Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Oror


Threat Risk LOW LOW
Destructivity HIGH HIGH
Payload Deletes files
Detection files published
Description created 07 Nov 2002 04:49:00
Description updated 30 May 2003 05:37:00
Malware type WORM
Alias I-Worm.Roron
Spreading mechanism EMAIL
Summary None



The worm spreads through mail, IRC, regular shared network drives and via the Kazaa file sharing network. When the worm spreads via email the user(s) may be infected by only previewing or opening the mail in Outlook/Outlook Express. This is accomplished using a known security hole "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment".Information and patch is available from: the worm is first run, it will install itself in memory. The process will not be visible in the task list if on Win9x/ME. It will define a mutex ,"DangalakMutex", to check whether it is already running; if so it terminates.It will now set up three concurrent threads. The first monitors the Registry to check whether there are any changes to the worm's own registry keys. The second monitors the Windows directory to check whether there are any changes to the files installed there. The third thread does the actual spreading of the worm.

Payload Details

In several occasions these worms will delete files on the local system.

- date-triggered payloads for the different variants:

A: Date is 9th, 19th or 29th
B: Date is 25th
C: Date is 9th or 19th
D: Date is 19th
E: Date is 25th
F: Date is 25th
G: Date is 29th
H: Date is 29th
I: Date is 29th

the registry keys the worm uses are altered the components belonging to the worm is deleted. These worms will also install an IRC script which can be used to gain control over the infected system.




"A" variant detected from 3 Sep 2002. Variants B-AG detected with def files released after 7 Nov 2002.

Last Updated: 12 Nov 2015 11:06:15