
Win32/Roron.53


Win32/Roron.53 is a worm related to Win32/Roron.41. It spreads as a file attached to e-mail messages, across local area networks, and via the mIRC IRC client. The worm is compressed with UPX.

Win32/Roron.53 arrives in a message with a randomly generated subject. The body text and the name of the attached file containing the worm are randomly generated as well. Only in a few cases does the worm use predefined combinations of subject, body text, and attachment filename.

Note: In the following text, the symbolic name %windir% stands for the directory in which the Windows operating system is installed; this may differ from installation to installation. %system% stands for the directory %windir%/System (Windows 9x) or %windir%/System32 (Windows NT, XP).

After Win32/Roron.53 is run, it creates copies of itself at different locations on the hard disk. One of the copies is placed in a randomly chosen directory under Program Files. The newly created file always has the same name as the directory in which it is located (e.g. C:\Program Files\Accessories\Accessories.exe).

It also creates files in %windir%, named 7per16.dll, faith.ini, run7per32.exe and dxdrv.dll, and the files lib7per98.sys, rep7sys.def and mslocusr16.exe in the directory %system%.

To ensure that it is activated after the system restarts, the worm modifies the system registry. It creates the item RunAgent in HKLM\Software\Microsoft\Windows\Run, whose value points to the created file Run7per32.exe. In the same key it also creates an item with a randomly generated name whose value points to the file created in the randomly chosen directory under Program Files (in this case, e.g., the item Accessories with the value C:\program files\accessories\accessories.exe). It also modifies HKLM\Software\CLASSES\exefile\shell\open\command\, setting it to the value Run7per32.exe "%1" %*. In addition, it ensures its activation by modifying the file win.ini.

!!! ATTENTION !!! While the worm is active in memory, it cannot be removed from the system registry, neither by changing the registry key nor by deleting the particular files. Attempting this procedure causes files to be deleted from the hard disk. You should therefore upgrade NOD32 to the newest version available.

NOD32 detects Win32/Roron.53 from version 1.377 and disinfects it from version 1.402.
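
The file names, the Program Files naming pattern and the exefile command change described above can be checked read-only, for instance against a mounted disk image. The following Python sketch is an added example, not ESET's code; the function names and the sample directory tree are constructed for illustration, and `"%1" %*` is the stock Windows value of the exefile open command.

```python
import os
import tempfile

# Indicator names taken from the description above (compared case-insensitively).
WINDIR_FILES = {"7per16.dll", "faith.ini", "run7per32.exe", "dxdrv.dll"}
SYSTEM_FILES = {"lib7per98.sys", "rep7sys.def", "mslocusr16.exe"}
DEFAULT_EXEFILE_CMD = '"%1" %*'  # stock value of exefile\shell\open\command

def dropped_files(directory, names):
    """Return indicator files present directly in `directory`, sorted."""
    try:
        entries = os.listdir(directory)
    except OSError:
        return []  # directory missing or unreadable: nothing to report
    return sorted(e for e in entries
                  if e.lower() in names and os.path.isfile(os.path.join(directory, e)))

def dirname_twins(program_files):
    """Return files named <dir>.exe inside <dir>, the pattern of the Program Files copy.
    Legitimate software can match too, so treat hits as leads, not verdicts."""
    hits = []
    for root, _dirs, files in os.walk(program_files):
        wanted = os.path.basename(root).lower() + ".exe"
        hits += [os.path.join(root, f) for f in files if f.lower() == wanted]
    return sorted(hits)

def exefile_hijacked(command_value):
    """True if the exefile open command differs from the stock value."""
    return command_value.strip().lower() != DEFAULT_EXEFILE_CMD

def build_sample_tree(base):
    """Constructed sample data: empty files laid out like an infected disk."""
    for rel in ("Windows/Run7per32.exe", "Windows/faith.ini", "Windows/notepad.exe",
                "Windows/System32/rep7sys.def", "Program Files/Accessories/wordpad.exe",
                "Program Files/Accessories/Accessories.exe"):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        print(dropped_files(os.path.join(base, "Windows"), WINDIR_FILES))
        print(dropped_files(os.path.join(base, "Windows", "System32"), SYSTEM_FILES))
        print(dirname_twins(os.path.join(base, "Program Files")))
        print(exefile_hijacked('Run7per32.exe "%1" %*'))
```

The command value passed to `exefile_hijacked` has to be read separately, for example from an exported registry hive of the system under examination.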


