Summary
| Detected by | All Sophos products |
|---|---|
Action
Please follow the instructions for removing worms.
Make a note of the names of the files you delete. You should delete any copies of Troj/Faith-A at the same time as you delete W32/Oror-A.
Windows NT/2000/XP
In Windows NT/2000/XP you will also need to edit the following registry key. The removal of this key is optional in Windows 95/98/Me.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadCurrentProfile
and delete it if it exists.
There will also be another key in
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
which points to one of the files that you removed. You should also delete this reference.
Close the registry editor.
Removal of other files
The worm creates the following text files which you may wish to delete.
C:\Windows\def12x.dll
C:\Windows\rn3a.vxd
C:\Windows\Winfile.dll
C:\shares.txt
More Information
W32/Oror-A arrives in an email with one of the following subject line and message text combinations:
Subject line: Zdrasti..
Message text: Hey, kak , ujas mi e toplo daji smqtam ei sq da si farlq edin dush che ne sa disha :) Skoro shti pratq onva det obeshtah, za sq mojesh da hvarlish edno oko na
Subject line: Ohoo!!
Message text: Yoo, kak e havata, v momenta se 4ustvam mnoo qko i reshih da pisha na priqtelite :) nabarah edin mnoo zdrav site, %s - Cool a? Aide chakam otgovor :)
Subject line: Pisamce
Message text: Neska mi se slu4iha kup neshta :) Oshte ot sutrinta adski mi varvi, shte vzema da pusna edin fish ~~P V takova dobro nastroenie sam 4e reshih da vi pisha. Pri teb kak e, Neshto novo ima li? Osven vsi4ko ti pratih i iznenadka, sled kato q instalirash si vij shti sa poqvi mnoo qka madama v Tray-a :) I naposledak poshtata mi stoi tajno prazna tai che ... :)) Doskoro
Subject line: Liubofta e kato Rai, no moje da boli kato Ad
Message text: Zdr, izpratih na vsichki edna programka, mnoo qka, btw to imeto si pokazva. Subject-a e ot tam i ima i drugi mnogo qki misli. Moje da pokaje nai-podhodqshtiq partnior v liubofta :)) Ujasno e kak liubofta moje da ubie vsichko v teb.. Za shtastie ne vinagi e taka :) Bye !!
Subject line: TinKi WinKy
Message text: Zdrasti, trqq da proveda edin razgovor s dosta hora, ama shi vidim koga sha stane tova, naistina imam da kazvam mnogo neshta .. Ako imash i ti neshto da mi kazvash, ne se kolebai, a napishi edno pisamce. Vqrvai v me4tite si i gledai napred :))' P.S. Pogledni attachmenta i vij dali shti dopadne :)) Kefi li te? Az mnoo mu sa radvah ;)) Bye
Subject line: HeY :)
Message text: Tiriritam tiriram :)) zDraVeI, neshto novo?? :) Kak varvi lqtoto? Plaj, basein, kuponi :) Beshe mi skuchno i si vikam shto da ne napisha nqkoi drugo pismo :> Kakvoto i da stava da jivee lqtoto i nie pokrai nego ~~~PpPpPp. Vij iznendkata ~pP Aide i chakam..
Subject line: ZzZz :)
Message text: Zdrasti, kak q karash :) az sam dobre, makar che naposledak imam malko problemi. Tvarde mnogo mi se strupa navednaj, mai i rakata mi e s4upena.. Kvo da se pravi, takav e jivota.. Vchera namerih nqkav generator na kreditni karti i mai bachka, samo edin go probvah ama stana, vij dali pri teb sha raboti i umnata :) I ne zabravqi che "Liuboftaa e po cennaa ot vsi4ko" :)) Chao ti
Subject line: Vajno!!
Message text: Ima nov opasen virus v neta! Razprostranqva se predimno po IRC i ICQ. Vnimavai da ne se zarazish, zashtoto iztriva Mp3-ki, Filmi i Dokumenti. Izpratih ti patch, koqto shte te zashtiti ot zarazqvane. Iskah da napisha po-dulgo pismo, no nqmah vreme, sorka :( Naposledak imam adski mnogo rabota nalqvo nadqsno :)) Inache kak varvi? Aide doskoro i watch out :)))
Subject line: Blondinkii:)
Message text: Namerih edna mnoo qka programka i neznam zashto, no mi napomni za teb :)' Kakvo pravi blondinka kato rodi bliznaci? - Chudi se koi e vtoriq tatko :)' Kakva e razlikata mejdu 10 ovce i 3 blondinki? Otgovor: 7 Kak mojesh da razsmeesh blondinka v petak? - Kato i razkajesh vic vav vtornik :) Zdrasti! kak si :) Kefqt li ta vicovete? Shegichka de :) Pratih ti q. Razkazva ti qki vicove za blondinki na 5 minuti :) Posmqh se za baq vreme napred :))) Bye, doskoro, i po chesto v chata, chao :)
Subject line: Hi BaBy :)
Message text: Hi baby, kak e :) ko si praikash? az si slusham muzichka - ATC i Mortal Kombat Soundtrack - Varhovni sa, napravo izbuhnah :))) Drapnah si gi ot neta s taq programka - ima 200 kubriliona klasacii :) Naposledak muzikata e edno ot malkoto mi udovolstviq
P.S. Obezatelno si drapni ATC - Why oh why.mp3 :))
Chao, doskoro!!
Subject line: HeY..
Message text: HeY.. Buddz what'z up :) How are you? I'm fine, 10x!! My friend Nina is here and we are.. You know :) Lalala !! I've just wanted to tell you. Btw check this site - %s, it's kewl :)) Cya
Subject line: aBcDeFgHiJkLmNoPqRsT..
Message text: Hi, Don't forget about MAL"F" :) And don't tell anybody :Ppp have you seen this site? It's very interesting!! :) %s .. Leave this away, how are you? Send me sth cool, plzz :) bye! :)
Subject line: Don't cry
Message text: It won't be easy, you think it's strange, when I try to explain how i feel and I still want your love after all I have done. You won't believe me.. I had to let it happen, i had to change.. Hey, just kiddin' :) Madonna - "Don't cry" I've just wanted to .. Infact I don't know nothing i don't want to know anything :))) Do you like the funny program :) I'm waiting for the reply :>> Bye
Subject line: Very Important
Message text: There is a very dangerous virus circulating in the net. It's called RoRo and it's using IRC to infect computers. This virus deletes movies, music and corrupt your windows installation. To prevent from infecting, install McAfee Anti-Script 2002. It's a 30-days demo.. So, how are you? Good, Bad? I'm oK. I wanted to write you a longer letter, but i didn't have enough time.. sorry. Bye
Subject line: Miracle
Message text: All I need is a miracle, all i need is love.. YeS. That's true i love you my friends :) If you are wondering why I am so happy - i'll tell you - I am enga.. oOps, later..Bye and uhh unzip the attachment. It's the best joke, i've ever seen. Bye, see ya :)
Subject line: LOVE is like HEAVEN but it can hurt like HELL.
Message text: I've just found this program, and, I don't know why... but it reminded me of you. I read this there. There are cool ideas, especially about lOvE. i like it, but let's talk about you? Are you oK? Are you in love :))) I'm waiting for the replyyy :)) bye ~pPpP
Subject line: Blondies Forever :)
Message text: Hiya :) I've just wannted to send you these jokes
- What do blondes wear behind their ears to attract men? Their ankles!!
- Why did god invent the female orgasm? So blondes know when to stop
screwing!!
- What's the difference between a blonde and aeroplane? Not everyone's
been in a aeroplane!
- What is a blond with hair black colored? Artificial intelligence!
Blondies forever!! :) Wow, it's raining!! c00l :) Time off, i must go now, but i'll be very happy if you write me soon :) Bye bye :))
Subject line: Hi!!
Message text: Hi baby :)) Whatz Uppp :)) I'm feelin extra power cause i got high in the sky :) sMiLe :oP~pPPPpp Where are you? What are you doing? I send you a c00l flAsh :) See you soon :)) Bye Bye
Subject line: WoWoWoWOWowo..
Message text: Hi again.. You can't guess what i've found.. Finally i've found a working Credit Card generator!! I'm the richest man in the net :)) Don't tell or send it to anybody! How are you? What're you doing?
Subject line: yoOo
Message text: YoOo :)) What a nice day, what a nice time :) What a nice world :)) Do you have any ATC's mp3z? eXtreemly cool :) I've found them with this program, it's like Napster, but it's legal :)) P.S. Download ATC - Why oh why.mp3 !!! Bye ~~~~ppPpP :)
The attached file has one of the following filenames:
Love Zodiak.exe
Sorry.exe
[TNT]!CC geN.exe
Osama Your Mamma.exe
Setup.exe
mTV Charts.exe
Blondies.exe
TNT!CC gEN.exe
Magic.exe
Love.exe
Zodiak.exe
mTV.exe
Faith.exe
Kama Sutra.exe
Fun.exe
Smile.exe
Pamela.exe
Candy.exe
When first executed the worm displays a fake error message that reads
"Your version of WinZip Self-Extractor is not licensed, or the license information is missing or corrupted. Please contact the program vendor or the web site (www.WinZip.com) for additional information."
The worm will attempt to copy itself to folders on local and shared drives using any of the following filenames:
Kama Sutra.exe
GiRlZ FoReVeR (Wow).exe
Nikita v1.1 (Zip).exe
Pamela Anderson (Porno Installation).exe
Britney Spears Naked.exe
Teen Sex Cam.exe
Kurnikova Screensaver (6+).exe
CrEdIt CaRdZ gEn.exe
SeX.eXe
Faith.exe
The worm will always drop a copy of itself with the filename C:\Windows\Rundll16.exe and add the following registry entry so that Rundll16.exe is run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadCurrentProfile
The worm randomly chooses a single subfolder of the Program Files folder and places a copy of the worm in that subfolder. The filename of the new copy will be the name of the subfolder plus "16", "32" or "2K", e.g. Accessories2K.exe. An entry is added to the registry key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
which points to the copy of the worm.
A file is randomly selected from the Windows system folder and a copy of the worm is created in the system folder with a filename constructed from the name of the randomly selected file plus "16", "32" or "2K". An entry is then added to the file win.ini so that this copy of the worm is run when Windows starts up.
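As an added example (not code from the Sophos page), a small Python triage script that flags the persistence artefacts described above in data collected from a machine: a LoadCurrentProfile value or Rundll16.exe in the Run key, a Run entry whose target is named after its own folder plus 16/32/2K, and a win.ini run=/load= line pointing at a system-folder executable named after another file plus the same suffix. The Run entries, win.ini lines and folder listings are constructed sample input; the value name Accessories2K and the file names shell3216.exe and systray.exe are assumptions.

```python
import re
from pathlib import PureWindowsPath

# The worm names its copies after an existing folder or file plus one of these suffixes.
SUFFIX_RE = re.compile(r"^(?P<base>.+)(?P<suffix>16|32|2K)$", re.IGNORECASE)

def borrowed_name(path, sibling_stems=()):
    """Return (base, suffix) when `path` is an .exe whose stem is the name of its
    parent folder, or of a sibling file, with 16/32/2K appended; otherwise None."""
    p = PureWindowsPath(path)
    m = SUFFIX_RE.match(p.stem)
    if p.suffix.lower() != ".exe" or not m:
        return None
    base = m.group("base")
    known = {s.lower() for s in sibling_stems} | {p.parent.name.lower()}
    return (base, m.group("suffix").upper()) if base.lower() in known else None

def check_run_entries(entries, stems_by_dir):
    """entries: (value name, command) pairs read from HKLM\\...\\CurrentVersion\\Run.
    stems_by_dir: lower-cased folder path -> stems of the files found in that folder."""
    findings = []
    for name, command in entries:
        p = PureWindowsPath(command)
        if name.lower() == "loadcurrentprofile" or p.name.lower() == "rundll16.exe":
            findings.append(f"Run\\{name} -> {command}: LoadCurrentProfile / Rundll16.exe persistence")
        elif borrowed_name(command, stems_by_dir.get(str(p.parent).lower(), ())):
            findings.append(f"Run\\{name} -> {command}: executable named after its folder plus 16/32/2K")
    return findings

def check_win_ini(lines, stems_by_dir):
    """Flag run=/load= lines in win.ini that point at a copy named after a system file."""
    findings = []
    for line in lines:
        key, _, value = (s.strip() for s in line.partition("="))
        if key.lower() in ("run", "load") and value:
            p = PureWindowsPath(value)
            if borrowed_name(value, stems_by_dir.get(str(p.parent).lower(), ())):
                findings.append(f"win.ini {key}={value}: executable named after a system file plus 16/32/2K")
    return findings

# Constructed sample input (not taken from a real infection).
SAMPLE_RUN = [
    ("LoadCurrentProfile", r"C:\Windows\Rundll16.exe"),
    ("Accessories2K", r"C:\Program Files\Accessories\Accessories2K.exe"),
    ("SysTray", r"C:\Windows\System\systray.exe"),
]
SAMPLE_WIN_INI = ["[windows]", "load=", r"run=C:\Windows\System\shell3216.exe"]
SAMPLE_DIRS = {
    r"c:\program files\accessories": {"wordpad", "Accessories2K"},
    r"c:\windows\system": {"shell32", "shell3216", "systray"},
}

if __name__ == "__main__":
    for finding in check_run_entries(SAMPLE_RUN, SAMPLE_DIRS) + check_win_ini(SAMPLE_WIN_INI, SAMPLE_DIRS):
        print(finding)
```

On a live system the same functions can be fed the output of the Run key and the win.ini file from the Action section, with a directory listing of each referenced folder.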
If the title bar of a window contains any of the following strings then that window will be closed:
black
panda
shield
scan
mcafee
nai_vs_stat
virus
iomon
webcheck
mstask
navap
msie
agent
avp
alarm
zone
labs
The worm will delete files from folders whose names contain the words:
"zone" and "labs"
kaspers
mcafee
panda
avp
"pc" and "cillin"
"black" and "ice"
"norton" and "virus"
A large mIRC script will be created in the mIRC installation folder with the filename alias.ini, server.ini, notes.ini or popup.ini. This script is a mIRC backdoor Trojan and will be detected as Troj/Faith-A by Sophos Anti-Virus.
Finally, the worm will send itself in an email to addresses retrieved from emails in the infected user's inbox.
The worm also creates the following non-viral text files:
C:\Windows\def12x.dll
C:\Windows\rn3a.vxd
C:\Windows\Winfile.dll
C:\shares.txt
