W32/Oror.B@mm

Analysis

  • Virus is 32bit and was coded using Visual C++
  • Virus has a size of 106,496 bytes
  • When virus is executed, it copies itself into the Windows folder as Rundll16.exe
  • The virus locates a random folder within the "Program Files" folder and creates a file in it named after that folder, with a two-character suffix appended - the suffix is either 2K, 32 or 16, as in this example -

    Program Files\Online Services\Online Services16.exe

  • The virus locates the Windows folder and records its path in the MSDOS.SYS file by adding a key to that configuration file, as in this example -

    [Paths]
    Win=C:\WINDOWS

  • The virus attempts to shut down firewall or security software by looking for any visible or hidden window whose title contains one of the following strings -

    alarm, agent, msie, navap, mstask, webcheck, iomon, nai_vs_stat, scan, shield

  • The virus then searches the "Program Files" folder for subfolders whose names match one of the following partial strings and, if found, deletes the files within that folder ("*" is a wildcard character) -

    norton*virus
    black*ice
    pc*cillin
    mc*afee
    zone*labs
    worm*guard
    f-secure*antivir
    f-prot
    avp*kaspers
    panda

  • The virus copies itself to the Windows\System folder under a random file name, then modifies the WIN.INI file to load the virus at Windows startup by changing the "Run=" value
  • Virus modifies the registry to load itself when any EXE file is executed -

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)=C:\Windows\Rundll16.exe "%1" %*

  • Normally, the registry key data is the following -

    (Default)="%1" %*

  • Virus modifies the registry to load itself when a Registry file is opened -

    HKEY_CLASSES_ROOT\regfile\shell\open\command
    (Default)=C:\Windows\Rundll16.exe regedit.exe "%1"

  • Normally, the registry key data is the following -

    (Default)=regedit.exe "%1"

  • Virus modifies the registry by creating two keys to load itself when Windows starts -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run\

    LoadCurrentProfile=
    Rundll16.exe powprof.dll,LoadCurrentUserProfile

    Online Services=
    C:\Program Files\Online Services\Online Services16.exe
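As an added example (not part of the Fortinet write-up), a small Python checker that reads a plain-text registry dump in the "key line followed by Name=Data lines" layout used above and flags the two hijacked shell commands and the Run entries that launch the dropped copies. The dump format, the function names and the sample dump are constructed for this illustration.

```python
from typing import Dict, List

# Clean default command values for the two file classes the worm rewrites.
CLEAN_DEFAULTS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command": 'regedit.exe "%1"',
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# File names the write-up lists for the dropped copies (matched case-insensitively).
DROPPED_NAMES = ("rundll16.exe", "online services16.exe")


def parse_reg_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a constructed dump: a bare key path line, then Name=Data lines."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:            # a key path line
            current = line
            keys.setdefault(current, {})
        elif current is not None:      # a value line under the current key
            name, _, data = line.partition("=")
            keys[current][name.strip()] = data.strip()
    return keys


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per indicator matching this worm's persistence."""
    findings: List[str] = []
    for key, clean in CLEAN_DEFAULTS.items():
        data = keys.get(key, {}).get("(Default)")
        if data is not None and data != clean:
            findings.append(f"{key} hijacked: {data!r} (expected {clean!r})")
    for name, data in keys.get(RUN_KEY, {}).items():
        if any(dropped in data.lower() for dropped in DROPPED_NAMES):
            findings.append(f"Run value {name!r} launches {data!r}")
    return findings


# Constructed sample dump reproducing the modifications described above.
SAMPLE_DUMP = r"""
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default)=C:\Windows\Rundll16.exe "%1" %*
HKEY_CLASSES_ROOT\regfile\shell\open\command
(Default)=regedit.exe "%1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
LoadCurrentProfile=Rundll16.exe powprof.dll,LoadCurrentUserProfile
Online Services=C:\Program Files\Online Services\Online Services16.exe
"""

if __name__ == "__main__":
    for finding in find_indicators(parse_reg_dump(SAMPLE_DUMP)):
        print(finding)
```

On the sample, the regfile command is still clean and so produces no finding, while the exefile hijack and both Run values are reported.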

  • The virus attempts to access other drives and writes a copy of itself under one of the file names below:

    Kama Sutra.exe, GiRlZ FoReVeR (Wow).exe, Nikita v1.1 (Zip).exe,
    Pamela Anderson (Porno Installation).exe, Britney Spears Naked.exe,
    Teen Sex Cam.exe, Kurnikova Screensaver (6+).exe, CrEdIt CaRdZ gEn.exe, SeX.eXe, Faith.exe

  • ...and writes an "Autorun.inf" file whose instructions execute that copy.
  • Virus contains code to manipulate mIRC clients to connect to one of the following IRC servers -

    irc.omega.bg, irc.otel.net, irc.prolink.bg, irc.spnet.net, irc.techno-link.com, irc.telecoms.bg, irc.ttm.bg, irc.tu-varna.edu, irc.unibg.org, irc.vega.bg, irc.evko.com, irc.exco.net, irc.hot.bg, irc.itdnet.net, irc.lirex.com, irc.lt-tech.net, irc.naturella.com, irc.nbu.bg, irc.netel.bg, irc.asenovgrad.net, irc.bgbest.net, irc.bia-bg.com, irc.bitex.com, irc.bourgas.net, irc.chatbg.net, irc.comnet.bg, irc.dobrich.net

  • Additionally, the virus modifies the MIRC.INI file to turn the client into a bot that awaits instructions from the controller or hacker
  • The virus captures cached network passwords and attempts to email them to the author
  • The virus may scavenge the system for email addresses to build a list of targets and send itself to them. The email message is constructed from a table of possible subject lines and message bodies; the content is in either English or Latin-script Bulgarian, as in these examples -

    Body (example 1):
    There is a very dangerous virus circulating in the net. It's called RoRo and it's using IRC to infect computers. This virus deletes movies, music and corrupt your windows installation. To prevent from infecting, install McAfee Anti-Script 2002. It's a 30-days demo

    Body (example 2):
    Hi, kak e :) ko si praikash? az si slusham muzichka - ATC i Mortal Kombat Soundtrack - Varhovni sa, napravo izbuhnah :))) Drapnah si gi ot neta s taq programka - ima 200 kubriliona klasacii :) Naposledak muzikata e edno ot malkoto mi udovolstviq.P.S. Obezatelno si drapni ATC - Why oh why.mp3 :)).Chao, doskoro!!

    Body (example 3):
    Zdravei, zdrasti, dai pari za pasti :)) Ko praish? Za teb neznam ama v momenta se chustvam mnoo qko i reshih da ti pisha :) Kolko ti e rekorda na minichkite? Toku shto na Expert razminirah za 2 minuti :))) Ei sq smqtam da si vzema nqkoi qk film i da gledam. Hodil li si na undefineds - Mnoo me kefi :)) Za drugo ne se seshtam tai che chao za sega :))

  • The file attachment name may vary as well, based on a table of possible file names.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-01-12 90.09587
2022-12-13 90.08707