| Ronoper | |
|---|---|
| Type | Multi-vector worm |
| Creator | |
| Date Discovered | 2002.12.18 |
| Place of Origin | Turkey |
| Source Language | Delphi |
| Platform | MS Windows |
| File Type(s) | .exe |
| Infection Length | 32,768 bytes |
| Reported Costs | |
Ronoper is a worm that spreads over email and network shares. It also downloads a trojan that allows a remote connection into the infected system. It has many variants, some of which disable security software and add other ways of spreading, though its email spreading is always a very simple method. Ronoper was first seen in December of 2002 and likely comes from Turkey.
Behavior
Ronoper arrives in an email with a subject of "Re:" and attachment of "WinCfg32.exe". The message body is "I Hope you reply me. Thank you very much for reading my msg Bye." The attachment is a 16 kilobyte PE .exe, and around 50 kilobytes unpacked.
The worm only continues if the user saves and runs the attachment. It then copies itself to the Windows folder as WinCfg32.exe and creates a value under the local machine Run registry key pointing to that file path, so the worm starts whenever the computer is started.
To spread itself, the worm uses Windows MAPI features to reply to all messages in the mailboxes.
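As an added example (not from the original page), the following Python flags incoming mail matching the Ronoper lure described above: the "Re:" subject, the WinCfg32.exe attachment and the fixed body text. The sample messages are constructed here; the attachment is a harmless stub and the addresses are assumptions.

```python
# Detection of the Ronoper email lure: subject "Re:", attachment WinCfg32.exe,
# and the fixed body text. Sample messages are constructed for this example.
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Optional

LURE_SUBJECT = "re:"
LURE_ATTACHMENT = "wincfg32.exe"
LURE_BODY = "i hope you reply me"


def ronoper_indicators(raw: bytes) -> List[str]:
    """Return the names of the Ronoper lure indicators found in a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == LURE_SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        # Compare case-insensitively; Windows file names are not case-sensitive.
        if (part.get_filename() or "").lower() == LURE_ATTACHMENT:
            hits.append("attachment")
            break
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if LURE_BODY in text:
        hits.append("body")
    return hits


def is_ronoper_lure(raw: bytes) -> bool:
    """Two or more indicators together count as a match; a lone "Re:" subject is far too common."""
    return len(ronoper_indicators(raw)) >= 2


def build_sample(subject: str, body: str, attachment_name: Optional[str]) -> bytes:
    """Construct a test message (addresses are placeholders, attachment content is a stub)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ-stub", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return bytes(msg)


LURE = build_sample("Re:", "I Hope you reply me. Thank you very much for reading my msg Bye.", "WinCfg32.exe")
BENIGN = build_sample("Re:", "Attached are the meeting notes.", "notes.txt")

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("benign", BENIGN)):
        print(label, ronoper_indicators(sample), is_ronoper_lure(sample))
```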
Backdoor Trojan
The worm has a routine that installs a backdoor trojan. It connects to the web page ww.kamerali.com/kit/, downloads the file security.exe from there, and runs it. The page appears to be hosted in Turkey. This file allows the infected system to be connected to IRC channels, restarted remotely, and have information about it collected.
Variants
Ronoper produced enough variants to go through the alphabet once. Most variants are nearly identical to the original, differing only in a few file names. One variant (detected by Norton as the original) disables antivirus programs.
Ronoper.T
Trend Micro gives this variant the name "Dada". This version attempts to disable several antivirus and firewall products. It also adds the ability to spread over IRC and KaZaa.
Origin and Name
As the website it connects to appears to be in Turkey, that is likely where the worm originates. The title of the webpage it accesses is "Melis Guven", both common Turkish given and family names. The worm is named for the "ronop" IRC channel it tries to join.
Sources
Kaspersky Lab Polska, I-Worm.Ronoper - instaluje szkodliwe programy (I-Worm.Ronoper installs malicious programs).
Sophos Antivirus, W32/Ronoper-A. 2003.06.16.
Atli Gudmondsson, Symantec, W32.Ronoper.Worm. 2007.02.13.
Trend Micro, WORM_DADA.A.
Trend Micro, WORM_KAMERAL.A.
Spyware32, I-Worm.Ronoper.