Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing worms.
Make a note of the files detected as W32/Oror-L.
Editing the registry
You will need to edit the following registry entries.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadProfile = Cmdtrid16.exe powrprof.dll,LoadCurrentPwrScheme
and delete it if it exists.
Check the other entries under
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
and delete any that reference the other files you deleted.
Locate the HKEY_CLASSES_ROOT entry:
HKCR\exefile\shell\open\command\(default) = <path to worm> "%1" %*
and delete only the path to the worm. Do not delete anything else; the remaining value must read "%1" %*.
Close the registry editor.
Editing Win.ini
At the taskbar, right-click Start and select Explore. Search for Win.ini in the Windows folder and open it in Notepad. In the [windows] section, search for the line
run=<path to worm>
Delete this line.
Reboot your computer.
After disinfection
You should also do the following:
- Replace the mIRC files MIRC.INI and REMOTE.INI from backups or from a fresh copy
- Users of Microsoft Outlook and Outlook Express should install this patch: http://www.microsoft.com/technet/security/bulletin/MS01-027.asp
- Check that your anti-virus software is working and reinstall it if necessary
- Check other computers on your network for copies of the worm.
More Information
W32/Oror-L is a worm that spreads via network shares and email.
The emails will have the following characteristics:
Subject line - randomly selected from one of the following:
HeY
ZzZz
Bla Bla
HoWie
Happy
Hi Again
Wow
Just A Letter
Hello
Hey Ya
Boom
Hi There
The email message text and attachment names are also randomly chosen from a variety of possibilities.
The worm attempts to exploit a known vulnerability in Internet Explorer versions 5.01 and 5.5, so that the attachment is launched automatically when the email is selected for viewing. To prevent reinfection, users of Microsoft Outlook and Outlook Express should install the following patch available from Microsoft: http://www.microsoft.com/technet/security/bulletin/MS01-027.asp. This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.
When first run, the worm displays a message box titled "Windows" with the text "Cannot open file: it does not appear to be a valid program If you downloaded this file, try downloading file again."
The worm copies itself to the Windows folder with a name that is a combination of 'Cmd', the computer's name reversed and "16.exe". For example, if the computer's name is "test", the worm copies itself as Cmdtset16.exe.
The worm creates the following registry entry so that it is run automatically each time Windows is restarted:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadProfile = Cmdtrid16.exe powrprof.dll,LoadCurrentPwrScheme
The worm prepends its filename to the string stored in the registry entry
HKCR\exefile\shell\open\command\(default)
so that the worm is run before any executable file is run.
An unaltered registry entry is normally set to
HKCR\exefile\shell\open\command\(default) = "%1" %*
so the altered registry entry becomes
HKCR\exefile\shell\open\command\(default) = <path to worm> "%1" %*
W32/Oror-L chooses a random sub-folder of the Program Files folder and copies itself to this folder using the sub-folder name concatenated with "16.exe", "32.exe" or ".exe". If the chosen folder name contains spaces, only the first word of the folder name is used; for example, the worm might copy itself as
\Program Files\Internet Explorer\Internet16.exe.
The worm adds the path of this executable as a value under the registry key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
so that this copy of the worm is run automatically on startup.
The worm also copies itself to the Windows System folder using the name of a randomly selected file from the System folder, but with "16.exe", "32.exe" or ".exe" in place of the file's extension.
The worm runs this copy of itself automatically on startup by adding the line
run=<path to worm>
to the [Windows] section of WIN.INI file.
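The persistence points described above and in the removal steps under Action (the Cmd<reversed computer name>16.exe copy, the path prepended to HKCR\exefile\shell\open\command, the Program Files naming scheme and the run= line in WIN.INI) as an added Python example of what a defender would check for; this is not Sophos code. It assumes the registry values and the WIN.INI text have already been read and are passed in as strings; the sample values are constructed, with the computer name assumed to be "dirt" so that the copy is named Cmdtrid16.exe as in the entry quoted above.

```python
import re
from pathlib import PureWindowsPath

CLEAN_EXEFILE_COMMAND = '"%1" %*'  # unaltered HKCR\exefile\shell\open\command value

# Constructed sample data (not from a real machine); the computer name is assumed to be "dirt".
SAMPLE_RUN_VALUES = {
    "LoadProfile": "Cmdtrid16.exe powrprof.dll,LoadCurrentPwrScheme",
    "Internet": r"C:\Program Files\Internet Explorer\Internet16.exe",
    "SystemTray": r"C:\WINDOWS\SYSTEM\systray.exe",
}
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\wsock16.exe\n[Desktop]\nWallpaper=\n"

def expected_cmd_copy_name(computer_name):
    """Windows-folder copy name: 'Cmd' + computer name reversed + '16.exe'."""
    return "Cmd" + computer_name[::-1] + "16.exe"

def exefile_hijack_path(command_value):
    """Path prepended to '"%1" %*'; None if clean; the whole value if altered some other way."""
    value = command_value.strip()
    if value.endswith(CLEAN_EXEFILE_COMMAND):
        return value[: -len(CLEAN_EXEFILE_COMMAND)].strip() or None
    return value

def executable_of(run_value):
    """Strip arguments from a Run-key value (quoted path, or text up to the first .exe)."""
    m = re.match(r'"([^"]+)"|(.*?\.exe)', run_value.strip(), re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else run_value.strip()

def matches_program_files_copy(path):
    """True for ...\\Program Files\\<folder>\\<first word of folder>{16|32|''}.exe."""
    parts = PureWindowsPath(path).parts
    if len(parts) < 3 or parts[-3].lower() != "program files":
        return False
    first_word = parts[-2].split(" ")[0].lower()
    return re.fullmatch(re.escape(first_word) + r"(16|32)?\.exe", parts[-1].lower()) is not None

def suspicious_run_values(run_values, computer_name):
    """Names of Run-key values whose executable follows either worm naming scheme."""
    cmd_copy = expected_cmd_copy_name(computer_name).lower()
    return [name for name, value in run_values.items()
            if PureWindowsPath(executable_of(value)).name.lower() == cmd_copy
            or matches_program_files_copy(executable_of(value))]

def win_ini_run_path(win_ini_text):
    """Target of a 'run=' line in the [windows] section of WIN.INI, else None."""
    m = re.search(r"^\[windows\][^\n]*\n(?:(?!\[).*\n)*?run=(.*)$",
                  win_ini_text, re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip() if m else None
```

Anything these functions flag should be compared against the files noted during disinfection before the entry is removed, since legitimate software also installs Run-key values and run= lines.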
W32/Oror-L spreads over the local network by copying itself to shared folders using random filenames. During this process the worm may create additional entries under the registry key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
The worm attempts to spread via file sharing on KaZaA networks by copying itself to any KaZaA shared folders that it finds, using the following filenames:
KaZaA Media Desktop v2.2_.exe
Serials 2K 7.2 (by SNTeam)_.exe
Serials2002_8.0(17.08.02)_.exe
Dreamweaver_MX_Update_.exe
ACDSee.exe
WinAmp_3.2_Cool_.exe
Download Accelerator 5.5_.exe
Nero Burning Rom 5.7.0.1_.exe
cRedit_CarDs_gEn.exe
MeGa HACK.exe
Zip Password Recovery.exe
GTA 3 Bonus Cars(part1)_.exe
EminemDesktop.exe
DMX tHeMe.exe
NFS 6 Bonus Cars_.exe
Counter Strike 1.5 (Hackz)_.exe
Madonna Desktop.exe
WinZip 8.2_.exe
DivX 5.5 Bundle_.exe
PcDudes.exe
BritneyUltimate.exe
Pamela 3D_.exe
Britney Suxx.exe
KamaSutra.exe
LaFemmeNikita.exe
Teen Sex Cam.exe
Lolita.exe
Pam Anderson Theme.exe
Sexy Teens Desktop.exe
SexSpy.exe
Anal Explorer.exe
VirtualRape.exe
Hot Blondies.exe
Strip Kournikova.exe
W32/Oror-L also creates new versions of the mIRC files MIRC.INI and REMOTE.INI. These files allow remote access to the computer via IRC channels.
The worm will attempt to terminate several anti-virus programs.
