McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• I-Worm.Roron

• W32.HLLW.Oror.B@mm (Symantec)

• WORM_OROR.B (Trend)

Characteristics

This is a mass-mailing worm that also spreads via mIRC, KaZaa, network shares, and mapped drives. It can utilize both SMTP and MAPI messaging. The virus also drops a mIRC bot script and will also close windows and deletes certain security software files and firewall programs. Upon executing the virus, the following fake error message is displayed:

The virus may arrive in an email message containing the following random information:

Subject:

• HeY
• ZzZz
• Bla Bla
• HoWie
• Happy
• Hi Again
• Wow
• Hi
• Hello
• Hey Ya
• Boom
• Hi There Zdrasti
• Zdr Otnovo
• Ohoo
• Ei dupe
• Pisamce
• TinKi WinKy
• ZzZz
• Bla Bla
• Hey
• Privet
• Boom

Followed by one of the following strings:

• ..
• !!
• :)
• ;))
• :pPpP
• ~pPp
• :>
• !
• ;)

Body:

• Hello :)) How are you? Do you remember me? I hope so :)) I've just watched Tomcats, it's marvellous :pP. The summer vacation is over and this is quite unpleasent :(( I have a lot to tell you about, later.. You can't guess what I've found.. A working Credit Card generator :))) I purchased a bride from Russia yesterday :) LoL.. I gave a fake address of course :))) Don't go too far and watch out :)) I'll be very happy if you write to me soon :))) Bye..
• Hey :) Wasupp ~Pp I wanted to write you a letter, but i didn't know what to talk about actually :) Have you ever done an IQ test?I've just scored 120 points :) I'm not sure if this good or bad is, but who cares :) Have you visited %s :) Finally, how are you:) I'll be very happy if you send me 1,2 funny cards :)) bye! :)
• Hi again :)) Where are you? Don't you chat any more? I haven't seen you so long :)) Well, I've got a lot to tell you about. The Summer vacation was too good to be true. Beach, disco's, friends.. Unfortunately, it's Winter now and the temperatures here are very low. I was ill almost 2 weeks. Quite unpleasant :(( Have you visited %s, a little bit strange, but nice :)) Finally, how are you? Write to me :)) Byeee :pP
• Hi again :)) Where are you? Don't you chat any more? I haven't seen you so long.. Well, I've got a lot to tell you about. The Summer vacation was too good to be true. Beach, disco's, friends.. Unfortunately, it's Winter now and the temperatures here are very low. I was ill almost 2 weeks. Quite unpleasant :(( Let's talk about you :) Are you oK? Are you in love :)) I sent you a surprise :)) There are cool thoughts, especially about love. It's nice. I'm a little bit bored of these stupid computers, but I'm waiting for the reply :)) Bye!
• Hey :) Wasupp ~Pp I wanted to write you a letter, but i didn't know what to talk about actually :) Have you ever done an IQ test, i've just scored 120 points :) I'm not sure if this is good or bad, who cares :) Have you visited %s :) Finally, how are you:) i'll be very happy if you send me 1,2 funny cards :)))) bye! :)
• Zdrasti, ko staa :))) Baq vreme ne sme se chuvali. Beshe mi skuchno i si vikam shto da ne napisha nqkoi drugo pismo :)) Sq i tva daskalo i napravo ujas, ne sa jivee :) Ti ostai drugoto ami i e studeno.. ~PpPp. Dano idva vakanciqta po skoro :)) Pishi neshto interesno, kak q karash, neshto novo ima li :) Pratih ti onva deto obeshtah, qko a :)) Aide i chakam..
• Ekiput na Kefche.com ima radostta da pozdravi vsichki fenove na Kefcheto s 1-ta godishnina ot puskaneto na site-a. Nie se prevurnahme v nai-dobriq i poseshtavan bg site za zabavleniq i igri. Ot samoto si nachalo Kefche.com ima za cel da vi nosi samo i edinstveno smqh i zabava, nadqvame se che sme postignali celite si :)) Po sluchai godishninata, ekiput ni poe iniciativata da izprashta vsqka sedmica nai-dobrite flash-cheta i igrichki na vsichki user-i poseshtavashti Kefche-to. Nadqvame se da vi haresa i tova da bude samo nachaloto na edno novo zabavlenie :))
  -----------------
  Kefche.com Team.

The virus may also send out emails that are not constructed with random strings. The following emails may be sent:

• Subject: Yahoo! Toolbar
• Body: Yahoo! Team is proud to present our new surprise for clients of Yahoo! and Yahoo! Mail. Yahoo! Toolbar is an innovative technology, which helps you to access Yahoo! Services easier than ever. It is free and is a gift for the 5th anniversary of Yahoo!. We hope that you would like it. The whole Yahoo! Team want to express our gratitude to you, the people who help us to improve Yahoo! so much, that it became the most popular worldwide portal. Thank You! We do our best to serve you.
  -------------
  Yahoo! Team. www.Yahoo.com
• Attachment: Yahoo!Toolbar.exe

• Subject: Virus Alert
• Body: McAfee Antivirus warns about a new virus, called W32.Roro@mm. It is a high risk worm and it's using IRC and internet pages to infect computers. The virus deletes movies, music and system files. Due to the significant increase of infected users, Microsoft Corporation, with the collaboration of McAfee Antivirus, supports clients of Microsoft Windows with à patch, which fixes a bug in Internet Explorer 5.5 or minor versions. This bug allows internet pages to grant access to local resources of visitors.
  ----------------
  McAfee Antivirus www.McAfee.com
• Attachment: IE_0276_Setup.exe

• Subject:
• Body: Hello, WinAmp User. WinAmp Team is proud to present our new surprise for users of WinAmp. WinAmp 3.0 Final has been just released and we believe that it will be the player you've ever dreamed about. We plan to start a new tradition, sending the best skin or add-on to our users every week. This new service is free andwe hope that you would like it. Everyone can offer us suggestions. We do our best to serve you.
  ----------------
  WinAmp Team
• Attachment: Iguana1.0_skin.exe

• Subject: Blondes Forever
• Body:
• Hey, whatz up :)) Where are you? Don't you chat any more? I haven't seen you so long. Read this :)) - What do blondes wear behind their ears to attract men? Their ankles!! - Why did god invent the female orgasm? So blondes know when to stop screwing!! - What is a blond with hair black colored? Artificial intelligence! Blondes forever!! :) Time off, i must go now, but i'll be very happy if you write to me soon :) Bye bye :))
• Attachment: Blondes.exe

• Subject: Vajno
• Body:
• Panda Antivirus preduprejdava za nalichieto na nov virus v internet, narechen W32.Roro@mm. Razprostranqva se predimno po IRC i chrez zarazeni internet stranici. Sled zarazqvaneto toi iztriva mp3-ki, filmi i dokumenti. Poradi golemiq broi zarazeni bulgari prez poslednite nqkolko dena, Panda Antivirus zapochna razprostranenieto na patch, koito opravq bug v Internet Explorer 5.5 i minali versii, pozvolqvasht na stranici sas zlovredno sudurjanie da izpulnqvat komandi vurhu posetitelite. Druga nasha preporuka e ako ste veche zarazeni da ne opitvate da mahate virusa ruchno, a samo s antivirusna programa, poneje pri neuspeshen opit za premahvane W32.Roro iztriva razlichni vidove failove na operacionnata sistema.
  ------------------
  Panda Antivirus, Bulgariali
• Attachment: IE50_032_Setup.exe

• Subject: Microsoft Bulgaria
• Body: Blagodarenie na dulgogodishnite tradicii na Microsoft v Bulgaria i dobrata i suvestna rabota na vsichki neini podchineni, mojem nai-nakraq da pozdravim bulgarskiq potrebitel s prevod na Internet Explorer na bulgarski. Tova e edno uspeshno produljenie na iniciativata za prevejdane na Ms Office 2000 ® na rodniq ni ezik. Update-a e bezplaten i e podaruk po sluchai 10 godishninata na Microsoft v Bulgaria. Nadqvame se bulgarskite potrebiteli da ostanat dovolni, koeto shte bude nai-golemiq podaruk za nas.
  ---------------------
  Microsoft, Bulgaria.
• Attachment: IE_0274_bg.exe

• Subject: [infected user name] sent you a Yahoo! Greeting
• Body: Surprise! You've just received a Yahoo! Greeting from [infected user name] This is an interactive greeting card and requires Flash Media Player. Enjoy! The Yahoo! Greetings Team.
  -----------------
  Yahoo! Greetings is a free service. If you'd like to send someone a Yahoo! Greeting, you can do so at http://greetings.yahoo.com
• Attachment: Yahoo!Tomcats.exe

• Subject: Yahoo! Games
• Body: Yahoo! Team is proud to present our new surprise for clients of Yahoo! and Yahoo! Mail. We plan to send you the best Yahoo! Games weekly. This new service is free and it's a gift for the 5th anniversary of Yahoo!. We hope that you would like it. The whole Yahoo! Team want to express our gratitude to you, the people who help us to improve Yahoo! so much, that it became the most popular worldwide portal. Thank You! We do our best to serve you.
  -------------
  Yahoo! Team. www.Yahoo.com
• Attachment: Yahoo!Chess.exe

It may add the following strings at end of the email:

• P.S. Have you visited [infected website] :) Co0l :))
• P.S. Be happy, don't worry ~pPp. Check this - [infected website] Cool :))
• P.S. Bqgai na %s mnoo zdravo flash4e ima :pP
• P.S. Hvarli edno oko na %s :))

The virus may also drop the following files in the KaZaa shared folder:

• KaZaA Media Desktop v2.0.8_.exe
• Serials 2K 7.2 (by SNTeam)_.exe
• Serials2002_8.0(17.08.02)_.exe
• Dreamweaver_5.0_Patch_.exe
• ACDSee.exe
• WinAmp_3.2_Cool_.exe
• Download Accelerator 5.5_.exe
• Nero Burning Rom 5.6.0.3_ cRedit_CarDs_gEn.exe
• MeGa HACK.exe
• Zip Password Recovery.exe
• GTA 3 Bonus Cars(part1)_.exe
• EminemDesktop.exe
• DMX tHeMe .exe
• NFS 5 Bonus Cars_.exe
• Counter Strike 1.5 (Editor)_.exe
• Madonna Desktop .exe
• WinZip 8.2_.exe
• DivX 5.4 Bundle_.exe

The virus will drop many copies of itself by taking on an existing folder name and appending 16, 32, or 98 to the end of it. For example:

• C:\Program Files\Online Services = C:\Program Files\Online Services\Online Services 98.exe

A registry run key is then created for this dropped file:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run\Online Services = C:\Program Files\Online Services\Online Services 98.exe

This can occur for any folder within the %Program Files% folder. In a similar fashion the virus grabs the name of a DLL file within the WINDOWS SYSTEM (%SysDir%) folder, copies itself with a similar name and creates a WIN.INI run key for that file:

• run=C:\WINDOWS\SYSTEM\MSPRINT 98.exe

The virus will overwrite MIRC files (mirc.ini, remotes.ini, controls.ini, versions.ini, notes.ini, url.ini, version.ini) to create an IRC bot. This bot allows a remote attacker to use the compromised system to perform various functions, such as:

• Log on to IRC channels
• Upload/download files
• Initiate a Denial of Service attack
• Access websites
• Mass-mail the worm via SMTP

Note: When issues the mass-mailing command via the mIRC bot, the worm will exploit the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability (MS01-020) in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2). This will result in the virus getting executed from simply viewing the email message with a vulnerable Outlook client. Gateway scanners will detect samples using this exploit as Exploit-MIME.gen. or Exploit-MIME.gen.exe with the 4213 DATs (or higher).

W32/Oror.e@MM copies itself as a [random file name].exe in the Windows directory and modifies the registry setting:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run\LoadCurrentProfile ="[random file name]

powprof.dll,LoadCurrentUserProfile"

This virus hooks the following registry key:

• HKEY_CLASSES_ROOT\exefile\shell\open\
  command c:\[windows directory]\[random file name].exe "%1" %*

This will cause the virus to execute on opening any .exe file.

The virus may close windows, whose title contains any of the following strings:

• black
• panda
• shield
• guard
• scan
• mcafee
• nai_vs_stat
• iomon
• navap
• avp
• alarm
• f-prot
• secure
• labs
• antivir

It will also search for folders and subfolders that contain any of the following strings and delete these and files within:

• "virus" and "norton"
• "ice" and "black"
• pc
• cillin
• mcafee
• "labs" and "zone"
• guard
• worm
• antivir
• secure
• f-prot
• kaspers
• avp
• panda
• conseal

Symptoms

The presence of the aforementioned files.

Method of Infection

This worm arrives via KaZaa, email, or IRC. Executing an infected file infects the local system.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• I-Worm.Roron

• W32.HLLW.Oror.B@mm (Symantec)

• WORM_OROR.B (Trend)

Characteristics

Characteristics -

This is a mass-mailing worm that also spreads via mIRC, KaZaa, network shares, and mapped drives. It can utilize both SMTP and MAPI messaging. The virus also drops a mIRC bot script and will also close windows and deletes certain security software files and firewall programs. Upon executing the virus, the following fake error message is displayed:

The virus may arrive in an email message containing the following random information:

Subject:

• HeY
• ZzZz
• Bla Bla
• HoWie
• Happy
• Hi Again
• Wow
• Hi
• Hello
• Hey Ya
• Boom
• Hi There Zdrasti
• Zdr Otnovo
• Ohoo
• Ei dupe
• Pisamce
• TinKi WinKy
• ZzZz
• Bla Bla
• Hey
• Privet
• Boom

Followed by one of the following strings:

• ..
• !!
• :)
• ;))
• :pPpP
• ~pPp
• :>
• !
• ;)

Body:

• Hello :)) How are you? Do you remember me? I hope so :)) I've just watched Tomcats, it's marvellous :pP. The summer vacation is over and this is quite unpleasent :(( I have a lot to tell you about, later.. You can't guess what I've found.. A working Credit Card generator :))) I purchased a bride from Russia yesterday :) LoL.. I gave a fake address of course :))) Don't go too far and watch out :)) I'll be very happy if you write to me soon :))) Bye..
• Hey :) Wasupp ~Pp I wanted to write you a letter, but i didn't know what to talk about actually :) Have you ever done an IQ test?I've just scored 120 points :) I'm not sure if this good or bad is, but who cares :) Have you visited %s :) Finally, how are you:) I'll be very happy if you send me 1,2 funny cards :)) bye! :)
• Hi again :)) Where are you? Don't you chat any more? I haven't seen you so long :)) Well, I've got a lot to tell you about. The Summer vacation was too good to be true. Beach, disco's, friends.. Unfortunately, it's Winter now and the temperatures here are very low. I was ill almost 2 weeks. Quite unpleasant :(( Have you visited %s, a little bit strange, but nice :)) Finally, how are you? Write to me :)) Byeee :pP
• Hi again :)) Where are you? Don't you chat any more? I haven't seen you so long.. Well, I've got a lot to tell you about. The Summer vacation was too good to be true. Beach, disco's, friends.. Unfortunately, it's Winter now and the temperatures here are very low. I was ill almost 2 weeks. Quite unpleasant :(( Let's talk about you :) Are you oK? Are you in love :)) I sent you a surprise :)) There are cool thoughts, especially about love. It's nice. I'm a little bit bored of these stupid computers, but I'm waiting for the reply :)) Bye!
• Hey :) Wasupp ~Pp I wanted to write you a letter, but i didn't know what to talk about actually :) Have you ever done an IQ test, i've just scored 120 points :) I'm not sure if this is good or bad, who cares :) Have you visited %s :) Finally, how are you:) i'll be very happy if you send me 1,2 funny cards :)))) bye! :)
• Zdrasti, ko staa :))) Baq vreme ne sme se chuvali. Beshe mi skuchno i si vikam shto da ne napisha nqkoi drugo pismo :)) Sq i tva daskalo i napravo ujas, ne sa jivee :) Ti ostai drugoto ami i e studeno.. ~PpPp. Dano idva vakanciqta po skoro :)) Pishi neshto interesno, kak q karash, neshto novo ima li :) Pratih ti onva deto obeshtah, qko a :)) Aide i chakam..
• Ekiput na Kefche.com ima radostta da pozdravi vsichki fenove na Kefcheto s 1-ta godishnina ot puskaneto na site-a. Nie se prevurnahme v nai-dobriq i poseshtavan bg site za zabavleniq i igri. Ot samoto si nachalo Kefche.com ima za cel da vi nosi samo i edinstveno smqh i zabava, nadqvame se che sme postignali celite si :)) Po sluchai godishninata, ekiput ni poe iniciativata da izprashta vsqka sedmica nai-dobrite flash-cheta i igrichki na vsichki user-i poseshtavashti Kefche-to. Nadqvame se da vi haresa i tova da bude samo nachaloto na edno novo zabavlenie :))
  -----------------
  Kefche.com Team.

The virus may also send out emails that are not constructed with random strings. The following emails may be sent:

• Subject: Yahoo! Toolbar
• Body: Yahoo! Team is proud to present our new surprise for clients of Yahoo! and Yahoo! Mail. Yahoo! Toolbar is an innovative technology, which helps you to access Yahoo! Services easier than ever. It is free and is a gift for the 5th anniversary of Yahoo!. We hope that you would like it. The whole Yahoo! Team want to express our gratitude to you, the people who help us to improve Yahoo! so much, that it became the most popular worldwide portal. Thank You! We do our best to serve you.
  -------------
  Yahoo! Team. www.Yahoo.com
• Attachment: Yahoo!Toolbar.exe

• Subject: Virus Alert
• Body: McAfee Antivirus warns about a new virus, called W32.Roro@mm. It is a high risk worm and it's using IRC and internet pages to infect computers. The virus deletes movies, music and system files. Due to the significant increase of infected users, Microsoft Corporation, with the collaboration of McAfee Antivirus, supports clients of Microsoft Windows with à patch, which fixes a bug in Internet Explorer 5.5 or minor versions. This bug allows internet pages to grant access to local resources of visitors.
  ----------------
  McAfee Antivirus www.McAfee.com
• Attachment: IE_0276_Setup.exe

• Subject:
• Body: Hello, WinAmp User. WinAmp Team is proud to present our new surprise for users of WinAmp. WinAmp 3.0 Final has been just released and we believe that it will be the player you've ever dreamed about. We plan to start a new tradition, sending the best skin or add-on to our users every week. This new service is free andwe hope that you would like it. Everyone can offer us suggestions. We do our best to serve you.
  ----------------
  WinAmp Team
• Attachment: Iguana1.0_skin.exe

• Subject: Blondes Forever
• Body:
• Hey, whatz up :)) Where are you? Don't you chat any more? I haven't seen you so long. Read this :)) - What do blondes wear behind their ears to attract men? Their ankles!! - Why did god invent the female orgasm? So blondes know when to stop screwing!! - What is a blond with hair black colored? Artificial intelligence! Blondes forever!! :) Time off, i must go now, but i'll be very happy if you write to me soon :) Bye bye :))
• Attachment: Blondes.exe

• Subject: Vajno
• Body:
• Panda Antivirus preduprejdava za nalichieto na nov virus v internet, narechen W32.Roro@mm. Razprostranqva se predimno po IRC i chrez zarazeni internet stranici. Sled zarazqvaneto toi iztriva mp3-ki, filmi i dokumenti. Poradi golemiq broi zarazeni bulgari prez poslednite nqkolko dena, Panda Antivirus zapochna razprostranenieto na patch, koito opravq bug v Internet Explorer 5.5 i minali versii, pozvolqvasht na stranici sas zlovredno sudurjanie da izpulnqvat komandi vurhu posetitelite. Druga nasha preporuka e ako ste veche zarazeni da ne opitvate da mahate virusa ruchno, a samo s antivirusna programa, poneje pri neuspeshen opit za premahvane W32.Roro iztriva razlichni vidove failove na operacionnata sistema.
  ------------------
  Panda Antivirus, Bulgariali
• Attachment: IE50_032_Setup.exe

• Subject: Microsoft Bulgaria
• Body: Blagodarenie na dulgogodishnite tradicii na Microsoft v Bulgaria i dobrata i suvestna rabota na vsichki neini podchineni, mojem nai-nakraq da pozdravim bulgarskiq potrebitel s prevod na Internet Explorer na bulgarski. Tova e edno uspeshno produljenie na iniciativata za prevejdane na Ms Office 2000 ® na rodniq ni ezik. Update-a e bezplaten i e podaruk po sluchai 10 godishninata na Microsoft v Bulgaria. Nadqvame se bulgarskite potrebiteli da ostanat dovolni, koeto shte bude nai-golemiq podaruk za nas.
  ---------------------
  Microsoft, Bulgaria.
• Attachment: IE_0274_bg.exe

• Subject: [infected user name] sent you a Yahoo! Greeting
• Body: Surprise! You've just received a Yahoo! Greeting from [infected user name] This is an interactive greeting card and requires Flash Media Player. Enjoy! The Yahoo! Greetings Team.
  -----------------
  Yahoo! Greetings is a free service. If you'd like to send someone a Yahoo! Greeting, you can do so at http://greetings.yahoo.com
• Attachment: Yahoo!Tomcats.exe

• Subject: Yahoo! Games
• Body: Yahoo! Team is proud to present our new surprise for clients of Yahoo! and Yahoo! Mail. We plan to send you the best Yahoo! Games weekly. This new service is free and it's a gift for the 5th anniversary of Yahoo!. We hope that you would like it. The whole Yahoo! Team want to express our gratitude to you, the people who help us to improve Yahoo! so much, that it became the most popular worldwide portal. Thank You! We do our best to serve you.
  -------------
  Yahoo! Team. www.Yahoo.com
• Attachment: Yahoo!Chess.exe

It may add the following strings at end of the email:

• P.S. Have you visited [infected website] :) Co0l :))
• P.S. Be happy, don't worry ~pPp. Check this - [infected website] Cool :))
• P.S. Bqgai na %s mnoo zdravo flash4e ima :pP
• P.S. Hvarli edno oko na %s :))

The virus may also drop the following files in the KaZaa shared folder:

• KaZaA Media Desktop v2.0.8_.exe
• Serials 2K 7.2 (by SNTeam)_.exe
• Serials2002_8.0(17.08.02)_.exe
• Dreamweaver_5.0_Patch_.exe
• ACDSee.exe
• WinAmp_3.2_Cool_.exe
• Download Accelerator 5.5_.exe
• Nero Burning Rom 5.6.0.3_ cRedit_CarDs_gEn.exe
• MeGa HACK.exe
• Zip Password Recovery.exe
• GTA 3 Bonus Cars(part1)_.exe
• EminemDesktop.exe
• DMX tHeMe .exe
• NFS 5 Bonus Cars_.exe
• Counter Strike 1.5 (Editor)_.exe
• Madonna Desktop .exe
• WinZip 8.2_.exe
• DivX 5.4 Bundle_.exe

The virus will drop many copies of itself by taking on an existing folder name and appending 16, 32, or 98 to the end of it. For example:

• C:\Program Files\Online Services = C:\Program Files\Online Services\Online Services 98.exe

A registry run key is then created for this dropped file:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run\Online Services = C:\Program Files\Online Services\Online Services 98.exe

This can occur for any folder within the %Program Files% folder. In a similar fashion the virus grabs the name of a DLL file within the WINDOWS SYSTEM (%SysDir%) folder, copies itself with a similar name and creates a WIN.INI run key for that file:

• run=C:\WINDOWS\SYSTEM\MSPRINT 98.exe

The virus will overwrite MIRC files (mirc.ini, remotes.ini, controls.ini, versions.ini, notes.ini, url.ini, version.ini) to create an IRC bot. This bot allows a remote attacker to use the compromised system to perform various functions, such as:

• Log on to IRC channels
• Upload/download files
• Initiate a Denial of Service attack
• Access websites
• Mass-mail the worm via SMTP

Note: When issues the mass-mailing command via the mIRC bot, the worm will exploit the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability (MS01-020) in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2). This will result in the virus getting executed from simply viewing the email message with a vulnerable Outlook client. Gateway scanners will detect samples using this exploit as Exploit-MIME.gen. or Exploit-MIME.gen.exe with the 4213 DATs (or higher).

W32/Oror.e@MM copies itself as a [random file name].exe in the Windows directory and modifies the registry setting:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run\LoadCurrentProfile ="[random file name]

powprof.dll,LoadCurrentUserProfile"

This virus hooks the following registry key:

• HKEY_CLASSES_ROOT\exefile\shell\open\
  command c:\[windows directory]\[random file name].exe "%1" %*

This will cause the virus to execute on opening any .exe file.

The virus may close windows, whose title contains any of the following strings:

• black
• panda
• shield
• guard
• scan
• mcafee
• nai_vs_stat
• iomon
• navap
• avp
• alarm
• f-prot
• secure
• labs
• antivir

It will also search for folders and subfolders that contain any of the following strings and delete these and files within:

• "virus" and "norton"
• "ice" and "black"
• pc
• cillin
• mcafee
• "labs" and "zone"
• guard
• worm
• antivir
• secure
• f-prot
• kaspers
• avp
• panda
• conseal

Symptoms

Symptoms -

The presence of the aforementioned files.

Method of Infection

Method of Infection -

This worm arrives via KaZaa, email, or IRC. Executing an infected file infects the local system.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A