W32/Oror.B@mm
Analysis
- The virus is a 32-bit Windows executable written in Visual C++
- The virus is 106,496 bytes in size
- When executed, the virus copies itself into the Windows folder as Rundll16.exe
- The virus picks a random folder within the "Program Files" folder and creates a file in that folder named after the folder itself, with one of the suffixes 2K, 32 or 16 appended, as in this example -
Program Files\Online Services\Online Services16.exe
- The virus locates the Windows folder and modifies MSDOS.SYS by adding a key to the [Paths] section of that configuration file, as in this example -
[Paths]
Win=C:\WINDOWS
- The virus attempts to shut down firewall or security software by looking for any window, visible or hidden, whose title contains one of the following strings -
alarm, agent, msie, navap, mstask, webcheck, iomon, nai_vs_stat, scan, shield
- The virus then searches the "Program Files" folder for sub-folders whose names match one of the following partial strings, where "*" is a wildcard character, and deletes the files within any folder found -
norton*virus
black*ice
pc*cillin
mc*afee
zone*labs
worm*guard
f-secure*antivir
f-prot
avp*kaspers
panda
- The virus copies itself to the Windows\System folder under a random file name, then sets the "Run=" value in the [windows] section of WIN.INI so that the copy is loaded at Windows startup
- The virus modifies the registry so that it is loaded whenever any EXE file is executed -
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default)=C:\Windows\Rundll16.exe "%1" %*
- Normally, the registry key data is the following -
(Default)="%1" %*
- The virus modifies the registry so that it is loaded whenever a Registry (.REG) file is opened -
HKEY_CLASSES_ROOT\regfile\shell\open\command
(Default)=C:\Windows\Rundll16.exe regedit.exe "%1"
- Normally, the registry key data is the following -
(Default)=regedit.exe "%1"
- Because of the exefile hook, deleting Rundll16.exe before restoring the default (Default)="%1" %* value leaves Windows unable to launch any EXE file, so restore the value first and remove the file afterwards
- The virus adds two values under the Run key to load itself when Windows starts; the first is named to resemble the legitimate Rundll32 power-profile startup entry -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
LoadCurrentProfile=Rundll16.exe powprof.dll,LoadCurrentUserProfile
Online Services=C:\Program Files\Online Services\Online Services16.exe
- The virus attempts to connect to other drives and writes itself to them under one of the file names below:
Kama Sutra.exe, GiRlZ FoReVeR (Wow).exe, Nikita v1.1 (Zip).exe, Pamela Anderson (Porno Installation).exe, Britney Spears Naked.exe, Teen Sex Cam.exe, Kurnikova Screensaver (6+).exe, CrEdIt CaRdZ gEn.exe, SeX.eXe, Faith.exe
- ...and writes an "Autorun.inf" file on the same drive with instructions to execute the file written
- The virus contains code to manipulate mIRC clients into connecting to one of the following IRC servers -
irc.omega.bg, irc.otel.net, irc.prolink.bg, irc.spnet.net, irc.techno-link.com, irc.telecoms.bg, irc.ttm.bg, irc.tu-varna.edu, irc.unibg.org, irc.vega.bg, irc.evko.com, irc.exco.net, irc.hot.bg, irc.itdnet.net, irc.lirex.com, irc.lt-tech.net, irc.naturella.com, irc.nbu.bg, irc.netel.bg, irc.asenovgrad.net, irc.bgbest.net, irc.bia-bg.com, irc.bitex.com, irc.bourgas.net, irc.chatbg.net, irc.comnet.bg, irc.dobrich.net
- Additionally, the virus modifies the MIRC.INI file to turn the client into a bot that awaits instructions from the controller
- The virus captures cached network passwords and attempts to email them to the author
- The virus may scavenge the system for email addresses in order to build a list of targets and send itself to them - the message is constructed from a table of possible subject lines and message bodies, with content in either English or transliterated Bulgarian, as in these examples -
Body (example 1):
There is a very dangerous virus circulating in the net. It's called RoRo and it's using IRC to infect computers. This virus deletes movies, music and corrupt your windows installation. To prevent from infecting, install McAfee Anti-Script 2002. It's a 30-days demo
Body (example 2):
Hi, kak e :) ko si praikash? az si slusham muzichka - ATC i Mortal Kombat Soundtrack - Varhovni sa, napravo izbuhnah :))) Drapnah si gi ot neta s taq programka - ima 200 kubriliona klasacii :) Naposledak muzikata e edno ot malkoto mi udovolstviq. P.S. Obezatelno si drapni ATC - Why oh why.mp3 :)). Chao, doskoro!!
(English translation: Hi, how's it going :) what are you up to? I'm listening to music - ATC and the Mortal Kombat Soundtrack - they're top-notch, I just about exploded :))) I grabbed them off the net with this little program - it has 200 gazillion charts :) Lately music is one of my few pleasures. P.S. Definitely grab ATC - Why oh why.mp3 :)). Bye, see you soon!!)
Body (example 3):
Zdravei, zdrasti, dai pari za pasti :)) Ko praish? Za teb neznam ama v momenta se chustvam mnoo qko i reshih da ti pisha :) Kolko ti e rekorda na minichkite? Toku shto na Expert razminirah za 2 minuti :))) Ei sq smqtam da si vzema nqkoi qk film i da gledam. Hodil li si na undefineds - Mnoo me kefi :)) Za drugo ne se seshtam tai che chao za sega :))
(English translation: Hello, hi, give me money for pastries :)) What are you up to? Don't know about you, but right now I feel really great and decided to write to you :) What's your record at Minesweeper? I just cleared Expert in 2 minutes :))) Now I'm planning to get some cool movie and watch it. Have you been to undefineds - I really like it :)) Can't think of anything else, so bye for now :)))
- The file attachment name may vary as well, based on a table of possible file names
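The persistence and propagation artefacts listed above (the exefile and regfile shell\open\command hooks, the WIN.INI Run= autostart, the key added to the [Paths] section of MSDOS.SYS, the Autorun.inf dropped on other drives, and the <folder>\<folder>2K|32|16.exe naming pattern under Program Files) can all be checked offline from exported files. The script below is an added example written for this page, not Fortinet's detection code; the .reg export, INI files, paths and the random file name kjhsdf.exe are constructed samples, and the "expected" shell command defaults are the standard Windows values.

```python
r"""Offline triage of the W32/Oror.B@mm artefacts: shell\open\command hooks,
WIN.INI Run=, MSDOS.SYS [Paths], Autorun.inf and the Program Files drop.
Added example, not Fortinet's code; all sample inputs are constructed."""
import configparser
import re

# Standard Windows defaults for the two verbs the worm hooks. Anything
# prepended to them (here Rundll16.exe) is a hijack.
EXPECTED_SHELL_COMMANDS = {
    r"exefile\shell\open\command": '"%1" %*',
    r"regfile\shell\open\command": 'regedit.exe "%1"',
}

# Matches \Program Files\<folder>\<folder>2K.exe, ...32.exe or ...16.exe
PROGRAM_FILES_DROP = re.compile(
    r"\\Program Files\\([^\\]+)\\\1(2K|32|16)\.exe$", re.IGNORECASE)


def parse_reg_export(text):
    """Read a .reg export into {key_path: default_value}; only each key's
    @= default value is kept, which is all the shell verbs need."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg escapes backslash and double quote with a backslash
            values[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return values


def check_shell_commands(values):
    """Return [(verb, observed, expected)] for every hooked verb."""
    findings = []
    for key, observed in values.items():
        for verb, expected in EXPECTED_SHELL_COMMANDS.items():
            if key.lower().endswith(verb) and observed.strip() != expected:
                findings.append((verb, observed, expected))
    return findings


def load_ini(text):
    """Parse a Win9x-style INI file into {section_lower: {key_lower: value}}.
    RawConfigParser does no % interpolation, so %1-style values survive."""
    cp = configparser.RawConfigParser(allow_no_value=True, strict=False)
    cp.read_string(text)
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}


def win_ini_autostarts(text):
    """Return the non-empty run=/load= entries of [windows] in WIN.INI."""
    windows = load_ini(text).get("windows", {})
    return {k: windows[k] for k in ("run", "load") if windows.get(k)}


def msdos_sys_paths(text):
    """Return the [Paths] section of MSDOS.SYS (the worm adds Win= there)."""
    return load_ini(text).get("paths", {})


def autorun_target(text):
    """Return what an Autorun.inf would launch on drive access, or None."""
    autorun = load_ini(text).get("autorun", {})
    return autorun.get("open") or autorun.get("shellexecute")


def program_files_drops(paths):
    """Return the paths that match the Program Files drop naming pattern."""
    return [p for p in paths if PROGRAM_FILES_DROP.search(p)]


# Constructed samples reflecting the values listed above (not real exports)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Windows\\Rundll16.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="C:\\Windows\\Rundll16.exe regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\kjhsdf.exe\n"
SAMPLE_MSDOS_SYS = "[Paths]\nWinDir=C:\\WINDOWS\nWinBootDir=C:\\WINDOWS\nWin=C:\\WINDOWS\n"
SAMPLE_AUTORUN = "[autorun]\nopen=Britney Spears Naked.exe\n"
SAMPLE_PATHS = [
    r"C:\Program Files\Online Services\Online Services16.exe",
    r"C:\Program Files\Online Services\Setup.exe",
    r"C:\Program Files\Accessories\Accessories2K.exe",
]


def triage():
    """Run every check over the constructed samples and return the findings."""
    return {
        "shell_hijacks": check_shell_commands(parse_reg_export(SAMPLE_REG)),
        "win_ini": win_ini_autostarts(SAMPLE_WIN_INI),
        "msdos_sys_paths": msdos_sys_paths(SAMPLE_MSDOS_SYS),
        "autorun": autorun_target(SAMPLE_AUTORUN),
        "program_files": program_files_drops(SAMPLE_PATHS),
    }


if __name__ == "__main__":
    for name, result in triage().items():
        print(f"{name}: {result}")
```

The shell-verb check deliberately compares against the full default value rather than searching for the string Rundll16.exe, so it also catches a variant dropped under a different name; on a real system, export HKEY_CLASSES_ROOT with regedit and feed the file to parse_reg_export. Because the exefile hook runs before every EXE, restore that value before deleting the dropped file.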