W32/Romario-A

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Romario-A is a mass-mailing worm for the Windows platform.

W32/Romario-A spreads to other network computers.

When first run, W32/Romario-A copies itself to the root folder and to:

<User>\Documents\Bola Pantul.exe
<User>\Documents\FreeCard.exe
<User>\Documents\MyHearts.exe
<User>\Application Data\Alisa.exe
<User>\Application Data\Emma.exe
<User>\My Documents\Mario Bross.exe
<User>\My Documents\Minesweeper.exe
<User>\My Documents\Solitaire Card.exe
<Root>\Mario.exe
<Root>\game\Bola.exe
<Root>\game\Crazy Mouse.exe
<Root>\game\Dark Screen.exe
<Root>\game\Goncang.exe
<Root>\game\Kartu.exe
<Root>\game\Kelap Kelip.exe
<Root>\game\Layar Jatuh.exe
<Root>\game\Legend.exe
<Root>\game\Minesweeper.exe
<Root>\game\My Heart.exe
<Root>\game\Pink Panther.exe
<Root>\game\Smart.exe
<Root>\game\Start Hide.exe
<Root>\game\Text Animation.exe
<Root>\game\XP Button.exe
<System>\PANGKALP1NANG.EXE
<System>\SMUNSA_PKP_GAME.EXE
<System>\msvbvm60.dll.exe
<Windows>\winlogon.exe

and creates the following files:

<User>\Application Data\Aliciana.htt - detected as W32/Romario-A
<User>\Application Data\Emira.ini - detected as W32/Romario-A
<Windows>\Tasks\At1.job - can be safely removed

The following registry entries are created to run W32/Romario-A on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Mr_CoolFace_Game
<User>\Application Data\Emma.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SmansaApp
<Windows>\winlogon.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
urudjeffni
<Windows>\winlogon.exe

The following registry entries are changed to run W32/Romario-A on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
<original worm filename> "<Root>\explorer.exe"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe, <Root>\<original worm filename>

The following registry entries are set or modified so that W32/Romario-A is run when files with extensions of BAT, COM, PIF and SCR (and, per the entries below, VBS and MOV) are opened or launched:

HKCR\VBSFile\Shell\Open\Command
(default)
<Root>\<original worm filename>" "%1" %*

HKCR\batfile\shell\open\command
(default)
<Root>\<original worm filename>" "%1" %*

HKCR\comfile\shell\open\command
(default)
<Root>\<original worm filename>" "%1" %*

HKCR\movfile\Shell\Open\Command
(default)
<Root>\<original worm filename>" "%1" %*

HKCR\piffile\shell\open\command
(default)
<Root>\<original worm filename>" "%1" %*

HKCR\scrfile\shell\open\command
(default)
<Root>\<original worm filename>" "%1" %*

W32/Romario-A changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page

The following registry entries are set, disabling system software:

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
UncheckedValue
0

Registry entries are created under:

HKCU\Identities\(72F74F8A-A79D-406D-9B40-AB4C1057B8FD)\Software\Microsoft\Outlook Express\5.0\Mail

W32/Romario-A also creates a scheduled job to run itself every day at a specified time.

W32/Romario-A also copies itself to removable drives by creating a folder "GAME" on the removable drive and copying itself into that folder under the following names:

Legend.exe
Kartu.exe
Bola.exe
My Heart.exe
Minesweeper.exe
Dark Screen.exe
Layar Jatuh.exe
Kelap Kelip.exe
Goncang.exe
XP Button.exe
Start Hide.exe
Pink Panther.exe
Text Animation.exe
Crazy Mouse.exe
Smart.exe
Administrator Game.exe
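To check a host for the dropped files, Run-key values, Winlogon changes, file-association hijacks and policy settings described above, here is an added PowerShell audit; it is not Sophos code. It assumes an elevated Windows PowerShell 5.1 or later prompt, uses $env:SystemRoot for <Windows> and its System32 folder for <System>, and reads the HKCR classes through HKLM:\SOFTWARE\Classes.

```powershell
# Added host audit for the indicators in this write-up (not Sophos code); assumes an
# elevated Windows PowerShell 5.1+ prompt. $env:SystemRoot stands in for <Windows>.
function Find-RomarioIndicators {
    $hits = @()
    $win = $env:SystemRoot
    $sys = Join-Path $win 'System32'
    # Dropped files from the write-up; a winlogon.exe in the Windows root (not System32) is not legitimate
    foreach ($f in "$win\winlogon.exe", "$sys\PANGKALP1NANG.EXE", "$sys\SMUNSA_PKP_GAME.EXE",
                   "$sys\msvbvm60.dll.exe", "$win\Tasks\At1.job") {
        if (Test-Path -LiteralPath $f) { $hits += "file present: $f" }
    }
    # Run-key value names the worm creates
    $runKeys = @{
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' = @('Mr_CoolFace_Game')
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' = @('SmansaApp', 'urudjeffni')
    }
    foreach ($key in $runKeys.Keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $runKeys[$key]) {
            if ($props -and $props.PSObject.Properties[$name]) { $hits += "run value: $key\$name = $($props.$name)" }
        }
    }
    # Winlogon Shell should be exactly explorer.exe; Userinit should end at "userinit.exe,"
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($wl.Shell -ne 'explorer.exe') { $hits += "Winlogon Shell = $($wl.Shell)" }
    if ($wl.Userinit -notmatch '^[^,]*\\userinit\.exe,?\s*$') { $hits += "Winlogon Userinit = $($wl.Userinit)" }
    # Open handlers for the hijacked file types; stock values start with "%1" or point into
    # System32 (WScript for .vbs). movfile may legitimately point at a media player: review, not verdict.
    foreach ($cls in 'batfile', 'comfile', 'piffile', 'scrfile', 'VBSFile', 'movfile') {
        $cmd = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$cls\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -and $cmd -notmatch '^"%1"' -and $cmd -notmatch 'System32') { $hits += "review handler: $cls = $cmd" }
    }
    # Policy and Explorer settings the worm flips
    $sr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' -ErrorAction SilentlyContinue
    foreach ($n in 'DisableSR', 'DisableConfig') { if ($sr -and $sr.$n -eq 1) { $hits += "System Restore policy $n = 1" } }
    $sh = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden' -ErrorAction SilentlyContinue
    if ($sh -and $sh.UncheckedValue -eq 0) { $hits += 'SuperHidden UncheckedValue = 0 (protected OS files cannot be unhidden)' }
    return $hits
}
Find-RomarioIndicators
```

A clean host prints nothing; each line printed is one indicator to verify by hand before cleanup, since the handler check lists values for review rather than declaring them malicious.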
