Network Worm "Roron" - Red Alert!
06 Nov 2002
Kaspersky Lab, an international data security software developer, reports the appearance of a new network worm named "Roron", created in Bulgaria. Six variants of the worm have been detected so far, and they have been credited with infecting computers in many regions, including the U.S.A., Russia and a number of European countries.
Its destructive functions, a built-in backdoor intended for unauthorized remote control of victim computers, and its ability to spread via many communication channels place this worm in an especially high danger category.
"Roron" spreads using several data transfer channels: via email as an attached file, via local area networks and via the KaZaA file-sharing network. A system becomes infected only if a user manually launches (opens) a file containing the worm that was received via one of these channels. Once on a computer, "Roron" creates copies of itself in the Windows system directory and in Program Files and then registers one of these files in the system registry's auto-run key. In this way the worm ensures that it is activated each time the system is booted. Sometimes, while infecting a system, the worm displays a false warning:
WinZip Self-Extractor License Confirmation
Your version of WinZip Self-Extractor is not licensed, or the license
information is missing or corrupted. Please contact the program vendor
or the web site (www.WinZip.com) for additional information.
After the infection routine is complete, "Roron" activates its spreading routines:
- To spread via e-mail it clandestinely creates a message that may have different subjects, texts and attached file names. Then it sends this message to the recipients whose addresses it found in the InBox folder of the infected computer.
- To spread via local area networks the worm searches available network resources, locates those with file-sharing resources and copies itself there under a random name. In this way "Roron" may place copies of itself on public file servers, which may lead other network users to download these files and infect their own machines.
- To spread via the KaZaA network the worm searches for KaZaA file-sharing folders, where it inserts its copy, thus making it available for download by other KaZaA users.
"Roron" carries a very impressive armory of extremely dangerous payload and backdoor functions. If the infected computer has an mIRC client installed (software used to access Internet Relay Chat (IRC) channels), the worm infects it with a backdoor component. This allows a malicious person to gain unauthorized remote control over the infected computer: unnoticed, the attacker can download, upload and execute files, send out e-mail messages on behalf of the user, etc. The backdoor component also carries a feature for performing DoS (Denial of Service) attacks from the infected computer against other computers specified by the hacker. Therefore, if "Roron" causes a global outbreak infecting as many systems as Tanatos (BugBear) or Lentin (Yaha), it may enable hackers to perform massive distributed DoS attacks even more powerful than the huge attack two weeks ago, when 13 Internet "backbone" servers were attacked, ultimately bringing nine of them temporarily down.
"Roron" also destroys data stored on hard drives. This payload is activated when at least one of the following conditions is fulfilled:
- the current system date is the 9th or 19th (regardless of the current month)
- one of the worm's core components is deleted (WINFILE.DLL)
- the worm's Windows system registry keys are deleted
- randomly, depending on the worm's internal counter
"Roron" also searches for some anti-virus software programs in the operating memory and deactivates them. In addition, the worm tries to delete this anti-virus software from the hard drive.
The defense against "Roron" has already been added to the Kaspersky Anti-Virus databases.
For more detailed information about this malicious program and guidelines on how to disinfect your computer, please visit the Kaspersky Virus Encyclopedia.