Alias: I-Worm.Roron.50.a, W32/oror, W32.HLLW.Oror@m
Type: Worm
Size: 106,496 Bytes
Origin:
Date: 00-00-0000
Damage: Spreading by email and shared networks.
VDF Version: 6.23.00.00
Danger: Medium
Distribution: High

Distribution
The worm is sent to all email addresses found in the Inbox. The email contains:

Subject:
Zdrasti..
Ohoo!!
Pisamce
TinKi WinKy!!
HeY :)
HeY..
aBcDeFgHiJkLmNoPqRsT..
Miracle
Don't cry
Liubofta e kato Rai, no moje da boli kato Ad
ZzZz :)
Vajno!!
Blondinkii:)
Hi BaBy :)
Very Important
LOVE is like HEAVEN but it can hurt like HELL.
Blondies Forever :)
Hi!!
WoWoWoWOWowo..
yoOo ;)

Body:
Hey, kak
, ujas mi e toplo daji smqtam ei sq da si farlq edin dush che ne sa disha :) Skoro shti pratq onva det obeshtah, za sq mojesh da hvarlish edno oko na %s

Yoo, kak e havata, v momenta se 4ustvam mnoo qko i reshih da pisha na priqtelite :) nabarah edin mnoo zdrav site, %s - Cool a? Aide chakam otgovor :)

Neska mi se slu4iha kup neshta :) Oshte ot sutrinta adski mi varvi, shte vzema da pusna edin fish ~~P V takova dobro nastroenie sam 4e reshih da vi pisha. Pri teb kak e, Neshto novo ima li? Osven vsi4ko ti pratih i iznenadka, sled kato q instalirash si vij shti sa poqvi mnoo qka madama v Tray-a :) I naposledak poshtata mi stoi tajno prazna tai che ... :)) Doskoro

Zdrasti, trqq da proveda edin razgovor s dosta hora, ama shi vidim koga sha stane tova, naistina imam da kazvam mnogo neshta .. Ako imash i ti neshto da mi kazvash, ne se kolebai, a napishi edno pisamce. Vqrvai v me4tite si i gledai napred :))
P.S. Pogledni attachmenta i vij dali shti dopadne :)) Kefi li te? Az mnoo mu sa radvah ;)) Bye

Tiriritam tiriram :)) zDraVeI, neshto novo?? :) Kak varvi lqtoto? Plaj, basein, kuponi :) Beshe mi skuchno i si vikam shto da ne napisha nqkoi drugo pismo :> Kakvoto i da stava da jivee lqtoto i nie pokrai nego ~~~PpPpPp. Vij iznendkata ~pP Aide i chakam..

HeY.. Buddz what'z up :) How are you? I'm fine, 10x!! My friend Nina is here and we are.. You know :) Lalala !! I've just wanted to tell you. Btw check this site - %s, it's kewl :)) Cya

Hi, Don't forget about MAL"F" :) And don't tell anybody :Ppp have you seen this site? It's very interesting!! :) %s .. Leave this away, how are you? Send me sth cool, plzz :) bye! :)

All I need is a miracle, all i need is love.. YeS. That's true i love you my friends :) If you are wondering why I am so happy - i'll tell you - I am enga.. oOps, later..Bye and uhh unzip the attachment. It's the best joke, i've ever seen. Bye, see ya :)

It won't be easy, you think it's strange, when I try to explain how i feel and I still want your love after all I have done. You won't believe me.. I had to let it happen, i had to change.. Hey, just kiddin' :) Madonna - "Don't cry" I've just wanted to .. Infact I don't know nothing i don't want to know anything :))) Do you like the funny program :) I'm waiting for the reply :>> Bye

Zdr, izpratih na vsichki edna programka, mnoo qka, btw to imeto si pokazva. Subject-a e ot tam i ima i drugi mnogo qki misli. Moje da pokaje nai-podhodqshtiq partnior v liubofta :)) Ujasno e kak liubofta moje da ubie vsichko v teb.. Za shtastie ne vinagi e taka :) Bye !!

Zdrasti, kak q karash :) az sam dobre, makar che naposledak imam malko problemi. Tvarde mnogo mi se strupa navednaj, mai i rakata mi e s4upena.. Kvo da se pravi, takav e jivota.. Vchera namerih nqkav generator na kreditni karti i mai bachka, samo edin go probvah ama stana, vij dali pri teb sha raboti i umnata :) I ne zabravqi che "Liuboftaa e po cennaa ot vsi4ko" :)) Chao ti

Ima nov opasen virus v neta! Razprostranqva se predimno po IRC i ICQ. Vnimavai da ne se zarazish, zashtoto iztriva Mp3-ki, Filmi i Dokumenti. Izpratih ti patch, koqto shte te zashtiti ot zarazqvane. Iskah da napisha po-dulgo pismo, no nqmah vreme, sorka :( Naposledak imam adski mnogo rabota nalqvo nadqsno :)) Inache kak varvi? Aide doskoro i watch out :)))
Attachment: Panda Anti-Worm.exe

Namerih edna mnoo qka programka i neznam zashto, no mi napomni za teb :)
Kakvo pravi blondinka kato rodi bliznaci? - Chudi se koi e vtoriq tatko :)
Kakva e razlikata mejdu 10 ovce i 3 blondinki? Otgovor: 7
Kak mojesh da razsmeesh blondinka v petak? - Kato i razkajesh vic vav vtornik :)
Zdrasti! kak si :) Kefqt li ta vicovete? Shegichka de :) Pratih ti q. Razkazva ti qki vicove za blondinki na 5 minuti :) Posmqh se za baq vreme napred :))) Bye, doskoro, i po chesto v chata, chao :}

Hi baby, kak e :) ko si praikash? az si slusham muzichka - ATC i Mortal Kombat Soundtrack - Varhovni sa, napravo izbuhnah :))) Drapnah si gi ot neta s taq programka - ima 200 kubriliona klasacii :) Naposledak muzikata e edno ot malkoto mi udovolstviq
P.S. Obezatelno si drapni ATC - Why oh why.mp3 :))
Chao, doskoro!!

There is a very dangerous virus circulating in the net. It's called RoRo and it's using IRC to infect computers. This virus deletes movies, music and corrupt your windows installation. To prevent from infecting, install McAfee Anti-Script 2002. It's a 30-days demo..
So, how are you? Good, Bad? I'm oK. I wanted to write you a longer letter, but i didn't have enough time.. sorry. Bye

I've just found this program, and, I don't know why... but it reminded me of you. I read this there. There are cool ideas, especially about lOvE. i like it, but let's talk about you? Are you oK? Are you in love :))) I'm waiting for the replyyy :)) bye ~pPpP

Hiya :) I've just wannted to send you these jokes
- What do blondes wear behind their ears to attract men? Their ankles!!
- Why did god invent the female orgasm? So blondes know when to stop screwing!!
- What's the difference between a blonde and aeroplane? Not everyone's been in a aeroplane!
- What is a blond with hair black colored? Artificial intelligence!

Hi baby :)) Whatz Uppp :)) I'm feelin extra power cause i got high in the sky :) sMiLe :oP~pPPPpp Where are you? What are you doing? I send you a c00l flAsh :) See you soon :)) Bye Bye

Hi again.. You can't guess what i've found.. Finally i've found a working Credit Card generator!! I'm the richest man in the net :)) Don't tell or send it to anybody! How are you? What're you doing?
Bye..

oOo :)) What a nice day, what a nice time :) What a nice world :)) Do you have any ATC's mp3z? eXtreemly cool :) I've found them with this program, it's like Napster, but it's legal :))
P.S. Download ATC - Why oh why.mp3 !!! Bye ~~~~ppPpP ;)

Attachment:
Magic.exe
Love.exe
Zodiak.exe
mTV.exe
Faith.exe
Kama Sutra.exe
Fun.exe
Smile.exe
Pamela.exe
Candy.exe
Love Zodiak.exe
TNT!CC gEN.exe
Panda Anti-Worm.exe
Blondies.exe
mTV Charts.exe
Setup.exe
Love Zodiak.exe
Blondies.exe
Osama Your Mamma.exe
Sorry.exe
mTV Charts.exe
Love Zodiak.exe
[TNT]!CC geN.exe

The worm can copy itself to shared networks and mapped drives, using the following file names:
Kama Sutra.exe
GiRlZ FoReVeR (Wow).exe
Nikita v1.1 (Zip).exe
Pamela Anderson (Porno Installation).exe
Britney Spears Naked.exe
Teen Sex Cam.exe
Kurnikova Screensaver (6+).exe
CrEdIt CaRdZ gEn.exe
SeX.eXe
Faith.exe

The worm also spreads by mIRC.

Technical Details
When activated, Worm/Roron.50 displays a false WinZip error message.
It copies itself as C:\%WinDIR%\Rundll16.exe and creates the autostart registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"LoadCurrentProfile" = "Rundll16.exe powprof.dll,LoadCurrentUserProfile"

The worm chooses a file name from the C:\%system%\ directory and copies itself as one of the following:
C:\%SystemDIR%\.exe
C:\%SystemDIR%\.exe
C:\%SystemDIR%\.exe
For example, if the worm finds a file named C:\Windows\System\Netapi.exe, it may copy itself as C:\Windows\System\Netapi16.exe.
The worm chooses a subfolder of C:\%ProgramFiles%\ and copies itself into it, using the subfolder's name followed by "2k", "16" or "32" as the new file name.
It registers the copy under:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
For example, if the worm finds the subfolder C:\Program Files\Internet Explorer, it copies itself as C:\Program Files\Internet Explorer\Internet Explorer2k.exe and registers:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Internet Explorer" = "C:\Program Files\Internet explorer\Internet Explorer2K.exe"
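The naming scheme above can be turned into a triage check over an exported file inventory and the values of the Run key. The following is an added example, not part of the original description: the function names and the sample inventory are constructed for illustration, and it assumes every dropped copy keeps the 106,496-byte size listed in the header.

```python
import ntpath

WORM_SIZE = 106_496            # "Size" field; assumes each copy keeps this size
SUFFIXES = ("2k", "16", "32")  # appended to a borrowed file or folder name
FIXED_NAME = "rundll16"        # fixed copy placed in the Windows directory

def _stem(path):  # lower-cased file name without extension, Windows path rules
    return ntpath.splitext(ntpath.basename(path))[0].lower()

def _borrowed_name(stem, folder, siblings):
    """True if stem is the folder's name or a sibling file's name plus a suffix."""
    for suffix in SUFFIXES:
        base = stem[:-len(suffix)]
        if stem.endswith(suffix) and base and (
                base == ntpath.basename(folder) or base in siblings):
            return True
    return False

def suspicious_copies(files):
    """files: {path: size in bytes}. Return paths matching the naming scheme."""
    stems_by_dir = {}
    for path in files:
        stems_by_dir.setdefault(ntpath.dirname(path).lower(), set()).add(_stem(path))
    hits = []
    for path, size in files.items():
        folder, stem = ntpath.dirname(path).lower(), _stem(path)
        if size == WORM_SIZE and path.lower().endswith(".exe") and (
                stem == FIXED_NAME or _borrowed_name(stem, folder, stems_by_dir[folder])):
            hits.append(path)
    return sorted(hits)

def suspicious_run_values(run_values, hits):
    """run_values: {value name: command line}. Flag values that launch a hit."""
    names = {ntpath.basename(h).lower() for h in hits}
    return sorted(v for v, cmd in run_values.items()
                  if any(n in cmd.lower() for n in names))

# Constructed sample inventory; paths follow the description's own examples.
FILES = {
    r"C:\Windows\Rundll16.exe": 106496,
    r"C:\Windows\System\Netapi.exe": 12288,
    r"C:\Windows\System\Netapi16.exe": 106496,
    r"C:\Program Files\Internet Explorer\Internet Explorer2k.exe": 106496,
    r"C:\Tools\Setup32.exe": 106496,   # benign: no "Setup" sibling or folder
}
RUN = {
    "LoadCurrentProfile": "Rundll16.exe powprof.dll,LoadCurrentUserProfile",
    "Internet Explorer": r"C:\Program Files\Internet explorer\Internet Explorer2K.exe",
    "SystemTray": "SysTray.Exe",
}
```

Requiring both the size and the borrowed-name pattern keeps legitimate files such as Rundll32.exe or an unrelated Setup32.exe from being flagged on name alone.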

The worm may create the following files:
C:\%WinDIR%\Winfile.dll
C:\~msdos.---
C:\%WinDIR%\Def12x.dll
C:\%WinDIR%\Rn3a.vxd

It closes all windows that contain the following strings in their names:
black
panda
shield
scan
mcafee
labs
zone
alarm
agent
avp
msie
navap
mstask
webcheck
iomon
nai_vs_stat
virus

The worm looks for directories and subfolders containing the strings below and deletes all the files in them:
labs and zone
kaspers
mcafee
panda
avp
pc
cillin
black and ice
norton and virus
Description inserted by Crony Walker on Tuesday, June 15, 2004
