This is a mass-mailing worm that also spreads via mIRC, KaZaA, network shares, and mapped drives. It can send mail using either SMTP or MAPI. The virus also drops a mIRC bot script, closes windows belonging to security products, and deletes files of certain anti-virus and firewall programs. Upon execution, the virus displays a fake error message.
The virus may arrive in an email message whose subject, body and attachment name are picked at random from the following lists:
Subject:
- Zdrasti
- Ohoo
- Ei dupe
- ZzZz
- Vajno
- Bla Bla
- HeY
- BlaBla
- yoOo
- Wow
- Hi
Body (the later bodies are Bulgarian written in Latin script and are kept verbatim here because they are detection indicators; they are variants of the English ones, mentioning a "credit card generator", a "virus warning" with an attached "patch", an mp3 download tool, and a web site link; %s is a placeholder that the worm fills in at run time):
- Hey you!! Wasssssssuppppppp :)))) Where are you? What are you doing? I've just got high in the sky, my oh my :)) It's like I don't care about nothing man :)) sMiLe :oP~pPPPpp I send you a sexy, little thing :)) Everything is just an illusion. Believe me.. It's time to say goodbye now.. See you
- Hello :>> How are you? What're you doing :) Do you have Blade 2? I've just watched it twice, it's marvellous! You can't guess what I've found.. A working Credit Card generator :))) I purchased a bride from Russia yesterday :) LoL.. I gave a fake address of course :))) Promise me not to send it to anybody! Don't go too far and watch out :)) Bye..
- YoOo :)) What a nice day, what a nice time :) What a nice world :)) Do you have Blade 2? I've just watched it twice, it's marvellous! lol ~pPp Do you have any ATC's mp3z? CooL :))) I've found them with this program, it's like Napster, but it's legal :)) P.S. Download ATC - Why oh why.mp3 !!! Bye ~~~~ppPpP ;)
- There is a new, dangerous virus in the net. It's called Roro and it's using IRC to infect computers. The virus deletes movies, music and system files. To prevent from infecting, install McAfee Anti-Script 2002. It's a 30-days demo.. So, how are you? Good, Bad? I'm oK. I wanted to write you a longer letter, but i didn't have enough time.. sorry. Bye
- Hey :) Wasupp ~Pp I wanted to write you a letter, but i didn't know what to talk about actually :) Have you ever done an IQ test, i've just scored 120 points :) I'm not sure if this is good or bad, who cares :) Have you visited %s :) Finally, how are you:) i'll be very happy if you send me 1,2 funny cards :)))) bye! :)
- Hi buddy, what's up :)) I've only wanted to remind you not to forget about our little, dirty secret :) And don't tell anybody :Ppp. Have you seen this site - %s c00l :) Leave this away, how are you? Send me sth cool, plzz :)
- HeY.. Buddz what'z up :) How are you? I'm fine, 10x!! My friend Nina is here and we are.. You know :) Lalala !! Be happy, don't worry ~pPp. Btw check this site - %s, it's fresh :)) I'm a little drunk and i've gotta go now !! Wish me luck :)) Cya
- Hi, kak e :) ko si praikash? az si slusham muzichka - ATC i Mortal Kombat Soundtrack - Varhovni sa, napravo izbuhnah :))) Drapnah si gi ot neta s taq programka - ima 200 kubriliona klasacii :) Naposledak muzikata e edno ot malkoto mi udovolstviq P.S. Obezatelno si drapni ATC - Why oh why.mp3 :))Chao, doskoro!!
- Ima nov opasen virus v neta! Razprostranqva se predimno po IRC i ICQ. Vnimavai da ne se zarazish, zashtoto iztriva Mp3-ki, Filmi i Dokumenti. Izpratih ti patch, koito shte te pazi ot zarazqvane. Iskah da napisha po-dulgo pismo, no nqmah vreme, sorka.. Naposledak imam adski mnogo rabota nalqvo nadqsno :)) Inache kak varvi? Chao i watch out :)))
- Zdrasti, kak q karash :) az sam dobre, makar che naposledak imam malko problemi. Tvarde mnogo mi se strupa navednaj, udarih si rakata ei sq i mnogo me boli.. Kakvo da se pravi, takav e jivota.. Vchera namerih nqkav generator na kreditni karti i mai bachka, samo edin put go probvah ama stana, vij dali pri teb sha raboti i umnata :) Ai doskoro :)) Chao ti
- Zdr, izpratih na vsichki edna programka, mnoo qka, btw to imeto si pokazva. Subject-a e ot tam i ima i drugi mnogo qki misli. Moje da pokaje nai-podhodqshtiq partnior v liubofta :)) Ujasno e kak liubofta moje da ubie vsichko v teb.. Za shtastie ne vinagi e taka :) Inache nishto novo, karam q nqkak.. Sega trqbva da izlizq za malko tai che bye :))
- Zdrasti :)) Nqma da povqrvash kakvo mi se sluchi neska :) Vidqh Slavi Trifonov i nqkvi mnoo qki madami s nego :))) Ko shi kaish a? Misleh da mu iskam avtograf ama me dosramq :(( Karai, drug pat ~pP. Begai na %s :) Malko e stranen, no ne e losh. Hmm, ti ko praish? Pishi mi :) Chao
- Zdravei, zdrasti, dai pari za pasti :)) Ko praish? Za teb neznam ama v momenta se chustvam mnoo qko i reshih da ti pisha :) Kolko ti e rekorda na minichkite? Toku shto na Expert razminirah za 2 minuti :))) Ei sq smqtam da si vzema nqkoi qk film i da gledam. Hodil li si na %s - Mnoo me kefi :)) Za drugo ne se seshtam tai che chao za sega :))
- Hey, kak varvi, neshto novo ima li :) Adski mi sa spi, daje ei sq smqtam da si legna ama purvo shte si vzema edin dush :)) Skoro shti pratq onva deto obeshtah, za sq mojesh da hvarlish edno oko na %s - ako imash nqkvi predlojeniq, komentari ili kakvoto i da e pishi mi :)) Aide doskoro i umnata ~pPp
Attachments may include:
- [TNT] Gen.exe
- Setup.exe
- mTV Charts.exe
- Worm Guard.exe
- Love Zodiak.exe
The virus may also drop copies of itself under the following file names in the KaZaA shared folder:
- Password Recovery v4.5.exe
- Star Craft 2 Trailer.exe
- WWF!!_The_ROCK(sHOw).exe
- cRedit CarDs gEn v1.2.exe
- WinZip 8.2 (Cracked).exe
- GTA 3 Bonus Cars.exe
- Eminem Desktop.exe
- DMX tHeMe (full).exe
- NFS 5 Bonus Cars.exe
- Counter Strike 1.5 (Editor).exe
- Madonna - My Life (Review).exe
- DivX 5.4 Bundle.exe
- KaZaA Media Desktop v1.8.3.exe
- Win XP key gen 2.1B.exe
- Serials 2002 Update.exe
The virus drops many copies of itself, each placed inside an existing folder and named after that folder with 16, 32, or 98 appended. For example, for the folder:
- C:\Program Files\Online Services
the copy is:
- C:\Program Files\Online Services\Online Services 98.exe
A registry Run value named after the folder is then created for the dropped file:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Online Services = C:\Program Files\Online Services\Online Services 98.exe
This can occur for any folder within %Program Files%. In a similar fashion the virus takes the name of a DLL file in the Windows system directory (%SysDir%), copies itself under a similar name, and adds a run= entry for that file to the [windows] section of WIN.INI (this is an INI entry, not a registry key), for example:
- run=C:\WINDOWS\SYSTEM\MSPRINT 98.exe
The virus overwrites the mIRC configuration files (mirc.ini, remotes.ini, controls.ini, versions.ini, notes.ini, url.ini, version.ini) to turn the installed mIRC client into an IRC bot. This bot allows a remote attacker to use the compromised system to perform various functions, such as:
- Log on to IRC channels
- Upload/download files
- Initiate a Denial of Service attack
- Access websites
- Mass-mail the worm via SMTP
Note: When the mass-mailing command is issued via the mIRC bot, the messages the worm sends exploit the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability (MS01-020) in Microsoft Internet Explorer (versions 5.01 and 5.5 without SP2). On a vulnerable system the attachment is executed simply by viewing or previewing the message in a mail client that renders HTML mail with the affected IE engine, such as Outlook, with no user action needed. Gateway scanners detect samples using this exploit as Exploit-MIME.gen or Exploit-MIME.gen.exe with the 4213 DATs or later.
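The MS01-020 trick is a mismatch between what the MIME headers declare and what the attachment really is: an executable file name carried in a part whose Content-Type names a media type the IE 5.x renderer opens inline (audio/x-wav is the type the public advisory for MS01-020 is known for; it is not stated in this write-up). The following is an added example, not code from the write-up or from any vendor product, showing how a gateway-style check can flag that mismatch. The sample message is constructed for the demo and carries a few harmless bytes rather than the worm; the extra media types in INLINE_TYPES are an assumption used to broaden the check.

```python
"""Detect MS01-020-style MIME mismatches in a raw e-mail message.

Added example for this write-up, not code from it. It flags an attachment
whose file name has an executable extension while its Content-Type claims a
media type that an IE 5.x mail renderer would open inline. SAMPLE_MESSAGE is
constructed for the demo; its attachments hold the bytes "ABC", not the worm.
"""
import email
from email import policy

# Extensions Windows runs as code when the file is opened.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Media types handed straight to a viewer/player rather than treated as a
# download. audio/x-wav is the documented MS01-020 type; the rest are an
# assumption to widen the net.
INLINE_TYPES = {"audio/x-wav", "audio/x-midi", "image/gif", "image/jpeg"}

SAMPLE_MESSAGE = """\
From: friend@example.org
To: you@example.org
Subject: Zdrasti
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hey you!! Wasssssssuppppppp :))))
--b1
Content-Type: audio/x-wav; name="Worm Guard.exe"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="Worm Guard.exe"

QUJD
--b1
Content-Type: application/octet-stream; name="Setup.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Setup.exe"

QUJD
--b1--
"""


def extension_of(filename):
    """Lower-cased extension including the dot, or '' if there is none."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_mime_mismatches(raw_message):
    """Return (filename, content_type) for every leaf part that pairs an
    executable file name with an inline-rendered media type."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()  # Content-Disposition first, then name=
        if not filename:
            continue
        ctype = part.get_content_type()  # normalised to lower case
        if extension_of(filename) in EXEC_EXTS and ctype in INLINE_TYPES:
            findings.append((filename, ctype))
    return findings


if __name__ == "__main__":
    for filename, ctype in find_mime_mismatches(SAMPLE_MESSAGE):
        print(f"MS01-020-style mismatch: {filename!r} declared as {ctype}")
```

The second attachment (Setup.exe as application/octet-stream) is deliberately not flagged by this rule: it is an honest executable attachment, which a gateway would block on extension alone. The check here isolates the header inconsistency that let the worm run without a click.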
W32/Oror.b@MM also copies itself as Rundll16.exe in the Windows directory and adds the registry value:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LoadCurrentProfile = "Rundll16.exe powprof.dll,LoadCurrentUserProfile"
The value name and command mimic the legitimate Windows 9x startup entry LoadPowerProfile ("Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"); Rundll16.exe is not a Windows component, so its presence in the Windows directory is itself an indicator.
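The persistence entries described above (the folder-name clones ending in " 16.exe", " 32.exe" or " 98.exe" under the Run key, the WIN.INI run= target, and the Rundll16.exe LoadCurrentProfile value) are easy to hunt for because of their fixed naming scheme. The following is an added example, not code from the write-up or from any vendor product: it runs the checks over constructed sample data (a dict standing in for the values of the HKLM Run key and a string standing in for WIN.INI). Only the indicators come from the write-up; the benign entries are made up for the demo.

```python
"""Hunt for the persistence entries this write-up attributes to W32/Oror.b@MM.

Added example, not part of the original write-up. The indicators come from
the write-up; the sample registry values and WIN.INI text are constructed.
"""
import re

# <dir>\<Name>\<Name> 16.exe|32.exe|98.exe: the copy is named after the
# folder that holds it, so the backreference enforces that the two match.
FOLDER_CLONE = re.compile(
    r"^(?P<dir>.*\\)(?P<name>[^\\]+)\\(?P=name) (?:16|32|98)\.exe$", re.IGNORECASE)
# WIN.INI run= target of the form <sysdir>\<dllname> 16.exe|32.exe|98.exe.
WININI_CLONE = re.compile(
    r"^run=(?P<path>.*\\(?P<name>[^\\]+) (?:16|32|98)\.exe)\s*$", re.IGNORECASE)
# The loader value; rundll16.exe is not a Windows binary and the DLL name
# differs from the legitimate powrprof.dll.
RUNDLL16 = re.compile(r"\brundll16\.exe\b.*powprof\.dll", re.IGNORECASE)

RUN_VALUES = {  # constructed sample of HKLM\...\CurrentVersion\Run
    "Online Services": r"C:\Program Files\Online Services\Online Services 98.exe",
    "LoadPowerProfile": r"Rundll32.exe powrprof.dll,LoadCurrentPwrScheme",  # legit
    "LoadCurrentProfile": r"Rundll16.exe powprof.dll,LoadCurrentUserProfile",
    "Setup": r"C:\Program Files\Acme\Setup.exe",  # benign, wrong shape
}

WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\MSPRINT 98.exe
[Desktop]
Wallpaper=(None)
"""


def scan_run_values(values):
    """Return (value_name, kind) for every Run value matching an indicator."""
    findings = []
    for name, data in values.items():
        if FOLDER_CLONE.match(data):
            findings.append((name, "folder-clone"))
        if RUNDLL16.search(data):
            findings.append((name, "rundll16-loader"))
    return findings


def scan_win_ini(text):
    """Return run= targets in the [windows] section that fit the clone scheme."""
    findings = []
    in_windows = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_windows = line.lower() == "[windows]"
            continue
        if in_windows:
            m = WININI_CLONE.match(line)
            if m:
                findings.append(m.group("path"))
    return findings


if __name__ == "__main__":
    for name, kind in scan_run_values(RUN_VALUES):
        print(f"Run\\{name}: {kind} -> {RUN_VALUES[name]}")
    for path in scan_win_ini(WIN_INI):
        print(f"win.ini run= clone -> {path}")
```

On a live system the two inputs would come from the Run key and from %WinDir%\win.ini; a stricter version of the WIN.INI check would also confirm that a DLL with the same base name exists in the system directory, since that is where the worm takes the name from.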
The virus closes any window whose title contains one of the following strings:
- black
- panda
- shield
- guard
- scan
- mcafee
- nai_vs_stat
- iomon
- navap
- avp
- alarm
- f-prot
- secure
- labs
- antivir
It also searches for folders and subfolders whose names contain any of the following strings and deletes them together with the files inside. An entry given as a quoted pair matches only when the folder name contains both strings:
- "virus" and "norton"
- "ice" and "black"
- pc
- cillin
- mcafee
- "labs" and "zone"
- guard
- worm
- antivir
- f-secure
- f-prot
- kaspers
- avp
- panda