W32/RorpiaMem-A

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports
Protection available since: 16 Apr 2011 12:22:33 (GMT)
Last Updated: 18 Sep 2013 19:12:19 (GMT)


W32/RorpiaMem-A is a malicious process running in memory, related to a malicious dll file. The dll file on disk is typically detected with names such as Mal/FakeAV-JO or Troj/TDDS-GG.

W32/RorpiaMem-A typically attempts to copy the malicious dll file to <Temp>\srv.tmp (eg <Temp>\srvE08.tmp), and may also copy it to <Temp>\setup.exe (eg <Temp>\setup50045.exe). It may also create the clean data file <Temp>\srv.ini (eg <Temp>\srvE08.ini).

W32/RorpiaMem-A may drop and run the file <malware filename>.manifest to increase its privileges, and to get the process spoolsv.exe to load the malicious dll.

W32/RorpiaMem-A usually attempts to download files to the <Temp> folder and execute them.

W32/RorpiaMem-A typically adds an entry of "srv" (eg setupE08) to the netsvcs value under the following registry key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

W32/RorpiaMem-A also usually creates registry entries at the following locations to run the malicious dll automatically on startup:

HKLM\SYSTEM\CurrentControlSet\Services\srv
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv

W32/RorpiaMem-A attempts to copy the malicious dll to remote drives and network shares with the filename "setup.fon" (eg setup50045.fon). To run this automatically, the file autorun.inf is also dropped - this file is detected as W32/Autorun-BM, W32/AutoInf-BO, W32/Autoinf-CC, and Mal/AutoInf-A. In addition, the following shortcut files are usually dropped, detected as Troj/Cplink-K and Troj/Cplink-O, which attempt to exploit the vulnerability CVE-2010-2568 to run the malware automatically:

setup.lnk (eg setup50045.lnk)
myporno.avi.lnk
pornmovs.lnk
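A defender-side hunt script for the persistence and propagation artifacts described above, added here as an example and not part of the Sophos write-up. It assumes PowerShell 3.0 or later, an elevated prompt (reading the module list of spoolsv.exe needs admin rights), and that a netsvcs entry named srv or setup<hex> is the one the write-up refers to.

```powershell
# Added hunt script (not Sophos code): checks a Windows host for the artifacts
# described in the write-up. Assumes PowerShell 3.0+ and an elevated prompt.
$findings = @()

# 1. SvcHost "netsvcs" group: the write-up names an entry "srv" (eg setupE08).
#    The setup<hex> pattern is an assumption based on that example.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$netsvcs = (Get-ItemProperty $svchostKey -ErrorAction SilentlyContinue).netsvcs
foreach ($entry in @($netsvcs)) {
    if ($entry -match '^(srv|setup[0-9A-Fa-f]*)$') { $findings += "netsvcs entry: $entry" }
}

# 2. Service key and SafeBoot entry used to load the dll at startup.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\srv'
foreach ($key in $svcKey, 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv') {
    if (Test-Path $key) { $findings += "registry key present: $key" }
}
# A svchost-hosted service points at its dll via Parameters\ServiceDll.
$svcDll = (Get-ItemProperty "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
if ($svcDll) { $findings += "srv ServiceDll: $svcDll" }

# 3. Dropped files in %TEMP%: srv*.tmp, srv*.ini, setup*.exe.
Get-ChildItem -Path "$env:TEMP\*" -Include 'srv*.tmp','srv*.ini','setup*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "temp artifact: $($_.FullName)" }

# 4. spoolsv.exe with a module loaded from a Temp directory (the injected dll).
foreach ($proc in @(Get-Process -Name spoolsv -ErrorAction SilentlyContinue)) {
    try {
        $proc.Modules | Where-Object { $_.FileName -match '\\Temp\\' } |
            ForEach-Object { $findings += "spoolsv.exe (PID $($proc.Id)) loaded $($_.FileName)" }
    } catch { $findings += "could not read modules of spoolsv.exe PID $($proc.Id): $_" }
}

# 5. Removable (DriveType 2) and network (DriveType 4) drives: autorun.inf,
#    setup*.fon and the three .lnk names from the write-up, at the drive root.
$names = 'autorun.inf','setup*.fon','setup*.lnk','myporno.avi.lnk','pornmovs.lnk'
Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2,4 } | ForEach-Object {
    Get-ChildItem -Path "$($_.DeviceID)\*" -Include $names -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "drive-root artifact: $($_.FullName)" }
}

if ($findings.Count -eq 0) { 'No W32/RorpiaMem-A artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on any single check is a lead, not a verdict: a legitimate service named srv or a benign setup*.exe in Temp is possible, so confirm with the file hashes listed in the examples below before cleaning.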

Examples of W32/RorpiaMem-A include:

Example 1

File Information

Size: 54K
SHA-1: 634e6cfce86f75fcad11918e12772b8a5a544cdc
MD5: d3f087605eeceecdf035ec3c071e6a63
CRC-32: be77c46e
File type: Windows executable
First seen: 2011-03-25

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\srv258.tmp
Processes Created
  • c:\windows\system32\spoolsv.exe

Example 2

File Information

Size: 64K
SHA-1: 811c40625e83bbbc34c553a3973a5daa21d8c725
MD5: fcfda6e176faf0fe1ae066e065870127
CRC-32: 76b2e62b
File type: Windows executable
First seen: 2011-03-30

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\srv5A0.tmp
Processes Created
  • c:\windows\system32\spoolsv.exe
