Ronoper
Type: Multi-vector worm
Creator:
Date Discovered: 2002.12.18
Place of Origin: Turkey
Source Language: Delphi
Platform: MS Windows
File Type(s): .exe
Infection Length: 32,768 bytes
Reported Costs:

Ronoper is a worm that spreads over email and network shares. It also downloads a trojan that gives an attacker a remote connection into the infected system. It has many variants, some of which disable security software and add other ways of spreading, though the email spreading routine stays very simple in every one of them. Ronoper was first seen in December 2002 and most likely originates from Turkey.

Behavior

Ronoper arrives in an email with the subject "Re:" and an attachment named "WinCfg32.exe". The message body reads "I Hope you reply me. Thank you very much for reading my msg Bye." The attachment is a packed PE .exe of about 16 kilobytes, around 50 kilobytes once unpacked.

The worm exploits no vulnerability: the user must save and run the attachment for it to continue. It then copies itself to the Windows folder as WinCfg32.exe and adds a value under the HKEY_LOCAL_MACHINE Run key (Software\Microsoft\Windows\CurrentVersion\Run) holding that file path, so that it runs each time the computer starts.

To spread, the worm uses Windows MAPI to reply to every message in the user's mailboxes, which is why the subject of its messages is a bare "Re:".
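The lure and the persistence entry described above can be checked with a short triage script. The following is an added example, not code from the original page or from any antivirus vendor: the sample message and the .reg export fragment are constructed for illustration, the Run value name "WinCfg32" is an assumption (the page only gives the file path), and the function names are illustrative.

```python
"""Mailbox and Run-key IOC checks for the Ronoper behaviour described above.

Added example, not code from the original page or from any vendor. The
sample message, the .reg fragment and the value name "WinCfg32" are
constructed / assumed for illustration.
"""
import re
from email import policy
from email.parser import Parser

# Lure indicators taken from the description above.
LURE_SUBJECT = "Re:"
LURE_ATTACHMENT = "wincfg32.exe"
LURE_BODY = "I Hope you reply me. Thank you very much for reading my msg Bye."

# Constructed sample: a minimal MIME message shaped like the lure.
# The base64 payload is a placeholder stub, not the worm.
SAMPLE_EML = """From: someone@example.invalid
To: victim@example.invalid
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

I Hope you reply me. Thank you very much for reading my msg Bye.
--b1
Content-Type: application/octet-stream; name="WinCfg32.exe"
Content-Disposition: attachment; filename="WinCfg32.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""


def score_message(raw: str) -> dict:
    """Report which lure indicators a raw RFC 822 message matches.

    A bare "Re:" subject is far too common to act on by itself, so the
    attachment name is the deciding indicator; subject and body only raise
    confidence.
    """
    msg = Parser(policy=policy.default).parsestr(raw)
    subject_hit = str(msg["Subject"] or "").strip() == LURE_SUBJECT
    attach_hit = False
    body_hit = False
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() == LURE_ATTACHMENT:
            attach_hit = True
        if part.get_content_type() == "text/plain" and not name:
            if LURE_BODY in part.get_content():
                body_hit = True
    return {"subject": subject_hit, "attachment": attach_hit,
            "body": body_hit, "flag": attach_hit}


# Constructed sample: the relevant fragment of a "reg export" of the
# HKLM Run key. The value name "WinCfg32" is assumed; the page gives only
# the file path.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"WinCfg32"="C:\\WINDOWS\\WinCfg32.exe"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
PERSIST_FILE = "wincfg32.exe"


def parse_reg_values(reg_text: str, key: str) -> dict:
    """Parse the string values listed under one key of a .reg export."""
    values = {}
    current = None
    for line in reg_text.splitlines():
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            continue
        if current is None or current.lower() != key.lower():
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m:
            # .reg files escape backslashes as \\ and quotes as \"
            raw_value = m.group(2)
            values[m.group(1)] = raw_value.replace('\\\\', '\\').replace('\\"', '"')
    return values


def find_persistence(reg_text: str) -> list:
    """Return (name, path) for Run values whose target is WinCfg32.exe."""
    hits = []
    for name, path in parse_reg_values(reg_text, RUN_KEY).items():
        exe = path.strip('"').rsplit("\\", 1)[-1].lower()
        if exe == PERSIST_FILE:
            hits.append((name, path))
    return hits
```

On a live host, `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` writes UTF-16LE, so decode the file before handing it to `find_persistence`; raw .eml files go to `score_message` unchanged. A file named WinCfg32.exe under a different value name is still caught, because the match is on the target executable rather than the value name.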

Backdoor Trojan

The worm also has a routine that installs a backdoor trojan. It connects to the web page ww.kamerali.com/kit/, downloads the file security.exe from there, and runs it. The page appears to be hosted in Turkey. The downloaded file connects to IRC channels and can restart the infected system and collect information about it.

Variants

Enough Ronoper variants were named to run through the alphabet once. Most are nearly identical to the original, differing only in a few file names. One variant (which Norton detects as the original) disables antivirus programs.

Ronoper.T

Trend Micro names this variant "Dada". It attempts to disable several antivirus and firewall products, and adds the ability to spread over IRC and KaZaa.

Origin and Name

Since the website the worm connects to appears to be in Turkey, that is likely where it originates. The title of the web page it accesses is "Melis Guven"; Melis and Guven are, respectively, a common Turkish given name and family name. The worm is named after the "ronop" IRC channel it tries to join.
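The two network indicators the page gives, the download of security.exe from the kamerali.com site in the Backdoor Trojan section and the join to the "ronop" IRC channel named here, can be run over proxy and IRC traffic logs. The following is an added example, not code from the original page or from any vendor: the proxy lines are constructed in Squid access.log layout, the IRC lines are constructed raw client-to-server lines prefixed with the client address, the channel is assumed to be "#ronop", and the match is on the kamerali.com domain rather than the literal "ww." host so that the same site under "www." is caught as well.

```python
"""Network indicators for the Ronoper download and IRC backdoor.

Added example, not code from the original page or from any vendor. Log
lines are constructed; the channel name "#ronop" is assumed from the
"ronop" name given in the text.
"""
import re
from urllib.parse import urlsplit

# Indicators from the description: the drop site and the payload path.
# Match the registrable domain rather than the literal "ww." host so that
# a "www." spelling of the same site is caught too.
DROP_DOMAIN = "kamerali.com"
DROP_PATH = "/kit/security.exe"
IRC_CHANNEL = "#ronop"   # assumed spelling of the channel

# Constructed Squid-style proxy log:
# time elapsed client action/status bytes method url user hierarchy type
PROXY_LOG = """1040226201.113    512 10.0.0.7 TCP_MISS/200 34512 GET http://ww.kamerali.com/kit/security.exe - DIRECT/192.0.2.10 application/octet-stream
1040226205.881     40 10.0.0.9 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html
1040226210.002    600 10.0.0.12 TCP_MISS/200 34512 GET http://www.kamerali.com/kit/security.exe - DIRECT/192.0.2.10 application/octet-stream
"""

# Constructed IRC client-to-server lines, each prefixed with the client IP.
IRC_LOG = """10.0.0.7 NICK ron-4f2a
10.0.0.7 USER ron 0 * :ron
10.0.0.7 JOIN #ronop
10.0.0.9 JOIN #linux
"""


def is_drop_url(url: str) -> bool:
    """True if url points at the backdoor download described above."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    on_site = host == DROP_DOMAIN or host.endswith("." + DROP_DOMAIN)
    return on_site and parts.path.lower() == DROP_PATH


def hosts_fetching_backdoor(proxy_log: str) -> set:
    """Client IPs that fetched security.exe from the drop site."""
    hits = set()
    for line in proxy_log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, method, url = fields[2], fields[5], fields[6]
        if method == "GET" and is_drop_url(url):
            hits.add(client)
    return hits


def hosts_joining_channel(irc_log: str, channel: str = IRC_CHANNEL) -> set:
    """Client IPs that sent an IRC JOIN for the backdoor channel.

    JOIN may carry several comma-separated channels, and IRC channel names
    are case-insensitive, so both are handled.
    """
    hits = set()
    join = re.compile(r"^(\S+)\s+JOIN\s+(\S+)", re.IGNORECASE)
    for line in irc_log.splitlines():
        m = join.match(line)
        if not m:
            continue
        channels = [c.lower() for c in m.group(2).split(",")]
        if channel.lower() in channels:
            hits.add(m.group(1))
    return hits


def triage(proxy_log: str, irc_log: str) -> dict:
    """Combine both indicators; a host showing both is the strongest signal."""
    downloaded = hosts_fetching_backdoor(proxy_log)
    joined = hosts_joining_channel(irc_log)
    return {"downloaded": downloaded, "joined": joined,
            "both": downloaded & joined}
```

The domain check compares whole labels, so a look-alike such as kamerali.com.example is not matched; the download alone is a good reason to pull the host, and a host that also joined the channel has already run the payload.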

Sources

Kaspersky Lab Polska, I-Worm.Ronoper - instaluje szkodliwe programy (I-Worm.Ronoper installs malicious programs).

Sophos Antivirus, W32/Ronoper-A. 2003.06.16.

Atli Gudmondsson. Symantec, W32.Ronoper.Worm. 2007.02.13.

Archive of the trojan site.

Trend Micro, WORM_DADA.A.

Trend Micro, WORM_KAMERAL.A.

Spyware32, I-Worm.Ronoper.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License