Category: Viruses and Spyware
Protection available since: 16 Jun 2003 00:00:00 (GMT)
Type: Win32 worm
Last Updated: 16 Jun 2003 00:00:00 (GMT)
Prevalence: Small Number of Reports

W32/Ronoper-A is an internet worm and backdoor Trojan that allows a remote intruder to access and control the computer via IRC channels.

W32/Ronoper-A emails itself to addresses found within the message folders of MAPI-based email clients such as Microsoft Outlook/Outlook Express. The subject of the email is "Re:", the message text is "I Hope you reply me. Thank you very much for reading my msg Bye." and the attached file is WinCfg32.exe.
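The three message traits listed above (subject, body text, attachment name) can be checked at a mail filter. The following Python sketch is an added example, not part of the original description; the function names, the rule of requiring the attachment name plus one other trait, and the sample-message builder are assumptions made for this illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
SUBJECT = "Re:"
BODY = "I Hope you reply me. Thank you very much for reading my msg Bye."
ATTACHMENT = "wincfg32.exe"  # compared case-insensitively


def _squash(text):
    """Collapse whitespace runs so line wrapping does not defeat the match."""
    return " ".join(text.split())


def ronoper_indicators(raw):
    """Return the set of W32/Ronoper-A mail indicators found in raw bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if (msg["Subject"] or "").strip() == SUBJECT:
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name == ATTACHMENT:
            hits.add("attachment")
        elif part.get_content_type() == "text/plain" and not name:
            if _squash(BODY) in _squash(part.get_content()):
                hits.add("body")
    return hits


def is_suspect(raw):
    """Assumed rule: attachment name plus one more trait ("Re:" alone is common)."""
    hits = ronoper_indicators(raw)
    return "attachment" in hits and len(hits) >= 2


def build_sample(subject, body, filename=None):
    """Construct a test message (constructed data, inert attachment bytes)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Matching on the attachment name and text alone will miss renamed copies, so this complements rather than replaces signature-based scanning.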

When first run, the worm copies itself to the Windows folder as WinCfg32.exe and creates the registry entry:

WinCfg32 = C:\WINDOWS\WinCfg32.exe

so that WinCfg32.exe is run automatically each time Windows is started.

Each time W32/Ronoper-A is run it tries to connect to a remote IRC server and join a specific channel. The worm then runs in the background as a server process, listening for commands to execute.

W32/Ronoper-A also attempts to dynamically update itself by downloading the executable www.kamerali.com/kit/security.exe to the Windows temp folder and then running it. At the time of writing, Sophos Anti-Virus detects www.kamerali.com/kit/security.exe as Troj/Ronoper-B.