you should make a wish. Answer to the 5 questions honestly, after that you will recieve a number. If you want your wish to come true you must send this letter to that count of your friends. You can make the test only once, because after that the results won't be real. "If you want to enter the other's world, you should explore your soul first" - Dhalai Lama a. P.S. This test is for personal use only, and should not be used with commercial purposes.
  • Attachment: Faith.scr
  • Subject: Kefche.com
  • Body: Ekiput na Kefche.com ima radostta da pozdravi vsichki fenove na Kefcheto s 1-ta godishnina ot puskaneto na site-a. Nie se prevurnahme v nai-dobriq i poseshtavan bg site za zabavleniq i igri. Ot samoto si nachalo Kefche.com ima za cel da vi nosi samo i edinstveno smqh i zabava, nadqvame se che sme postignali celite si :)) Po sluchai godishninata, ekiput ni poe iniciativata da izprashta vsqka sedmica nai-dobrite flash-cheta i igrichki na vsichki user-i poseshtavashti Kefche-to. Nadqvame se da vi haresa i tova da bude samo nachaloto na edno novo zabavlenie :))
    -----------------
    Kefche.com Team.
  • Subject: Preotkrii sebe si
  • Body: Zdravei, ako si poluchil tova pismo znachi nqkoi priqtel ti go e pratil. Celta na pismoto e da ti pomogne da razberesh koi si vsushnost. Originalnata ideq e na Dalai Lama i tova e nein interaktiven variant. Predi da otvorite test-a si namislete edno jelanie, otgovorete na 5-te vuprosa i sled kato poluchite jelanite otgovori shte poluchite edno chislo. Za da vi se izpulni jelanieto trqbva da pratite tova pis mo na tolkova priqteli. Testa se pravi samo vednuj, poneje sled tova nqma da poluchite obektivna ocenka. "Za da navlezem v sveta na drugite, purvo trqbva da budem nqsno sys sebe si" - Dalai Lama. P.S. Tozi test e samo za lichna upotreba, i ne biva da bude izpolzvan za kakvito i da bili komersialni celi.
  • Attachment: Faith.scr
  • Subject: [infected user name] sent you a Yahoo! Greeting
  • Body: Surprise! You've just received a Yahoo! Greeting from [infected user name] This is an interactive greeting card and requires Flash Media Player. Enjoy! The Yahoo! Greetings Team.
    -----------------
    Yahoo! Greetings is a free service. If you'd like to send someone a Yahoo! Greeting, you can do so at http://greetings.yahoo.com
  • Attachment: Yahoo!Winter.scr
  • Subject: Yahoo! Games
  • Body: Yahoo! Team is proud to present our new surprise for clients of Yahoo! and Yahoo! Mail. We plan to send you the best Yahoo! Games weekly. This new service is free and it's a gift for the 10th anniversary of Yahoo!. We hope that you would like it. The whole Yahoo! Team want to express our gratitude to you, the people who help us to improve Yahoo! so much, that it became the most popular worldwide portal. Thank You! We do our best to serve you.
    -------------
    Yahoo! Team. www.Yahoo.com
  • Attachment: Yahoo!Baseball.scr
  • Subject: MiamiGirls.com Free Subscription
  • Body: On the occasion of it's 3th anniversary MiamiGirls.com wants to offer you even more pleasure than before. There are several new promotions and if you are interested you can watch the free demo and subsequently contact our web page. If you join now, the first month of your membership will be free. Thousands of hot teen pics and videos are available for you. Image Galleries, Cumshots, LiveCams, Hot Video Chat, Erotic Stories, XXX Lessons, Kama Sutra, Celebrities.. We provide t he best services for our members. This site contains adult material that is unsuitable for those under the age of 18.
    ------------------------
    www.MiamiGirls.com
  • Attachment: FreeTour.scr

Display of "error" message
Upon execution of the virus, one of the following fake error messages is displayed:

Title: Source
Message: Filename is not a valid Win32 application.
or
Title: WinZip Self-Extractor License Confirmation
Message: Your version of WinZip Self-Extractor is not licensed, or the license information is missing or corrupted. Please contact the program vendor or the web site (www.WinZip.com) for additional information.
or
Title: Error Starting Program
Message: The filename file expects a newer version of Windows. Upgrade your Windows version.
or
Title: Cannot open file: it does not appear to be a valid program
Message: If you downloaded this file, try downloading file again.

System effects
The virus will drop many copies of itself by taking on an existing folder name and appending 16, 32, Sys, or 98 to the end of it. For example:

  • C:\Program Files\Online Services = C:\Program Files\Online Services\Online Services 98.exe
A registry run key is then created for this dropped file:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run\Online Services = C:\Program Files\Online Services\Online Services 98.exe
This can occur for any folder within the %Program Files% folder. In a similar fashion, the virus takes the name of a DLL file in the Windows SYSTEM (%SysDir%) folder, copies itself under a similar name (the DLL's base name with one of the suffixes above appended), and adds a WIN.INI run= entry for that file:
  • run=C:\WINDOWS\SYSTEM\MSPRINT 98.exe
This virus hooks the following registry key:
  • HKEY_CLASSES_ROOT\exefile\shell\open\
    command = c:\[windows directory]\[random file name].exe "%1" %*
This will cause the virus to execute on opening any .exe file.

The worm copies itself as [random file name].exe in the Windows directory and adds a Run value whose name is one of Run, Load, or Start followed by one of Profile, System, or Agent (for example RunProfile or LoadSystem):

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run\[Run|Load|Start][Profile|System|Agent] = "[random file name] powprof.dll,LoadCurrentUserProfile"
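To check a Windows 9x/ME host for the three startup hooks described in this section (a Run value pointing at a copy named after its own folder, the exefile\shell\open\command hijack, and a populated run= line in WIN.INI), here is an added Python example; it is not part of the McAfee description and works on exported text rather than a live registry. The sample values, including the placeholder name qkzt.exe for the worm's random file name, are constructed.

```python
import re
from pathlib import PureWindowsPath
# Dropped-copy naming the advisory describes: "<borrowed name> 16|32|Sys|98.exe".
SUFFIX_RE = re.compile(r"^(.+) (16|32|Sys|98)$", re.I)
# Stock data of HKCR\exefile\shell\open\command; anything else runs before every .exe.
STOCK_EXEFILE_COMMAND = '"%1" %*'
# Run value names built from Run|Load|Start + Profile|System|Agent, plus the loader string.
OROR_RUN_NAME = re.compile(r"^(Run|Load|Start)(Profile|System|Agent)$", re.I)
OROR_LOADER = "powprof.dll,LoadCurrentUserProfile"

def first_exe(command):
    # Executable path from a Run value; quoted or bare, the path may contain spaces.
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]

def suffixed_copy(path):
    # The borrowed base name if path looks like "<name> 98.exe" (etc.), else None.
    p = PureWindowsPath(path)
    m = SUFFIX_RE.match(p.stem)
    return m.group(1) if p.suffix.lower() == ".exe" and m else None

def is_folder_name_copy(path):
    # Stronger check: the borrowed name is the containing folder's own name.
    base = suffixed_copy(path)
    return base is not None and base.lower() == PureWindowsPath(path).parent.name.lower()

def check_run_key(values):
    # values: {name: data} as exported from HKLM\...\CurrentVersion\Run.
    hits = []
    for name, data in values.items():
        exe = first_exe(data)
        if is_folder_name_copy(exe):
            hits.append(f"Run\\{name}: copy named after its folder -> {exe}")
        if OROR_RUN_NAME.match(name) and OROR_LOADER in data:
            hits.append(f"Run\\{name}: {OROR_LOADER} loader -> {exe}")
    return hits

def check_exefile_command(data):
    # Anything in front of "%1" %* runs on every .exe launch.
    return [] if data.strip() == STOCK_EXEFILE_COMMAND else [f"exefile hook: {data}"]

def check_win_ini(text):
    # A populated run= or load= under [windows] is unusual on a clean box; flag it.
    hits, section = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):
            section = s.lower()
            continue
        m = re.match(r"^(run|load)\s*=\s*(\S.*)$", s, re.I)
        if section == "[windows]" and m:
            tag = " (Oror-style name)" if suffixed_copy(m.group(2).strip()) else ""
            hits.append(f"WIN.INI {m.group(1).lower()}={m.group(2).strip()}{tag}")
    return hits

# Constructed sample data mirroring the advisory's examples; "qkzt.exe" stands in
# for the random file name the worm chooses.
SAMPLE_RUN = {
    "Online Services": r"C:\Program Files\Online Services\Online Services 98.exe",
    "LoadProfile": r"C:\WINDOWS\qkzt.exe powprof.dll,LoadCurrentUserProfile",
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
}
SAMPLE_EXEFILE = r'c:\WINDOWS\qkzt.exe "%1" %*'
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\MSPRINT 98.exe\n[Desktop]\nWallpaper=(None)\n"

def scan(run_values=SAMPLE_RUN, exefile=SAMPLE_EXEFILE, win_ini=SAMPLE_WIN_INI):
    return check_run_key(run_values) + check_exefile_command(exefile) + check_win_ini(win_ini)
```

The legitimate ScanRegistry entry in the sample produces no finding, while the other three artefacts yield one finding each (the LoadProfile value matches on both its name and its loader string).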

Peer-to-peer propagation
The virus may also drop copies of itself on accessible network shares and in the KaZaa shared folder; the filenames are built from a combination of the following strings:

  • (Cracked) PcDudes
  • (Eng)
  • (Rated)
  • (sHow)
  • (zip)
  • _v1.1 BoxDave_
  • 2.3
  • 3.0
  • 3D
  • 7.1 FULL
  • ACDSee
  • Anal Explorer
  • Angel3D_
  • BabyBlue
  • Britney Suxx
  • BritneyUltimate
  • Chess
  • Chess
  • ClubExtreme
  • Counter Strike 1.5 (Hackz)_
  • DivX 5.5 Bundle_
  • DMX tHeMe
  • Download Accelerator 5.5_
  • Dreamweaver_MX_Update_
  • Elfbowl
  • EminemDesktop
  • Fishfood
  • Gipsy
  • Goggles
  • GTA 3 Bonus Cars(part1)_
  • Hot Blondies
  • Iguana
  • install_en_
  • Inter012_
  • Inter013_
  • KamaSutra
  • KaZaA Media Desktop v2.2_
  • LaFemmeNikita
  • Lolita
  • Madonna Desktop
  • MeGa HACK
  • mTV_Charts_ (sHow)
  • mTV_Charts_ 3.3
  • Nero Burning Rom 5.7.0.1_ cRedit_CarDs_gEn
  • NFS HP Bonus Cars_
  • Pam Anderson Theme
  • Pamela 3D_
  • Pamela3D_
  • PcDudes
  • RedEyez
  • Serials 2K 7.2 (by NTeam)_
  • Serials2002_8.0(17.08.02)_
  • SexSpy
  • Sexy Teens Desktop
  • snowball_fight_
  • sound_brake_
  • Story015_
  • Story017_
  • Strip Kournikova (sHow)
  • Teen Sex Cam
  • v4.5
  • v5.5
  • VirtualRape
  • WinAmp_3.2_Cool_
  • WinZip 8.2_
  • WWF_The_ROCK
  • Zip Password Recovery
The worm may drop an AUTORUN.INF file on remote mapped drives, to automatically execute the virus upon connecting to that drive.

IRC functions
The virus overwrites the mIRC files mirc.ini, remotes.ini, controls.ini, versions.ini, notes.ini, url.ini and version.ini to turn the local mIRC installation into an IRC bot. The bot lets a remote attacker use the compromised system to perform functions such as:

  • Log on to IRC channels
  • Upload/download files
  • Initiate a Denial of Service attack
  • Access websites
  • Mass-mail the worm via SMTP
Note: When the mass-mailing command is issued via the mIRC bot, the worm exploits the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability (MS01-020) in Microsoft Internet Explorer (version 5.01 or 5.5 without SP2). As a result, the virus executes as soon as the email message is viewed in a vulnerable Outlook client, without the attachment being opened. Gateway scanners detect samples using this exploit as Exploit-MIME.gen or Exploit-MIME.gen.exe with the 4213 DATs (or higher).

Program killer payload
The virus may close windows whose title contains any of the following strings:

  • black
  • panda
  • shield
  • guard
  • scan
  • mcafee
  • nai_vs_stat
  • iomon
  • navap
  • avp
  • alarm
  • f-prot
  • secure
  • labs
  • antivir

It also searches for folders and subfolders whose names contain any of the following strings and deletes them together with the files within:

  • "virus" and "norton"
  • "ice" and "black"
  • pc
  • cillin
  • mcafee
  • "labs" and "zone"
  • guard
  • worm
  • antivir
  • secure
  • f-prot
  • fprot
  • kaspers
  • avp
  • panda
  • conseal
  • firewall
  • esafe
  • lockdown
  • antivirus
  • fsecure

Symptoms

The worm drops several files, most with random file names. The following file names are fixed:

  • Cmddrv.dll
  • Faith.ini

Method of Infection

This worm arrives via KaZaa, email, or IRC. Executing an infected file infects the local system. It also spreads via accessible network shares and appends executable files.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup are removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Roron.53 (AVP)
  • W32/Roro.W@mm (F-Prot)
  • WORM_OROR.Q (Trend)
