W32.HLLW.Oror.B@mm

Published: 2007-12-23


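Virus name: W32.HLLW.Oror.B@mm

Category: Worm

Virus details:

    Impact:

    1. Sends e-mail: sends large volumes of infected e-mail to every address found in mailboxes and in the Windows Address Book;

    2. Deletes files: deletes antivirus files;

    3. Modifies files: modifies Win.ini so that the worm runs when Windows starts;

    4. Leaks data: sends cached passwords to the worm's author;

    5. Compromises system security: deletes "security program" files and closes security windows;

    Propagation

    1. E-mail

    Subject: varies

    Attachment: varies

    Attachment size: 131,072 bytes, 139,264 bytes, 72,192 bytes, 131,072 bytes

    2. Shared drives: copies itself to local and network drives

    Technical characteristics:

    The worm spreads not only by e-mail but also through mIRC, network shares and mapped drives. It tries to close the windows of various antivirus and firewall programs, and deletes those programs.

    Its infected e-mails have the following characteristics: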
    
    Subject: Blondinkii

    Attachment: Blondies.exe

    Subject: <current user name of the infected machine> sent you a Yahoo! Greeting_

    Attachment: Yahoo!Tomcats.exe

    Subject: Microsoft Bulgaria_

    Attachment: IE_0274_bg.exe

    Subject: Vajno_

    Attachment: IE50_032_Setup.exe

    Subject: WinAMP Team_

    Attachment: Iguana1.0_SKIN.exe

    Subject: Virus Alert_

    Attachment: IE_0276_Setup.exe

    Subject: Yahoo! Toolbar_

    Attachment: Yahoo!Toolbar.exe
    
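    After it runs, the worm:

    1. Displays a fake error window;

    2. Copies itself to the Windows directory under a random file name.

    3. Adds the value LoadCurrentProfile <random file name> powprof.dll,LoadCurrentUserProfile

    to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs automatically when Windows starts.

    4. Picks a random file name from the C:\%system% folder and copies itself as one of the following:

    C:\%system%\<chosen file name>2k<extension>

    C:\%system%\<chosen file name>16<extension>

    C:\%system%\<chosen file name>32<extension>

    For example, if the worm finds the file C:\Windows\System\Netapi.exe, it copies itself as C:\Windows\System\Netapi16.exe.

    5. Inserts the following lines into C:\Windows\Win.ini, so that the worm copy runs automatically every time Windows 95/98/Me restarts:

    [windows]

    run=C:\%System%\<worm file>

    6. Picks a random subfolder of C:\%ProgramFiles% and copies itself into that folder, using the folder's name followed by "2k", "16", or "32" as its file name. It then adds a value pointing to this copy under the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    For example, if the worm finds the folder C:\Program Files\Internet Explorer, it copies itself as C:\Program Files\Internet Explorer\Internet Explorer2k.exe and adds the value

    Internet Explorer C:\Program Files\Internet explorer\Internet Explorer2K.exe

    to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    7. Closes every window whose title bar contains any of the following strings: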
    
    black
    
    panda
    
    shield
    
    scan
    
    McAfee
    
    labs
    
    zone

    
    alarm
    
    agent
    
    avp
    
    msie
    
    navap
    
    mstask
    
    webcheck
    
    iomon
    
    nai_vs_stat
    
    Searches for all folders and subfolders whose names contain any of the following strings, and deletes every file in them:
    
    labs and zone
    
    kASPers
    
    mcafee
    
    panda
    
    avp
    
    pc
    
    cillin
    
    black and ice
    
    norton and virus
    
    8. Sends out infected e-mails whose content is generated randomly.

    Subject:

    The subject is chosen from the following:
    
    HeY
    
    ZzZz
    
    Bla Bla
    
    HoWie
    
    Happy
    
    Hi Again
    
    Wow
    
    Hi
    
    Hello
    
    Hey Ya
    
    Boom
    
    Hi There
    
    Zdrasti
    
    Zdr Otnovo
    
    Ohoo
    
    Ei dupe
    
    Pisamce
    
    TinKi WinKy
    
    ZzZz
    
    Bla Bla
    
    Hey
    

    Privet
    
    Boom
    
    followed by one of the following strings:
    
    ..
    
    !!
    
    :)
    
    ;))
    
    :pPpP
    
    ~pPp
    
    :>
    
    !
    
    ;)
    
    Body:

    The body is chosen from the following:
    
    1.Zdravei :)) Da ne me zabravi ve4e :) Ko praish? Za teb neznam ama v momenta se chustvam mnoo qko i reshih da ti pisha :) Kolko ti e rekorda na minichkite? Toku shto na Expert razminirah za 2 minuti :)) Ei sq smqtam da si vzema nqkoi qk film i da gledam. Hodil li si na %s - Mnoo me kefi :)) Za drugo ne se seshtam tai che chao za sega :)) I da pishesh :pP
    
    2.Hey :) Kak si? Otdavna ne sme se chuvali :)) Kak q karash, neshto novo ima li? Nqma da povqrvash kakvo mi se slUChi neska :) Vidqh Slavi Trifonov i nqkvi mnoo qki madami s nego :))) Ko shi kajesh a? Misleh da mu iskam avtograf ama me dosramq :(( Karai, drug pat ~pP. Skoro shti pratq onva deto obeshtah, za sq mojesh da hvarlish edno oko na %s - ako imash nqkvi predlojeniq pishi mi :)) Aide doskoro i umnata ~pP
    
    3.Ekiput na Kefche.com ima radostta da pozdravi vsichki fenove na Kefcheto s 1-ta godishnina ot puskaneto na site-a.
    
    Nie se prevurnahme v nai-dobriq i poseshtavan bg site za zabavleniq i igri. Ot samoto si nachalo Kefche.com ima za cel da vi nosi samo i edinstveno smqh i zabava, nadqvame se che sme postignali celite si :))
    
    Po sluchai godishninata, ekiput ni poe iniciativata da izprashta vsqka sedmica nai-dobrite flash-cheta i igrichki na vsichki user-i poseshtavashti Kefche-to.
    
    Nadqvame se da vi haresa i tova da bude samo nachaloto na edno novo zabavlenie :))
    
    -----------------
    
    Kefche.com Team.
    
    4.Zdrasti, ko staa :))) Baq vreme ne sme se chuvali. Beshe mi skuchno i si vikam shto da ne napisha nqkoi drugo pismo :)) Sq i tva daskalo i napravo ujas, ne sa jivee :) Ti ostai drugoto ami i e studeno.. ~PpPp. Dano idva vakanciqta po skoro :)) Pishi neshto interesno, kak q karash, neshto novo ima li :) Pratih ti onva deto obeshtah, qko a :)) Aide i chakam..

    
    5.Hey :) Wasupp ~Pp I wanted to write you a letter, but i didn‘t know what to talk about actually :) Have you ever done an IQ test? I‘ve just scored 120 points :) I‘m not sure if this good or bad is,but who cares :) Have you visited %s :) Finally, how are you:) I‘ll be very happy if you send me 1,2 funny cards :)) bye! :)
    
    6.Hi again :)) Where are you? Don‘t you chat any more? I haven‘t seen you so long.. Well, I‘ve got a lot to tell you about. The Summer vacation was too good to be true. Beach, disco‘s, friends.. Unfortunately, it‘s Winter now and the temperatures here are very low. I was ill almost 2 weeks. Quite unpleasant :(( Let‘s talk about you :) Are you oK? Are you in love :)) I sent you a surprise :)) There are cool thoughts, especially about love. It‘s nice. I‘m a little bit bored of these stupid computers, but I‘m waiting for the reply :)) Bye!
    
    7.Hi again :)) Where are you? Don‘t you chat any more? I haven‘t seen you so long :)) Well, I‘ve got a lot to tell you about. The Summer vacation was too good to be true. Beach, disco‘s, friends.. Unfortunately, it‘s Winter now and the temperatures here are very low. I was ill almost 2 weeks. Quite unpleasant :(( Have you visited . A little bit strange, but nice :)) Finally, how are you? Write to me :)) Byeee :pP
    
    followed by one of the following lines:
    
    P.S. Hvarli edno oko na :))
    
    P.S. Bqgai na mnoo zdravo flash4e ima :pP
    
    P.S. Be happy, don‘t worry ~pPp. Check this - Cool :))
    
    P.S. Have you visited :) Co0l :))
    
    Attachment:

    The attachment name is chosen from the following:
    
    BoxDave_
    
    PcDudes
    
    Pamela 3D_
    
    Kama Sutra
    
    LaFemmeNikita
    
    Fishfood
    
    install_en_
    
    Story017_
    
    Inter012_
    
    Actu002_
    
    Chess
    
    followed by:

    
    (sHow)
    
    3D
    
    (Eng)
    
    2.3
    
    with the extension .exe

    or:
    
    install_en_
    
    ClubExtreme
    
    WWF_The_ROCK
    
    EminemDesktop
    
    DMX tHeMe
    
    Inter012_
    
    Story017_
    
    Gipsy
    
    sound_brake_
    
    Elfbowl
    
    Goggles
    
    snowball_fight_
    
    Chess
    
    followed by:
    
    2.1
    
    (zip)
    
    (sHow)
    
    3D
    
    _zip
    
    (Eng)
    
    _v1.1
    
    with the extension .exe

    or:
    
    PcDudes
    
    BritneyUltimate
    
    Pamela 3D_
    
    Britney Suxx
    
    KamaSutra
    
    LaFemmeNikita
    
    Teen Sex Cam
    
    Lolita
    
    Pam Anderson Theme
    
    Sexy Teens Desktop
    
    SexSpy
    
    Anal Explorer
    
    VirtualRape
    
    Hot Blondies
    
    Strip Kournikova
    
    followed by:
    

    (sHow)
    
    3D
    
    3.0
    
    (Eng)
    
    v4.5
    
    (Rated)
    
    with the extension .exe

    or:
    
    cRedit_CarDs_gEn
    
    MeGa HACK
    
    Zip PassWord Recovery
    
    GTA 3 Bonus Cars(part1)_
    
    EminemDesktop
    
    DMX tHeMe
    
    NFS 5 Bonus Cars_
    
    Counter Strike 1.5 (Editor)_
    
    Madonna Desktop
    
    WinZip 8.2_
    
    DivX 5.4 Bundle_
    
    KaZaA Media Desktop v2.0.8_
    
    Serials 2K 7.2 (by SNTeam)_
    
    Serials2002_8.0(17.08.02)_
    
    Dreamweaver_5.0_Patch_
    
    ACDSee
    
    WinAmp_3.2_Cool_
    
    Download Accelerator 5.5_
    
    Nero Burning Rom 5.6.0.3_
    
    followed by:
    
    7.1 FULL
    
    v5.5
    
    (zip)
    
    3.0
    
    (Eng)
    
    (Cracked)
    
    with the extension .exe

    Fixed-format e-mails:

    Subject: Blondinkii

    Body:
    
    Hey :)) Kak q karash? Pomnish li me oshte :)) Nadqvam se che da. Baq vreme ne sme sa chuvali.. Neshto novo ima li? Namerih edna mnoo qka programka

    
    i neznam zashto, no mi napomni za teb :))
    
    Kakvo pravi blondinka kato rodi bliznaci? - Chudi se koi e vtoriq tatko :) Kakva e razlikata mejdu 10 ovce i 3 blondinki? Otgovor: 7 Kak mojesh da razsmeesh blondinka v petak? - Kato i razkajesh vic vav vtornik :)
    
    Kefqt li ta vicovete? Shegichka de :) Razkazva vicove na 5 minuti :)) Posmqh se za baq vreme napred :pPpP Haide bye za sega, i da pishesh :))
    
    Attachment: Blondies.exe

    Subject: Yahoo! Games_

    Body:
    
    Yahoo! Team is proud to present our new surprise for clients of Yahoo! and Yahoo! Mail.
    
    We plan to send you the best Yahoo! Games weekly.This new service is free and it‘s a gift for the 5th anniversary of Yahoo!. We hope that you would like it. The whole Yahoo! Team want to express our gratitude to you, the people who help us to improve Yahoo! so much, that it became the most popular worldwide portal.
    
    Thank You!
    
    We do our best to serve you.
    
    -------------
    
    Yahoo! Team.
    
    Yahoo.com
    
    Attachment: Yahoo!Chess.exe

    Subject: sent you a Yahoo! Greeting_

    Body:
    
    Surprise! You‘ve just received a Yahoo! Greeting from "" ()!
    
    This is an interactive greeting card and requires Flash Media Player.
    
    Enjoy!
    
    The Yahoo! Greetings Team.
    
    -----------------
    
    Yahoo! Greetings is a free service. If you‘d like to send someone a Yahoo! Greeting, you can do so at http://greetings.yahoo.com
    
    Attachment: Yahoo!Tomcats.exe

    Subject: Microsoft Bulgaria_

    Body:
    
    Blagodarenie na dulgogodishnite tradicii na Microsoft v Bulgaria i dobrata i suvestna rabota na vsichki neini podchineni, mojem nai-nakraq da pozdravim bulgarskiq potrebitel s prevod na Internet Explorer na bulgarski.

    
    Tova e edno uspeshno produljenie na iniciativata za prevejdane na Ms Office 2000 ® na rodniq ni ezik. Update-a e bezplaten i e podaruk po sluchai 10 godishninata na Microsoft v Bulgaria.
    
    Nadqvame se bulgarskite potrebiteli da ostanat dovolni, koeto shte bude nai-golemiq podaruk za nas.
    
    ---------------------
    
    Microsoft, Bulgaria.
    
    Attachment: IE_0274_bg.exe

    Subject: Vajno_

    Body:
    
    Panda Antivirus preduprejdava za nalichieto na nov virus v internet, narechen W32.Roro@mm. Razprostranqva se predimno po IRC i chrez zarazeni internet stranici. Sled zarazqvaneto toi iztriva mp3-ki, filmi i dokumenti.
    
    Poradi golemiq broi zarazeni bulgari prez poslednite nqkolko dena, Panda Antivirus zapochna razprostranenieto na patch, koito opravq bug v Internet Explorer 5.5 i minali versii, pozvolqvasht na stranici sas zlovredno sudurjanie da izpulnqvat komandi vurhu posetitelite.
    
    Druga nasha preporuka e ako ste veche zarazeni da ne opitvate da mahate virusa ruchno, a samo s antivirusna programa, poneje pri neuspeshen opit za premahvane W32.Roro iztriva razlichni vidove failove na operacionnata sistema.
    
    -----------------
    
    Panda Antivirus, Bulgaria.
    
    Computel.bg
    
    Attachment: IE50_032_Setup.exe

    Subject: WinAmp Team_

    Body:
    
    Hello, WinAmp User. WinAmp Team is proud to present our new surprise for users of WinAmp. WinAmp 3.0 Final has been just released and we believe that it will be the player you‘ve ever dreamed about.
    
    We plan to start a new tradition, sending the best skin or add-on to our users every week. This new service is free and we hope that you would like it.
    
    Everyone can offer us suggestions.
    
    We do our best to serve you.
    
    ----------------
    

    WinAmp Team.
    
    WinAmp.com
    
    Attachment: Iguana1.0_skin.exe

    Subject: Blondes Forever

    Body:
    
    Hey, whatz up :)) Where are you? Don‘t you chat any more? I haven‘t seen you so long. Read this :))
    
    - What do blondes wear behind their ears to attract men? Their ankles!!
    
    - Why did god invent the female orgasm? So blondes know when to stop screwing!!
    
    - What is a blond with hair black colored? Artificial intelligence!
    
    Blondes forever!! :) Time off, i must go now, but i‘ll be very happy if you write to me soon :) Bye bye :))
    
    Attachment: Blondes.exe

    Subject: Virus Alert_

    Body:
    
    McAfee Antivirus warns about a new virus, called W32.Roro@mm. It is a high risk worm and it‘s using IRC and internet pages to infect computers. The virus deletes movies, music and system files.
    
    Due to the significant increase of infected users, Microsoft Corporation, with the collaboration of McAfee Antivirus, supports clients of Microsoft Windows with à patch, which fixes a bug in Internet Explorer 5.5 or minor versions. This bug allows internet pages to grant Access to local resources of visitors.
    
    -----------------
    
    McAfee Antivirus
    
    McAfee.com
    
    Attachment: IE_0276_Setup.exe

    Subject: Yahoo! Toolbar_

    Body:
    
    Yahoo! Team is proud to present our new surprise for clients of Yahoo! and Yahoo! Mail. Yahoo! Toolbar is an innovative technology, which helps you to access Yahoo! Services easier than ever. It is free and is a gift for the 5th anniversary of Yahoo!.We hope that you would like it. The whole Yahoo! Team want to express our gratitude to you, the people who help us to improve Yahoo! so much, that it became the most popular worldwide portal.
    
    Thank You!
    
    We do our best to serve you.

    
    -------------
    
    Yahoo! Team.
    
    Yahoo.com
    
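    Attachment: Yahoo!Toolbar.exe

    9. Copies itself to network shares and mapped drives, under file names generated randomly as follows:

    (1) Uses one of the following as the file name: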
    
    BoxDave_
    
    PcDudes
    
    Pamela 3D_
    
    Kama Sutra
    
    LaFemmeNikita
    
    Fishfood
    
    install_en_
    
    Story017_
    
    Inter012_
    
    Actu002_
    
    Chess
    
    followed by:
    
    (sHow)
    
    3D
    
    (Eng)
    
    2.3
    
    with the extension .exe

    or:
    
    install_en_
    
    ClubExtreme
    
    WWF_The_ROCK
    
    EminemDesktop
    
    DMX tHeMe
    
    Inter012_
    
    Story017_
    
    Gipsy
    
    sound_brake_
    
    Elfbowl
    
    Goggles
    
    snowball_fight_
    
    Chess
    
    followed by:
    
    2.1
    
    (zip)
    
    (sHow)
    
    3D
    
    _zip
    
    (Eng)
    
    _v1.1
    

    with the extension .exe

    or:
    
    PcDudes
    
    BritneyUltimate
    
    Pamela 3D_
    
    Britney Suxx
    
    KamaSutra
    
    LaFemmeNikita
    
    Teen Sex Cam
    
    Lolita
    
    Pam Anderson Theme
    
    Sexy Teens Desktop
    
    SexSpy
    
    Anal Explorer
    
    VirtualRape
    
    Hot Blondies
    
    Strip Kournikova
    
    followed by:
    
    (sHow)
    
    3D
    
    3.0
    
    (Eng)
    
    v4.5
    
    (Rated)
    
    with the extension .exe

    or:
    
    cRedit_CarDs_gEn
    
    MeGa HACK
    
    Zip Password Recovery
    
    GTA 3 Bonus Cars(part1)_
    
    EminemDesktop
    
    DMX tHeMe
    
    NFS 5 Bonus Cars_
    
    Counter Strike 1.5 (Editor)_
    
    Madonna Desktop
    
    WinZip 8.2_
    
    DivX 5.4 Bundle_
    
    KaZaA Media Desktop v2.0.8_
    
    Serials 2K 7.2 (by SNTeam)_
    
    Serials2002_8.0(17.08.02)_
    
    Dreamweaver_5.0_Patch_
    
    ACDSee
    
    WinAmp_3.2_Cool_

    
    Download Accelerator 5.5_
    
    Nero Burning Rom 5.6.0.3_
    
    followed by:
    
    7.1 FULL
    
    v5.5
    
    (zip)
    
    3.0
    
    (Eng)
    
    (Cracked)
    
    with the extension .exe

    10. By overwriting mIRC script files, it also sends copies of itself to mIRC users.

Alias: I-Worm.Roron.12 [AVP]

Discovery date: 2002-11-6
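
The naming and autostart patterns from steps 4 to 6, turned into a triage check over a file listing and a Win.ini dump. This is an added example, not part of the original write-up; the function names and sample data are constructed, and a name-pattern hit is only a lead for review, since benign files can match too.

```python
import re
from pathlib import PureWindowsPath
SUFFIXES = ("2k", "16", "32")  # suffixes the write-up says the worm appends

def suspicious_copies(paths):
    """Flag files named <sibling stem or parent folder name> + 2k/16/32."""
    parsed = [PureWindowsPath(p) for p in paths]
    siblings = {}  # (folder, extension) -> stems present there, lower-cased
    for p in parsed:
        key = (str(p.parent).lower(), p.suffix.lower())
        siblings.setdefault(key, set()).add(p.stem.lower())
    hits = []
    for p in parsed:
        stem = p.stem.lower()
        for sfx in SUFFIXES:
            base = stem[: -len(sfx)]
            if not stem.endswith(sfx) or not base:
                continue
            if base in siblings[(str(p.parent).lower(), p.suffix.lower())]:
                hits.append((str(p), "sibling+" + sfx))   # step 4 pattern
            elif base == p.parent.name.lower():
                hits.append((str(p), "folder+" + sfx))    # step 6 pattern
    return hits

def win_ini_run_targets(text):
    """Return the values of run= lines inside the [windows] section only."""
    targets, section = [], None
    for line in (l.strip() for l in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        entry = re.fullmatch(r"run\s*=\s*(.*)", line, re.I)
        if header:
            section = header.group(1).lower()
        elif entry and section == "windows" and entry.group(1):
            targets.append(entry.group(1))
    return targets

def triage(paths, ini_text):
    """Pair each name-pattern hit with whether Win.ini run= launches it (step 5)."""
    started = {t.lower() for t in win_ini_run_targets(ini_text)}
    return [(path, why, path.lower() in started)
            for path, why in suspicious_copies(paths)]

# Constructed sample data; Shell.dll/Shell32.dll is a benign look-alike pair.
SAMPLE_FILES = [
    r"C:\Windows\System\Netapi.exe",
    r"C:\Windows\System\Netapi16.exe",
    r"C:\Windows\System\Shell.dll",
    r"C:\Windows\System\Shell32.dll",
    r"C:\Program Files\Internet Explorer\Iexplore.exe",
    r"C:\Program Files\Internet Explorer\Internet Explorer2k.exe",
]
SAMPLE_INI = "[windows]\nload=\nrun=C:\\Windows\\System\\Netapi16.exe\n[Desktop]\nrun=x.exe\n"
if __name__ == "__main__":
    print(*triage(SAMPLE_FILES, SAMPLE_INI), sep="\n")
```

A hit that is also launched from Win.ini (third field True) deserves attention first; the same cross-check can be applied to values exported from the HKEY_LOCAL_MACHINE Run key named above.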