Also known as I-Worm.Roron.P, W32/Roro.P, Roro, Roron and Oror, it appeared at the end of 2002 but never became very widespread. Several new versions of the worm have appeared since then.
The worm removes specific anti-virus and security software and prevents its installation. Removing the worm from an infected system can be a challenge, because it carries a payload that it can activate while an infected system is being cleaned. If activated, the payload deletes all files from every available hard drive; with special recovery software, however, the files can be recovered.
For technical information, visit this F-Secure Web page.
Worm, Trojan Making the Rounds
Also causing a nuisance Friday are HLLP.Gartin.9680, a parasitic DOS virus that is written in a high-level language, such as Pascal, and Trojan.Downloader.Inor, a Trojan horse, according to Symantec.
Trojan.Downloader.Inor attempts to contact a Web site that will determine and then display the language settings of your computer; and it tries to download a file from a certain Web site. When first discovered, Trojan.Downloader.Inor downloaded the Trojan.Qwe file.
Once HLLP.Gartin.9680 is executed, it searches for and infects a small number of files that have an MZ Header, such as the .exe and .dll files. HLLP.Gartin.9680 looks for these files on the root of the A, B, C, and D drives. When HLLP.Gartin.9680 infects a new host file, it copies 9,680 bytes from the beginning of the file to the end, and then replaces the first 9,680 bytes with itself.
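As an added example (not code from the article or from Symantec), the following Python models the prepending layout described above, flags a candidate file and restores the host from it. It assumes the host is at least 9,680 bytes long and that the bytes moved to the end are an unmodified copy of the host's original first 9,680 bytes; the virus body and host bytes used here are constructed filler, not real executables.

```python
# Layout described for HLLP.Gartin.9680 (assumed exact here):
#   [virus body, 9,680 bytes][host bytes from offset 9,680][host's first 9,680 bytes]
PREPEND_SIZE = 9680


def looks_prepended(data: bytes, size: int = PREPEND_SIZE) -> bool:
    """Heuristic: the displaced host header should sit in the last `size` bytes.

    Caveat: the virus body at offset 0 also carries an MZ signature, so this
    only nominates a candidate for repair; a clean file ending in "MZ" would
    also match, and a real scanner would pair it with a body signature.
    """
    return len(data) >= 2 * size and data[-size:][:2] == b"MZ"


def repair_prepended_host(infected: bytes, size: int = PREPEND_SIZE) -> bytes:
    """Rebuild the original host: tail block back to the front, virus body dropped."""
    if len(infected) < 2 * size:
        raise ValueError("file too short to hold a displaced header of this size")
    displaced_head = infected[-size:]
    if displaced_head[:2] != b"MZ":
        raise ValueError("no MZ header at the expected tail position")
    return displaced_head + infected[size:-size]


def _constructed_host() -> bytes:
    # Constructed stand-in for a host executable: MZ signature plus filler,
    # 10,242 bytes so it exceeds PREPEND_SIZE.
    return b"MZ" + bytes(range(256)) * 40


def _constructed_infected_layout(host: bytes, size: int = PREPEND_SIZE) -> bytes:
    # Constructed, non-functional filler in place of the virus body, arranged
    # in the layout the article describes so the repair can be exercised.
    return b"\x00" * size + host[size:] + host[:size]


def demo() -> bool:
    host = _constructed_host()
    infected = _constructed_infected_layout(host)
    return looks_prepended(infected) and repair_prepended_host(infected) == host
```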
If the virus is active in memory, it randomly flashes the Num Lock, Caps Lock, and Scroll Lock LEDs of the keyboard.
Symantec has given both the worm and the Trojan a low threat and distribution rating. For more information on HLLP.Gartin.9680, check here.
To learn more about Trojan.Downloader.Inor, visit this page.
Week in Review
Three worms -- Redlof.B, Buffy.D and Oror.Q -- along with a Trojan called Pornspa.F dominated virus activity this week, according to Panda Software.
Redlof.B is a polymorphic worm that spreads rapidly via e-mail, hiding its code in the file that serves as stationery for all the messages the affected user sends through the Outlook mail client.
Its main goal is to infect other computers by copying itself to HTT files, which are used to view system folders as Web pages. The worm automatically runs when a folder is opened. Redlof.B also exploits the vulnerability that affects the VM ActiveX component, which allows a virus to be run when a Web page that contains the viral code is viewed.
The Buffy.D worm is designed to spread through IRC channels and display a message every time an infected computer is restarted. The following files are also created on the hard drive: "BTVS.EXE", "WINSTART.BAT" and "START.VBS".
Similarly, if the computer has the chat application IRC installed, the worm will modify the file "SCRIPT.INI," so it can spread through this program.
Oror.Q is a dangerous worm that deletes files that belong to antivirus programs and also closes the active processes related to these programs. Although it usually spreads via e-mail, Oror.Q can also spread across the computers connected to a network.
This worm activates when the attached file is run, or when the message carrying the worm is viewed through Outlook's Preview Pane. It does this by exploiting the Exploit/iFrame vulnerability in this mail program. In addition, if the chat application mIRC is installed on the infected computer, Oror.Q will open a communication port, leaving the computer exposed to external attackers.
The Pornspa.F virus is a dialer Trojan that connects to a premium-rate phone number. When it is installed on the system, it displays an icon in the Taskbar, next to the system clock. If the user right-clicks this icon, the option "Uninstall..." appears. If this option is selected, it will appear that Pornspa.F has been removed; however, a process belonging to the Trojan remains and the change made to the Windows Registry is not undone. Once the computer is restarted, Pornspa.F remains on the affected computer, although it is hidden.
Pornspa.F also creates a shortcut to the file "DATEMAKERINTL.EXE" on the desktop, and creates an entry in the Windows Registry so that it is run every time Windows is started.
For further information about these and other viruses, visit Panda Software's Virus Encyclopedia.
Compiled by Esther Shein.