Destructive functions and features include a built-in back-door intended for unsanctioned remote control of victim computers and the ability to spread via many communication channels - all of which places this worm in an especially high danger category.
"Roron" spreads using several data transfer channels: via email as an attached file, via local area networks and the KaZaA file-sharing network. Systems become infected only if a user manually launches (opens) the file containing the worm that was received via one of the aforementioned sources. When penetrating a computer, "Roron" creates a copy of itself in the Windows system directory and Program Files and then registers one of these files in the system registry's auto-run key. In this way the worm ensures its activation the each time the system is booted. Sometimes, when infecting, the worm displays a false warning:
WinZip Self-Extractor License Confirmation
Your version of WinZip Self-Extractor is not licensed, or the license information is missing or corrupted. Please contact the program vendor or the web site (www.WinZip.com) for additional information.
After the infection routine is complete, "Roron" activates its spreading routines:
* To spread via e-mail it clandestinely creates a message that may have different subjects, texts and attached file names. Then it sends this message to the recipients whose adresses it found in the InBox folder of the infected computer.
* To spread via a local area networks the worm searches available network resources, allocates those having file-sharing resources and copies itself under a random name. This way "Roron" may spawn its copies to the public file servers that may lead other network users to download these files and infect their own machines.
* To spread via the KaZaA network the worm searches for KaZaA file-sharing folders where it inserts its copy, thus making it available for download by other KaZaA users.
"Roron" carries a very impressive armory of extremely dangerous payload and backdoor functions. In case the infected computer has a mIRC client installed (software used to access Internet Relay Chat (IRC) channels) the worm infects it with a backdoor component. This allows a mal-intended person to gain unauthorized remote control over the infected computer: unnoticed a malefactor can download, upload, execute files, send out e-mail messages on behalf of the user, etc. The backdoor component also carries a feature for performing DoS-attacks (Denial of Service) from the infected computer launched against other computers specified by the hacker. Therefore, if "Roron" causes a global outbreak infecting the high number of systems such as Tanatos (BugBear) or Lentin (Yaha), it may enable hackers to perform massive distributed DoS-attacks even more powerful than the huge attack occurring two weeks ago when 13 Internet "backbone" servers were attacked, ultimately bringing nine of them temporarily down.
"Roron" also destroys data stored on hard drives. This payload is activated in case at least one of the following conditions is fulfilled:
* the current system date is the 9th or 19th (regardless of the current month)
* one of the worm's core components is deleted (WINFILE.DLL)
* the worm's Windows system registry keys are deleted
* randomly, depending on the worm's internal counter
"Roron" also searches for some anti-virus software programs in the operating memory and deactivates them. In addition the worm tries to delete this anti-virus software from the hard drive.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.