Win32/Roron.41 is a worm that spreads as an email file attachment.  It also spreads across local area networks and through the mIRC IRC client.  The worm is compressed with UPX.

Win32/Roron.41 arrives in an email message whose subject is randomly generated.  The text of the message body and the name of the file attachment containing the worm are also randomly generated.  Only in a few cases does the worm use predefined combinations of subject, body text, and attachment filename.

Note: In the following text, the symbolic name %windir% stands for the directory in which the Windows operating system is installed. This directory may differ from installation to installation.

After the attachment file is run, it displays a fake error message and copies itself into the directory %windir%/System (Windows 9x/Me) or %windir%/System32 (Windows NT/XP/2000).  The name of the copy is created by adding the characters 2k, 16 or 32 to the name of a file that already exists in that directory.  The worm ensures that this copy is activated by creating an entry under the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run that points to the created copy.
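The naming scheme and Run entry described above suggest a simple triage check, shown here as an added example that is not part of the original description: flag Run values whose target sits in the system directory and whose base name is another file's base name plus 2k, 16 or 32. It assumes the suffix is placed before the file extension; the Run values, paths and directory listing are constructed sample data.

```python
import ntpath  # Windows path rules on any OS, so the check runs offline

SUFFIXES = ("2k", "16", "32")  # suffixes named in the description above

def target_path(command):
    """Extract the executable path from a Run value (assumes no unquoted spaces)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def suspicious_run_entries(run_values, system_dir, dir_listing):
    """Return (value name, file, look-alike base) for Run targets in system_dir
    whose base name is another listed file's base name plus one of SUFFIXES."""
    stems = {ntpath.splitext(name)[0].lower() for name in dir_listing}
    hits = []
    for value_name, command in sorted(run_values.items()):
        directory, filename = ntpath.split(target_path(command))
        if ntpath.normcase(directory) != ntpath.normcase(system_dir):
            continue  # the copy is described as living in the system directory
        stem = ntpath.splitext(filename)[0].lower()
        for suffix in SUFFIXES:
            base = stem[: -len(suffix)]
            if stem.endswith(suffix) and base in stems:
                hits.append((value_name, filename, base))
                break
    return hits

# Constructed sample: exported Run values and a system directory listing.
SAMPLE_SYSTEM_DIR = r"C:\WINNT\System32"
SAMPLE_RUN = {
    "SystemTray": "SysTray.Exe",
    "Rundll": r"C:\WINNT\System32\rundll32.exe shell32.dll",
    "ConstructedEntry": r'"C:\WINNT\system32\Notepad32.exe"',
}
SAMPLE_LISTING = ["notepad.exe", "Notepad32.exe", "rundll32.exe", "calc.exe"]

if __name__ == "__main__":
    for name, filename, base in suspicious_run_entries(
            SAMPLE_RUN, SAMPLE_SYSTEM_DIR, SAMPLE_LISTING):
        print(f"Run value {name!r}: {filename} shadows base name {base!r}")
```

Legitimate files can follow the same pattern, so a hit is a lead for inspecting the file, not a verdict.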

The worm deactivates many resident anti-virus programs and other security programs by closing any window whose name matches one of the following strings: black, panda, shield, guard, scan, mcafee, nai_vs_stat, iomon, navap, avp, alarm, f-prot, secure, labs or antivir.

Win32/Roron.41 erases all files from directories whose names match strings indicating the names of anti-virus programs or firewalls.  The worm looks for the following strings: virus, norton, ice, black, cillin, pc, afee, mc, labs, zone, guard, worm, firewall, esafe, lockdown, conseal, antivir, f-secure, f-prot, kaspers, avp and panda.

The worm spreads in local area networks using shared drives.  If it finds the mIRC IRC client, it overwrites the file mirc.ini to secure its spreading.

NOD32 detects Win32/Roron.41 from version 1.333 onward.

