Summary

| Detected by | All Sophos products |
|---|---|

More Information
W32/Oror-K is a worm which spreads by copying itself to shared folders on the local network and by emailing itself to addresses found within the inbox of MAPI-based email clients, such as Microsoft Outlook or Outlook Express.
The email subject, message text and attachment name are chosen at random from a variety of possibilities. A typical example is:
Subject: Blondes Forever
Attached file: Blonde.exe
Message text:
"Hey, whatz up :)) Where are you? Don't you chat any more?
I haven't seen you so long. Read this :))
What do blondes wear behind their ears to attract men? Their ankles!!
- Why did god invent the female orgasm? So blondes know when to stop
screwing!!
- What is a blond with hair black colored? Artificial intelligence!
Blondes forever!! :) Time off, i must go now, but i'll be very
happy if you write to me soon :) Bye bye :))".
The worm attempts to exploit a MIME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer so that the attached executable runs automatically, without the user double-clicking on the attachment. Microsoft has issued a patch which secures against this vulnerability; it can be downloaded from http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.
(This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.)
When first run, the worm displays a message box with the text
"Error starting program", "The <pathname of worm> file expects a newer version of Windows. Upgrade your Windows version.".
The worm copies itself to the Windows folder with a name that is a combination of 'lib', the computer's name reversed, and "16.exe", "32.exe" or "98.exe". For example, if the computer's name is "test", the worm copies itself as libtset16.exe, libtset32.exe or libtset98.exe.
The worm creates the following registry entry so that the copy of the worm in the Windows folder is run automatically each time Windows is restarted:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadSystemProfile
= <pathname of worm> powprof.dll,LoadCurrentUserProfile
The worm also sets the following registry entry so that it is run automatically whenever an EXE file is executed:
HKLM\Software\CLASSES\exefile\shell\open\command\(default)
= <pathname of worm> "%1" %*.
W32/Oror-K chooses a random sub-folder of the Program Files folder and copies itself to this folder, using the sub-folder name followed by "16.exe", "32.exe" or "2k.exe". For example, it might copy itself as \Program Files\Internet Explorer\Internet Explorer16.exe.
The worm adds the pathname to this executable under the following registry key so that this copy of the worm is run automatically on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The worm also copies itself to the Windows System folder using the name of a randomly selected file from the System folder, but with "16.exe", "32.exe" or "2k.exe" in place of the file's extension.
The worm runs this copy of itself automatically on startup by adding the line run=<pathname of worm> to the [Windows] section of <Windows>\WIN.INI.
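The persistence mechanisms described above (the derived Windows-folder filename, the Run\LoadSystemProfile value, the hijacked exefile open command, and the WIN.INI run= line) are what an incident responder would check for when hunting this worm. The following script is an added example written for this page, not Sophos code: it derives the expected Windows-folder filenames from a computer name and checks registry values and a WIN.INI text for the indicators the page lists. The registry values and WIN.INI contents are constructed sample data (the hostname "test", the path C:\WINDOWS\libtset32.exe and the System-folder copy name kernel3216.exe are assumptions), standing in for what a real read of the registry and of <Windows>\WIN.INI would return.

```python
import ntpath
import re
from typing import Dict, List

# Registry locations named on the page.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
EXEFILE_KEY = r"HKLM\Software\CLASSES\exefile\shell\open\command"
# A healthy exefile handler is exactly this and nothing in front of it.
CLEAN_EXEFILE_COMMAND = '"%1" %*'


def oror_k_windows_folder_names(computer_name: str) -> List[str]:
    """Filenames the page says the worm uses for its Windows-folder copy:
    'lib' + computer name reversed + '16.exe' / '32.exe' / '98.exe'."""
    reversed_name = computer_name.lower()[::-1]
    return [f"lib{reversed_name}{suffix}.exe" for suffix in ("16", "32", "98")]


def scan_registry_values(values: Dict[str, str]) -> List[str]:
    """`values` maps 'Key\\ValueName' -> data (a constructed stand-in for reading
    the live registry). Returns one line per persistence indicator found."""
    findings = []
    for full_name, data in values.items():
        key, _, value_name = full_name.rpartition("\\")
        if key.lower() == RUN_KEY.lower() and value_name.lower() == "loadsystemprofile":
            # Page: Run\LoadSystemProfile = <worm> powprof.dll,LoadCurrentUserProfile
            if "powprof.dll,loadcurrentuserprofile" in data.lower():
                findings.append(f"Run\\LoadSystemProfile -> {data}")
        elif key.lower() == EXEFILE_KEY.lower() and value_name in ("(default)", ""):
            # Any path placed before "%1" %* runs on every EXE launch.
            if data.strip() != CLEAN_EXEFILE_COMMAND:
                findings.append(f"exefile open command hijacked -> {data}")
    return findings


def scan_win_ini(text: str) -> List[str]:
    """Flag a non-empty run= line in the [windows] section of WIN.INI."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).lower()
        elif section == "windows" and line.lower().startswith("run=") and line[4:].strip():
            findings.append(f"WIN.INI run= -> {line[4:].strip()}")
    return findings


def referenced_oror_k_copies(findings: List[str], computer_name: str) -> List[str]:
    """Report the paths in the findings whose basename matches one of the
    derived Windows-folder filenames (ties the registry evidence to the host)."""
    expected = set(oror_k_windows_folder_names(computer_name))
    hits = []
    for finding in findings:
        data = finding.split("-> ", 1)[1]
        first_token = data.split(" ")[0]  # constructed samples use paths without spaces
        if ntpath.basename(first_token).lower() in expected:
            hits.append(first_token)
    return hits


# --- constructed sample data, not captured from a real infection ---
SAMPLE_COMPUTER_NAME = "test"
SAMPLE_REGISTRY = {
    RUN_KEY + r"\LoadSystemProfile": r"C:\WINDOWS\libtset32.exe powprof.dll,LoadCurrentUserProfile",
    RUN_KEY + r"\Backup": r"C:\Tools\backup.exe",  # benign entry, must not be flagged
    EXEFILE_KEY + r"\(default)": r'C:\WINDOWS\libtset32.exe "%1" %*',
}
CLEAN_REGISTRY = {EXEFILE_KEY + r"\(default)": '"%1" %*'}
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=C:\\WINDOWS\\SYSTEM\\kernel3216.exe\n"  # hypothetical System-folder copy
    "[Desktop]\n"
    "Wallpaper=none\n"
)

if __name__ == "__main__":
    print("expected Windows-folder names:", oror_k_windows_folder_names(SAMPLE_COMPUTER_NAME))
    registry_findings = scan_registry_values(SAMPLE_REGISTRY)
    for line in registry_findings + scan_win_ini(SAMPLE_WIN_INI):
        print("indicator:", line)
    print("paths matching derived names:", referenced_oror_k_copies(registry_findings, SAMPLE_COMPUTER_NAME))
```

The exefile check is the one worth keeping in any baseline: because the worm wedges its pathname in front of "%1" %*, deleting the file without restoring that value leaves the machine unable to start any EXE, so the registry value should be repaired before or together with the file removal.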
W32/Oror-K spreads over the local network by copying itself to selected shared folders using random filenames. During this process the worm may create additional entries under the registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The worm attempts to spread via file sharing on KaZaA networks by copying itself to any KaZaA folders it finds on the local network, using the following filenames:
ACDSee
Actu002_
alice
amanda
Anal Explorer
baby_17
badboy
blue16
BoxDave_
Britney Suxx
BritneyUltimate
bryan16
candy_f
Chess
ClubExtreme
Counter Strike 1.5 (Editor)_
CrazyGirl
cRedit_CarDs_gEn|MeGa HACK
DivX 5.4 Bundle_
DMX tHeMe
Download Accelerator 5.5_
Dreamweaver_5.0_Patch_
dreamy
Elfbowl
EminemDesktop
Fishfood
Gipsy
Goggles
GTA 3 Bonus Cars(part1)_
happy
Hot Blondies
install_en_
Inter012_
jane17
jerry
Kama Sutra
KamaSutra
KaZaA Media Desktop v2.0.8_
LaFemmeNikita
linda17
Lolita
Madonna Desktop
neo
Nero Burning Rom 5.6.0.3_
NFS 5 Bonus Cars_
nicole
Pam Anderson Theme
Pamela 3D_
PcDudes
rap_girl
Serials 2K 7.2 (by SNTeam)_
Serials2002_8.0(17.08.02)_
SexSpy
Sexy Teens Desktop
snowball_fight_
sound_brake_
steve
Story017_
Strip Kournikova
Teen Sex Cam
trish1
tweety
VirtualRape
WinAmp_3.2_Cool_
WinZip 8.2_
WWF_The_ROCK
Zip Password Recovery
W32/Oror-K also drops the mIRC script Controls.ini to the mIRC folder. Controls.ini is detected by Sophos Anti-Virus as the backdoor Trojan mIRC/Oror-D.
The worm will attempt to terminate selected Windows-based anti-virus programs.