W32/Oror-L

Category: Viruses and Spyware    Protection available since: 15 Jan 2003 00:00:00 (GMT)
Type: Win32 worm    Last Updated: 15 Jan 2003 00:00:00 (GMT)
Prevalence: No Reports


W32/Oror-L is a worm which spreads by network shares and email.

The emails will have the following characteristics:

Subject line - randomly selected from one of the following:

HeY
ZzZz
Bla Bla
HoWie
Happy
Hi Again
Wow
Just A Letter
Hello
Hey Ya
Boom
Hi There

The email message text and attachment names are also randomly chosen from a variety of possibilities.

The worm attempts to exploit a known vulnerability in Internet Explorer versions 5.01 and 5.5, so that the attachment is launched automatically when the email is selected for viewing. To prevent reinfection, users of Microsoft Outlook and Outlook Express should install the following patch available from Microsoft: http://www.microsoft.com/technet/security/bulletin/MS01-027.asp. This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.

When first run, the worm displays a message box with the text "Windows", "Cannot open file: it does not appear to be a valid program If you downloaded this file, try downloading file again."

The worm copies itself to the Windows folder with a name that is a combination of "Cmd", the computer's name reversed and "16.exe". For example, if the computer's name is "test", the worm copies itself as Cmdtset16.exe.

The worm creates the following registry entry so that it is run automatically each time Windows is restarted:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadProfile
= Cmdtrid16.exe powrprof.dll,LoadCurrentPwrScheme

The worm prepends its filename to the string stored in the registry entry

HKCR\exefile\shell\open\command\(default)

so that the worm is run before any executable file is run.

Typically an unaltered registry entry will be set to

HKCR\exefile\shell\open\command\(default) = "%1" %*

thus the altered registry entry will be

HKCR\exefile\shell\open\command\(default) = <path to worm> "%1" %*

W32/Oror-L chooses a random sub-folder of the Program Files folder and copies itself to this folder using the sub-folder name concatenated with "16.exe", "32.exe" or ".exe". If the chosen folder name contains spaces, only the part of the folder name before the first space is used; for example, the worm might copy itself as

\Program Files\Internet Explorer\Internet16.exe.

The worm adds the pathname to this executable under the registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run,

so that this copy of the worm is run automatically on startup.

The worm also copies itself to the Windows System folder using the name of a randomly selected file from the System folder, but with "16.exe", "32.exe" or ".exe" in place of the file's extension.

The worm runs this copy of itself automatically on startup by adding the line

run=<path to worm>

to the [Windows] section of WIN.INI file.

W32/Oror-L spreads over the local network by copying itself to shared folders using random filenames. During this process the worm may create additional entries under the registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The worm attempts to spread via file sharing on KaZaA networks by copying itself to any KaZaA shared folders that it finds, using the following filenames:

KaZaA Media Desktop v2.2_.exe
Serials 2K 7.2 (by SNTeam)_.exe
Serials2002_8.0(17.08.02)_.exe
Dreamweaver_MX_Update_.exe
ACDSee.exe
WinAmp_3.2_Cool_.exe
Download Accelerator 5.5_.exe
Nero Burning Rom 5.7.0.1_.exe
cRedit_CarDs_gEn.exe
MeGa HACK.exe
Zip Password Recovery.exe
GTA 3 Bonus Cars(part1)_.exe
EminemDesktop.exe
DMX tHeMe.exe
NFS 6 Bonus Cars_.exe
Counter Strike 1.5 (Hackz)_.exe
Madonna Desktop.exe
WinZip 8.2_.exe
DivX 5.5 Bundle_.exe
PcDudes.exe
BritneyUltimate.exe
Pamela 3D_.exe
Britney Suxx.exe
KamaSutra.exe
LaFemmeNikita.exe
Teen Sex Cam.exe
Lolita.exe
Pam Anderson Theme.exe
Sexy Teens Desktop.exe
SexSpy.exe
Anal Explorer.exe
VirtualRape.exe
Hot Blondies.exe
Strip Kournikova.exe

W32/Oror-L also creates new versions of the mIRC files MIRC.INI and REMOTE.INI. These files allow remote access to the computer via IRC channels.

The worm will attempt to terminate several anti-virus programs.
