Roron, also known as Oror, is an email worm from 2002. The Roron family produced a number of similar variants, all of which had a malicious payload as well as the ability to spread over multiple vectors.
Roron arrives in an email with about 20 different possible subject lines, message bodies and attachment names. Many of these might be in Bulgarian transliterated into Roman letters. It may also arrive through a KaZaa share folder, IRC, or an infected computer on the network.
When Roron is executed, it displays a fake message informing the user that their version of WinZip Self-Extractor is not licensed. It copies itself to the windows folder as Rundll16.exe and adds the value "LoadCurrentProfile Rundll16.exe powprof.dll,LoadCurrentUserProfile" to the local machine run registry key to ensure the worm starts when the computer does. It chooses a random file in the system folder and copies the file name to create a copy of itself in the system folder with that name and "2k", "16" or "32" added to it with a .exe extension. It adds a line to the Win.ini file as well as the same registry key to ensure this file runs at every startup. It chooses a random file in a subfolder of the Program files folder and copies the file name to create a copy of itself in that folder with that name and "2k", "16" or "32" added to it with a .exe extension, then adds this path and name to the same registry key. It may create the file ~msdos.--- in the root directory of the C: drive and the files Winfile.dll, Def12x.dll and Rn3a.vxd in the Windows folder. Although some of their extensions may suggest otherwise, these are actually text files.
The worm then tries to shut down and destroy the system's security. It closes any windows with the text black, panda, shield, scan, mcafee, labs, zone, alarm, agent, avp, msie, navap, mstask, webcheck, iomon, nai_vs_stat or virus in their titles. It also looks for folders with certain strings in their names and deletes all files in them. These strings are: "kaspers", "mcafee", "panda", "avp", "pc", "cillin", "labs" with "zone", "black" with "ice" and "norton" with "virus".
Roron mails itself to all addresses it finds in the email in the inbox. It uses the default mail client to mail itself. It overwrites mIRC script files, so it will be sent over IRC. The worm copies itself to any network shares and mapped drives it finds as one of the following file names:
- Kama Sutra.exe
- GiRlZ FoReVeR (Wow).exe
- Nikita v1.1 (Zip).exe
- Pamela Anderson (Porno Installation).exe
- Britney Spears Naked.exe
- Teen Sex Cam.exe
- Kurnikova Screensaver (6+).exe
- CrEdIt CaRdZ gEn.exe
- SeX.eXe or Faith.exe
Roron has a malicious payload that is triggered by several different conditions. If the date is the 9th or 19th, "winfile.dll" is removed from the Windows folder, the worm's registry keys are removed or simply at random, the worm will delete all files from all available drives.
File:Rorocon.png Selected icons of Roron and its variants. Roron produced enough variants to go through the alphabet a little over one time. Some of these add functionality, like a more dangerous payload or the ability to spread over a different vector.
Origin and Name
Roron is believed to come from Bulgaria, as its emails come in English as well as Bulgarian written with Roman letters. It also goes by the name Oror, and gets both of those names from one of the possible message bodies, in which it warns of a worm very similar to itself. It advises the user to download an attachment posing as an antivirus product.
The worm infected computers in the US, Russia and some European countries. Bulgaria was hit the hardest by Roron, and this is its likely country of origin.
Yana Liu. Symantec, W32.HLLW.Oror@mm. 2007.02.13
Kasperky Lab, F-Secure Corp. F-Secure, F-Secure Virus Descriptions : Roron. 2002.11.06
Kaspersky Lab, Network Worm "Roron" - Red Alert!