Sophos

W32/Oror-Fam

Aliases
  • Roron
  • Oror-B
  • Oror-C
  • Oror-D
  • Oror-E
  • Oror-F
  • Oror-G
  • Oror-H
  • Oror-I
  • Oror-J
  • Oror-K
  • Oror-L
  • Oror-M
  • Oror-N
  • Oror-O

Summary

Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Make a note of the files detected as W32/Oror-Fam.

Editing the registry

You will need to edit the following registry entries.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

and delete any reference to any file that you deleted.

Locate the HKEY_CLASSES_ROOT entry:

HKCR\exefile\shell\open\command\(default) = <path to worm> "%1" %*

and delete only the path to the worm, leaving "%1" %* in place. Do not delete anything else.

Close the registry editor.

Editing Win.ini

At the taskbar, right-click Start and select Explore. Search for Win.ini in the Windows folder and open it in Notepad. In the [windows] section, search for the line

run=<path to worm>

Delete this line.

Reboot your computer.

After disinfection

You should also do the following:


More Information

W32/Oror-Fam is a family of worms, all of which are very similar to W32/Oror-B. Like W32/Oror-B, these worms can spread in a number of ways, including sending themselves out by email, copying themselves to shared drives on networks, and placing copies of themselves in folders likely to be shared via the KaZaA peer-to-peer system.

The Oror family of worms also has many or all of the following characteristics:

  • They pop up fake error dialogs to disguise their operation.
  • They create copies of themselves in your Windows folder using innocent-looking names, typically incorporating the first few letters of the computer name backwards.
  • They add a value to the registry key:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    so that they will launch automatically every time you log on.

  • They edit WIN.INI so they will launch automatically every time you start your computer.
  • They exploit bugs in older, unpatched versions of Outlook, Outlook Express and Internet Explorer so that they may launch automatically when you view infected emails.
  • They create mIRC scripts to distribute themselves if you have mIRC installed.
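
As an added check that is not part of Sophos's analysis: a read-only PowerShell audit of the three persistence points the removal steps above walk through (the exefile handler, the HKLM Run key and the win.ini run= line). It assumes an elevated session on the affected machine, and it treats the reversed-computer-name naming habit as a heuristic only, so flagged Run entries still need a human look.

```powershell
# Added example (not Sophos tooling): report Oror-style persistence without changing anything.
# Assumes an elevated PowerShell session on the machine being checked.

$findings = @()

# 1. EXE file association. A clean system holds exactly "%1" %* here;
#    the worm prepends its own path so it runs before every program you launch.
$cmdKey = Get-Item 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$cmd = [string]$cmdKey.GetValue('')
if ($cmd.Trim() -ne '"%1" %*') {
    $findings += "exefile handler is not clean: $cmd"
}

# 2. HKLM Run key. Flag anything launched from the Windows folder, plus names that
#    contain the first three letters of the computer name reversed (a family habit).
$chars = $env:COMPUTERNAME.ToCharArray()
[array]::Reverse($chars)
$reversed = -join $chars
$runKey = Get-Item 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in $runKey.GetValueNames()) {
    $value = [string]$runKey.GetValue($name)
    $inWindir = $value -like "$env:windir\*"
    $looksReversed = ($reversed.Length -ge 3) -and
                     ($value -match [regex]::Escape($reversed.Substring(0, 3)))
    if ($inWindir -or $looksReversed) {
        $findings += "Run entry '$name' = $value"
    }
}

# 3. win.ini [windows] section: any run= line is worth reporting, since modern
#    software has no reason to put one there.
$winIni = Join-Path $env:windir 'win.ini'
if (Test-Path $winIni) {
    $section = ''
    foreach ($line in Get-Content $winIni) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'windows' -and $line -match '^\s*run\s*=\s*(.+)$') {
            $findings += "win.ini [windows] run=$($Matches[1])"
        }
    }
}

if ($findings.Count -eq 0) { 'No Oror-style persistence found.' } else { $findings }
```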

You can find additional details about the W32/Oror family of worms by looking at the analyses of W32/Oror-B, W32/Oror-K and W32/Oror-L.
