I-Worm.Ronoper
Details
I-Worm.Ronoper.a
Ronoper is a worm virus spreading via the Internet as an attachment to infected emails. The worm has a primitive backdoor routine and is able to download and install other trojan horse programs.
The worm itself is a Windows PE EXE file about 16KB in length when compressed by UPX; the decompressed size is approx. 50KB. It is written in Borland Delphi.
Infected messages have the following attributes:
Subject: Re:
Body: I Hope you reply me. Thank you very much for reading my msg Bye.
Attach: WinCfg32.exe
The worm is activated from infected emails only when a user clicks on the attached file. Once run, the worm installs itself on the system and starts its spreading routine and backdoor.
Installing
During installation the worm copies itself to the Windows directory under the name “WinCfg32.exe” and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WinCfg32 = %WinDir%\WinCfg32.exe
Spreading Backdoor
The backdoor routine connects to a machine (located somewhere in Turkey) and listens for its “master’s” instructions. Such instructions can include:
- report system information
- reboot the machine
- join the “ronop” IRC channel
Other
The ‘Ronoper’ worm downloads an EXE file from the http://www.kamerali.com site, stores it in the TEMP directory under the name “security.exe” and executes it.
By doing this the worm is able to install trojan programs onto infected machines.
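A host-side triage check for the persistence artifact described under “Installing” and the dropped payload described above, as an added example that is not part of the original write-up; the artifact names come from the page, while the function name and output layout are my own.

```powershell
# Added example: look for the Ronoper artifacts named in the description
# (Run-key value "WinCfg32", %WinDir%\WinCfg32.exe, %TEMP%\security.exe).
$RunKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-RonoperArtifacts {
    $findings = @()

    # 1. Auto-run value "WinCfg32" registered by the installer routine
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains 'WinCfg32')) {
        $findings += [pscustomobject]@{
            Artifact = 'Run key value WinCfg32'
            Location = "$RunKey\WinCfg32"
            Value    = $run.WinCfg32
        }
    }

    # 2. Files on disk: the worm's own copy and the downloaded payload
    $paths = @(
        (Join-Path $env:WINDIR 'WinCfg32.exe'),
        (Join-Path $env:TEMP   'security.exe')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            # Record the hash so the file can be matched against AV/sandbox data
            $findings += [pscustomobject]@{
                Artifact = 'File on disk'
                Location = $p
                Value    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            }
        }
    }
    return $findings
}

$results = Get-RonoperArtifacts
if ($results.Count -eq 0) {
    Write-Output 'No Ronoper artifacts found.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it in an elevated session so that the HKLM Run key and the Windows directory are readable; a hit on the Run-key value alone is enough to treat the host as infected, since the name is not used by any legitimate Windows component.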