Sophos

W32/Oror-R

Aliases
  • I-Worm.Roron.51
  • WORM_OROR.Q

Summary

Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Make a note of the files detected as W32/Oror-R.

Editing the registry

You will need to edit the following registry entries.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadProfile
= <filename of worm>.exe powrprof.dll,LoadCurrentPwrScheme

and delete it if it exists.

Check the other entries in HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ and delete any references to any of the other files you deleted.

Locate the HKEY_CLASSES_ROOT entry:

HKCR\exefile\shell\open\command\(default) = <path to worm> "%1" %*

delete only the path to the worm. Do not delete anything else.

Close the registry editor.

Editing Win.ini

At the taskbar, right-click Start and select Explore. Search for Win.ini in the Windows folder and open it in Notepad. In the [windows] section, search for the line

run=<pathname of worm>

Delete this line.

Reboot your computer.
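The three persistence points the steps above remove can be checked from exported values before anything is edited. This is an added Python example, not a Sophos tool: it recognises the LoadProfile value, separates a prepended path from the exefile open command so that only that path is removed, and finds the run= line in win.ini. The sample values are constructed; C:\WINDOWS\Cmdtset16.exe is a placeholder that follows the naming rule given under More Information.

```python
import re

# Constructed sample values, in the form the three persistence points above take once
# exported. C:\WINDOWS\Cmdtset16.exe is a placeholder following the naming rule the page
# describes (computer name "test" reversed), not a real indicator.
SAMPLE_LOADPROFILE = 'Cmdtset16.exe powrprof.dll,LoadCurrentPwrScheme'
SAMPLE_EXEFILE_CMD = 'C:\\WINDOWS\\Cmdtset16.exe "%1" %*'
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\kernel16.exe\n\n[fonts]\n"

# Windows' own default open command for .exe files: the target and its arguments only.
CLEAN_EXEFILE_CMD = '"%1" %*'


def check_loadprofile(value):
    """Return the worm filename if Run\\LoadProfile has the documented shape, else None."""
    m = re.fullmatch(r"\s*(\S+\.exe)\s+powrprof\.dll,LoadCurrentPwrScheme\s*", value, re.IGNORECASE)
    return m.group(1) if m else None


def restore_exefile_command(value):
    """Split a prepended path off the exefile open command.

    Returns (prepended_path, cleaned_value). Only the text before "%1" is treated as
    foreign; everything from "%1" onward is kept verbatim, matching the instruction to
    delete the worm's path and nothing else.
    """
    idx = value.find('"%1"')
    if idx <= 0:
        return None, value  # already the default handler, or not in the expected shape
    return value[:idx].strip(), value[idx:]


def find_win_ini_run(text):
    """Return the pathname from run= in the [windows] section of win.ini, or None."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and line.lower().startswith("run="):
            return line[4:].strip() or None
    return None


if __name__ == "__main__":
    print("LoadProfile worm file:", check_loadprofile(SAMPLE_LOADPROFILE))
    print("exefile handler:", restore_exefile_command(SAMPLE_EXEFILE_CMD))
    print("win.ini run=:", find_win_ini_run(SAMPLE_WIN_INI))
```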

After disinfection

You should also do the following:


More Information

W32/Oror-R is an internet worm which spreads via network shares, file sharing on KaZaA networks and by emailing itself to addresses found within files on the local hard drive.

The email subject line, message text and attachment filename are randomly chosen from a variety of possibilities.

The worm attempts to exploit a known vulnerability in Internet Explorer versions 5.01 and 5.5, so that the attachment is launched automatically when the email is selected for viewing. To prevent reinfection, users of Microsoft Outlook and Outlook Express should install the following patch available from Microsoft: http://www.microsoft.com/technet/security/bulletin/MS01-027.asp. This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.

The worm copies itself to the Windows folder with a name made up of 'Cmd', the computer's name reversed and one of the suffixes "16.exe", "32.exe" or ".exe". For example, if the computer's name is "test", the worm copies itself as Cmdtset16.exe.

The worm creates the registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadProfile
= <filename of worm>.exe powrprof.dll,LoadCurrentPwrScheme

so that the worm is run automatically each time Windows is started.

The worm also prepends its pathname to the registry entry

HKCR\exefile\shell\open\command\

so that the worm is run whenever any EXE file is run.

W32/Oror-R chooses a random sub-folder of the Program Files folder and copies itself to this folder using the sub-folder name concatenated with "16.exe", "32.exe" or ".exe". If the chosen folder name contains spaces, only the part before the first space is used; for example, the worm may copy itself as \Program Files\Internet Explorer\Internet16.exe.
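The two naming rules above can be turned into the exact filenames to look for on a given host. This is an added Python example, not from Sophos: it derives the names for the Windows folder and for each Program Files sub-folder and checks them against a directory listing. The listing and the computer name "test" are constructed; a match is a candidate to confirm with a scanner, since a legitimate file could share the name.

```python
SUFFIXES = ("16.exe", "32.exe", ".exe")

# Constructed directory listing (folder path -> filenames), not read from disk.
# "Cmdtset16.exe" and "Internet16.exe" are the names the page's rules produce for
# computer name "test" and sub-folder "Internet Explorer"; the rest are ordinary files.
SAMPLE_LISTING = {
    "C:\\WINDOWS": ["win.ini", "Cmdtset16.exe", "notepad.exe"],
    "C:\\Program Files\\Internet Explorer": ["iexplore.exe", "Internet16.exe"],
    "C:\\Program Files\\Accessories": ["wordpad.exe"],
}


def windows_folder_names(computer_name):
    """Names used in the Windows folder: 'Cmd' + computer name reversed + suffix."""
    reversed_name = computer_name[::-1]
    return {f"Cmd{reversed_name}{s}" for s in SUFFIXES}


def program_files_names(subfolder):
    """Names used in a Program Files sub-folder: the folder name up to its first space + suffix."""
    stem = subfolder.split(" ", 1)[0]
    return {f"{stem}{s}" for s in SUFFIXES}


def find_suspect_files(listing, computer_name):
    """Return full paths in the listing whose names match the worm's derived names."""
    hits = []
    for folder, files in listing.items():
        parent, _, leaf = folder.rpartition("\\")
        if parent.lower().endswith("program files"):
            expected = program_files_names(leaf)
        elif leaf.lower() == "windows":
            expected = windows_folder_names(computer_name)
        else:
            continue  # other folders use names this rule cannot predict
        expected_lower = {e.lower() for e in expected}  # NTFS/FAT names are case-insensitive
        hits.extend(f"{folder}\\{f}" for f in files if f.lower() in expected_lower)
    return sorted(hits)


if __name__ == "__main__":
    for path in find_suspect_files(SAMPLE_LISTING, "test"):
        print("candidate:", path)
```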

The worm adds the pathname of this executable under the registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

so that this copy of the worm is run automatically on startup.

The worm also copies itself to the Windows System folder using the name of a randomly selected file from the System folder, but with "16.exe", "32.exe" or ".exe" in place of the file's extension.

The worm runs this copy of itself automatically on startup by adding the line

run=<pathname of worm>

to the [Windows] section of <Windows>\win.ini.

W32/Oror-R spreads over the local network by copying itself to selected shared folders using random filenames. During this process the worm may create additional entries under the registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

and may drop a file named AUTORUN.INF in the root folder of shared drives in an attempt to run the worm via the AutoPlay option.

The worm attempts to spread via file sharing on KaZaA networks by creating the folder <Windows>\Profiles and copying itself to this folder using filenames randomly selected from the following list:

KaZaA Media Desktop v2.13
Serials2K 7.1 (FULL Updated)
Serials2003_8.0(14.02.03)
Dreamweaver_MX_Update
ACDSee
WinAmp_3.1_Cool
Download Accelerator 5.5
Nero Burning Rom 5.7.7.3
cReditCarDs_gEn
Mail HACK
WinXP Crack Password
DiViDiX Coder 5.0 Beta
Eminem BioData
DMX Desktop
NFS HP Bonus Cars
Counter Strike 1.5 (Hack)
WinZip Password Crack
WinZip 8.1(FULL)
DivX 5.5 Full
Nice Girl*
15 years old blonde*
Shakira Boobs
Pamela3D
Teen_Sex_Cam
Sarah fingers pussy on webcam*
Skinny Lolita French Teen*
17year old teen babysitter*
KamaSutra*
Teen raped in bathroom*
Silvia Saint Theme
Russian_Teen*
mariana hot virgin*
German Rape*
BlondeShow*
ClubExtreme
Story015
Gipsy
Elfbowl
snowball_fight
mTVCharts
BoxDave
Pamela*
KamaSutra
Fishfood
Story017
16Yr_Old_Teen*
mTV_Charts

optionally followed by:

7.1 FULL
v5.5
(zip)
3.0
(Eng)
(Cracked)
(sHow)
3D
v4.5
(Rated)
3.3
_v1.1
2.3

and with an EXE extension.

The worm makes the folder <Windows>\Profiles shareable on KaZaA networks by setting the following entries:

HKCU\Software\Kazaa\LocalContent\Dir0 = 012345:<Windows>\profiles

HKCU\Software\Kazaa\LocalContent\DisableSharing = 0

W32/Oror-R creates a new version of the mIRC initialisation file <mIRC>\Mirc.ini and may also replace other files with an extension of INI in the mIRC folder.

The new INI files allow a remote intruder backdoor access to the computer via IRC channels.

The worm will attempt to terminate selected Windows-based anti-virus programs.

The worm creates several configuration files in the Windows and System folders using randomly generated filenames.
