Category: Viruses and Spyware
Protection available since: 27 Aug 2003 00:00:00 (GMT)
Type: Win32 worm
Last Updated: 27 Aug 2003 00:00:00 (GMT)
Prevalence: No Reports

W32/Ronoper-G is an internet worm and backdoor Trojan, allowing a remote intruder to access and control the computer via IRC channels.

W32/Ronoper-G spreads via file sharing on P2P networks and by emailing itself to addresses found within the message folders of MAPI based email clients such as Microsoft Outlook or Outlook Express.

The subject line of the email is "Re:", the message text is "Look at The Attachments for Secret Pictures of My Girl Friend.." and the attached file is Melda.scr.

When first run, W32/Ronoper-G copies itself to the Windows folder as Melda.scr and Systools.exe and creates the following registry entry so that Systools.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Toolkit = <WINDOWS>\Systools.exe

Each time the worm is run it tries to connect to a remote IRC server and join a specific channel. The worm then runs in the background as a server process, listening for commands to execute.

W32/Ronoper-G also creates a sub-folder of the Windows TEMP folder named \Binary32\ and copies itself to this folder using a random 6-character filename with an extension of EXE.

If Winzip and/or WinRar are installed on the computer, the worm may create copies of itself in the Windows folder named Melda.Zip and Melda.Rar.

W32/Ronoper-G copies itself to the downloads, transfer and shared folders belonging to the P2P applications KaZaA, eDonkey2000, Morpheus, Shareaza, Limewire and iMesh, using the following filenames:

HardCore - College Webcam.scr
HardCore Action In The School.scr
Hotmail Hack.exe
Norton Internet Security 2003 professional.exe
Penis Enlargement Secrets.scr
PornStart in Hardcore Action.scr
Spy Cam - Girl ???????????.scr
StarCraft Battle.net Keygen.exe
StarCraft Maphack.exe
Warcraft 3 Battle.net Key generator.exe
WarCraft 3 MapHack.exe
Windows XP Key Generator.exe
Windows XP Keygen.exe

W32/Ronoper-G also prepends itself to files with an extension of EXE in the aforementioned P2P folders and in the \My Downloads\ and Internet Explorer \Download Directory\ folders.

W32/Ronoper-G enables file sharing on KaZaA networks by setting the registry entry HKCU\Software\Kazaa\localcontent\Disablesharing = 0.

W32/Ronoper-G drops the IRC script SysScript.exe to the Windows folder and may use this script to send itself via IRC channels as Melda.scr or Melda.Zip.

W32/Ronoper-G also sets the following registry entries:

HKLM\Sofware\Mirabilis\ICQ\Agent\Apps\IcqWinCfg\Enable = "Yes"
HKLM\Sofware\Mirabilis\ICQ\Agent\Apps\IcqWinCfg\Parameters
HKLM\Sofware\Mirabilis\ICQ\Agent\Apps\IcqWinCfg\Pathname = <pathname of worm>
HKLM\Sofware\Mirabilis\ICQ\Agent\Apps\IcqWinCfg\Startup
HKCU\Sofware\Microsoft\Windows\Currentversion\Policies\System\DisableRegistryTools = 1
HKCU\Sofware\Microsoft\Windows\Currentversion\Policies\System\NoDispCPL
HKCU\Sofware\Microsoft\Windows\Currentversion\Explorer\Advanced\Hidden = 2

W32/Ronoper-G terminates selected anti-virus applications and tries to prevent them from running on startup by deleting anti-virus sub-entries from:

HKLM\Sofware\Microsoft\Windows\CurrentVersion\Run
HKLM\Sofware\Microsoft\Windows\CurrentVersion\RunServices
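A defender-side check for the artefacts listed above (the Run entry, the KaZaA and policy values, and the dropped files), written here as an added example and not Sophos's own tooling. It assumes a registry snapshot shaped as a dict of 'HIVE\Key\ValueName' to data and a plain list of file paths, both constructed inline; the Windows folder path, the alphanumeric form of the random 6-character name and the standard "Software" key spelling are assumptions.

```python
import re
# Registry indicators from the description: (key, value name, expected data as a lowercase string).
REGISTRY_INDICATORS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "System Toolkit", "systools.exe"),
    (r"HKCU\Software\Kazaa\localcontent", "Disablesharing", "0"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "1"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", "2"),
]
# Files dropped into the Windows folder; the TEMP\Binary32\ copy has a random 6-char name (assumed alphanumeric).
DROPPED_NAMES = {"melda.scr", "systools.exe", "sysscript.exe", "melda.zip", "melda.rar"}
BINARY32_RE = re.compile(r"\\temp\\binary32\\[a-z0-9]{6}\.exe$", re.IGNORECASE)

def check_registry(snapshot):
    """Hits from a {'HIVE\\Key\\ValueName': data} snapshot (assumed format, e.g. built from reg export)."""
    lookup = {k.lower(): v for k, v in snapshot.items()}
    hits = []
    for key, name, data in REGISTRY_INDICATORS:
        actual = lookup.get(f"{key}\\{name}".lower())
        if actual is None:
            continue
        actual_s = str(actual).lower()
        if actual_s == data or actual_s.endswith("\\" + data):  # Run data is a path: match its file name
            hits.append(f"registry: {key}\\{name} = {actual}")
    return hits

def check_files(paths, windir=r"C:\WINDOWS"):
    """Hits from a list of full file paths (e.g. from a directory walk); windir is the Windows folder."""
    windir = windir.lower()
    hits = []
    for path in paths:
        folder, _, name = path.lower().rpartition("\\")
        if folder == windir and name in DROPPED_NAMES:
            hits.append(f"file: {path}")
        elif path.lower().startswith(windir) and BINARY32_RE.search(path):
            hits.append(f"file (random-name copy): {path}")
    return hits

# Constructed sample data mirroring the description; not captured from a real host.
SAMPLE_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Toolkit": r"C:\WINDOWS\Systools.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon": r"C:\WINDOWS\System32\ctfmon.exe",
    r"HKCU\Software\Kazaa\localcontent\Disablesharing": 0,
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools": 1,
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden": 2,
}
SAMPLE_FILES = [r"C:\WINDOWS\Melda.scr", r"C:\WINDOWS\Systools.exe", r"C:\WINDOWS\notepad.exe", r"C:\WINDOWS\Temp\Binary32\qx7k2p.exe"]

def scan(snapshot=SAMPLE_REGISTRY, paths=SAMPLE_FILES, windir=r"C:\WINDOWS"):
    """Combine both checks; an empty list means none of the listed artefacts were found."""
    return check_registry(snapshot) + check_files(paths, windir)
```

Only the value names and data the description lists are matched, so the benign ctfmon Run entry and notepad.exe in the sample are ignored.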