Remove win32.Roron.aa@mm

Also Known As:
Win32/Oror.AE (CA)
Email-Worm.Win32.Roron.4999.c (Kaspersky)
W32/Oror-L (Sophos)
Win32.Oror.L@mm (BitDefender)
W32/Oror.af@MM (McAfee)
W32.HLLW.Oror.D@mm (Symantec)
WORM_OROR.L (Trend Micro)

Summary
Worm:Win32/Roron.AA@mm is a worm that attempts to send personal information to a remote address. It may spread via e-mail, network shares, or peer-to-peer file sharing.
Symptoms
System Changes
The following system changes may indicate the presence of Worm:Win32/Roron.AA@mm:
The presence of the following files:
sysnuht16.exe
syslog.dll
%windir%\Faith.ini
\thunLib.sys
%windir%\nuhta.cfg
\Dxnuht16.dll
%windir%\Runtask32.vxd
The presence of a value under the following registry subkey (the value name varies; see Installation below):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
With data: "Sysnuht16.exe powrprof.dll,LoadCurrentPwrScheme"

Technical Information
Worm:Win32/Roron.AA@mm is a worm that attempts to send personal information to a remote address. It may spread via e-mail, network shares, or peer-to-peer file sharing.
Installation
When executed, Worm:Win32/Roron.AA@mm checks whether a copy of itself is already running from the System, Windows, or Program Files folder. If no running copy is found, it copies itself to the Windows folder as "sysnuht16.exe".

It may also drop a DLL component in the System folder as "syslog.dll".


Worm:Win32/Roron.AA@mm modifies the system registry so that it executes every time Windows starts:
Adds value: <value name>
With data: "Sysnuht16.exe powrprof.dll,LoadCurrentPwrScheme"
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

Where the value name is one of these strings:
Run
Load
Start
suffixed by one of these strings:
Profile
System
Agent
For example, "RunProfile" or "StartSystem".
It then displays one of four dialog boxes.

To ensure that its copy is run every time an executable file is run, it modifies the following registry entry:
Modifies value: "(Default)"
With data: "Sysnuht16.exe "%1" %*"
To subkey: HKCR\exefile\shell\open\command\
Because every .exe launch is now routed through the worm's copy, deleting "sysnuht16.exe" while this entry is still in place leaves Windows unable to start executables; this is one reason manual cleanup of this threat is risky.

Program Files Subfolder Copy
Worm:Win32/Roron.AA@mm may also copy itself to a subfolder within the Program Files folder. The file name it uses for its copy consists of the first word of the subfolder name, optionally followed by "16" or "32". For example, if a subfolder named "Sample Program" exists, the Roron.AA copy may have any of the following file names:
%ProgramFiles%\Sample Program\Sample.exe
%ProgramFiles%\Sample Program\Sample16.exe
%ProgramFiles%\Sample Program\Sample32.exe

It then modifies the system registry so that its copy in the Program Files subfolder also automatically executes every time Windows starts:
Adds value: <value name>
With data: <path of the copy>
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

Where the value name is the base name of the EXE copy appended with one of the following:
"Agent"
" Startup"
" Loader"
Note that the last two of these have a leading space, but the first does not.

For example, the following entry may be created:
Adds value: "Sample16 Startup"
With data: "%ProgramFiles%\Sample Program\Sample16.exe"
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

System Folder Copy
Worm:Win32/Roron.AA@mm may also copy itself to the System folder. It selects an existing file within this folder and copies itself using that file's base name, optionally followed by "16" or "32". For example, if a file named "mydll.dll" exists, the Roron.AA copy may have any of the following file names:
\mydll.exe
\mydll16.exe
\mydll32.exe

Note: the System folder is a variable location that the malware determines by querying the operating system. The default installation location of the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP and Vista it is C:\Windows\System32.

It then modifies the system registry so that its copy in the System folder also automatically executes every time Windows starts:
Adds value: run
With data: <path of the copy>
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

For example, the following entry may be created:
Adds value: "run"
With data: "\mydll.exe"
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

Once Roron.AA has created its copies in the Program Files subfolder and the System folder, it launches "sysnuht16.exe".

It periodically checks whether its copies and their corresponding autostart entries have been removed; if so, it may recreate them.

Roron.AA creates the mutex "DangalakMutex" to ensure that no more than one copy may run at a time.
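As an added defender-side example (not part of the original description), the following Python checks autostart data already collected from a host against the naming scheme described above: the Windows folder loader value, the Program Files subfolder copy, the System folder "run" value, the exefile handler hijack, and the known file names. The Run value pairs and file paths are assumed to have been exported beforehand (for example from a registry query and a directory listing); the sample data below is constructed.

```python
import re
from pathlib import PureWindowsPath
# Indicators quoted from the description above; constants, not a full signature.
LOADER_DATA = "sysnuht16.exe powrprof.dll,loadcurrentpwrscheme"
LOADER_VALUE_NAMES = {p + s for p in ("Run", "Load", "Start")
                      for s in ("Profile", "System", "Agent")}
KNOWN_FILES = {"sysnuht16.exe", "syslog.dll", "faith.ini", "thunlib.sys",
               "nuhta.cfg", "dxnuht16.dll", "runtask32.vxd"}
# Run data for a Program Files copy: ...\<Subfolder name>\<Word>[16|32].exe
PF_COPY = re.compile(r'^"?(?:.*\\)?([^\\]+)\\([^\\]+?)(16|32)?\.exe"?$', re.I)

def check_run_values(values):
    r"""values: (name, data) pairs read from the HKLM ...\CurrentVersion\Run key.
    Returns (value name, reason) for each entry matching the worm's scheme."""
    hits = []
    for name, data in values:
        data = data.strip()
        if name in LOADER_VALUE_NAMES and data.lower() == LOADER_DATA:
            hits.append((name, "Windows folder loader entry"))
            continue
        m = PF_COPY.match(data)
        if m:
            subfolder, word = m.group(1), m.group(2)
            stem = word + (m.group(3) or "")
            # Copy is named after the subfolder's first word; the value name is
            # that stem plus "Agent", " Startup" or " Loader" (note the spaces).
            if subfolder.lower().split()[:1] == [word.lower()] and name.lower() in {
                    stem.lower() + "agent", stem.lower() + " startup", stem.lower() + " loader"}:
                hits.append((name, "Program Files subfolder copy"))
                continue
        if name.lower() == "run" and data.strip('"').lower().endswith(".exe"):
            hits.append((name, "possible System folder copy (verify the file)"))
    return hits

def exefile_hijacked(default_data):
    r"""True if HKCR\exefile\shell\open\command (Default) runs EXEs through the worm."""
    return "sysnuht16.exe" in default_data.lower()

def known_files_present(paths):
    """Return the known Roron.AA file names found among the given paths."""
    names = {PureWindowsPath(p).name.lower() for p in paths}
    return sorted(names & KNOWN_FILES)

# Constructed sample of an infected host (not real collection data).
SAMPLE_RUN = [
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("StartSystem", "Sysnuht16.exe powrprof.dll,LoadCurrentPwrScheme"),
    ("Sample16 Startup", r"%ProgramFiles%\Sample Program\Sample16.exe"),
    ("run", r"C:\Windows\System32\mydll32.exe"),
]
```

A "run" hit only says the value name and path shape match; confirm the file itself before acting, since the worm names it after an existing System folder file.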
Spreads Via...
Network Shares

Worm:Win32/Roron.AA@mm periodically attempts to create a single copy of itself in subfolders of network shares if their folder names begin with any of the following strings:
WINDOWS
WIN
WIN95
WIN98
WINME

Additional Information
Worm:Win32/Roron.AA@mm stores configuration and status information in the following files:
%windir%\Faith.ini
\thunLib.sys
%windir%\nuhta.cfg
\Dxnuht16.dll
%windir%\Runtask32.vxd

Recovery Steps
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (http://safety.live.com).
About DARFUN INC © Copyright darfuns.com, DARFUN CORPORATION, est. 2004