Virus:WORM/Roron.50.A
Date discovered:10/07/2003
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low
VDF version:6.20.00.35 - Thursday, July 10, 2003
IVDF version:6.20.00.35 - Thursday, July 10, 2003

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  McAfee: W32/Oror.gen@MM virus
   •  Kaspersky: Email-Worm.Win32.Roron.50.a
   •  F-Secure: Email-Worm.Win32.Roron.50.a
   •  Sophos: W32/Oror-M
   •  Bitdefender: Win32.Roron.A@mm
   •  AVG: Worm/Opanki.AJ
   •  Panda: W32/Oror.Q
   •  Grisoft: I-Worm/Roron
   •  ESET: Win32/Roron.50.B worm
   •  Fortinet: suspicious
   •  Norman: Oror.AG


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Drops malicious files
   • Registry modification

Files
The following files are created:

Non-malicious files:
   • %SYSDIR%\Syscnav_.def
   • %SYSDIR%\vancRun.vxd
   • %WINDIR%\cnav98.sys
   • %WINDIR%\Faith.ini

– Temporary files that might be deleted afterwards:
   • %temp%\OAG3.tmp
   • %temp%\OAG4.tmp
   • %temp%\OAG5.tmp

Malicious files (each one is executed as soon as it has been fully written to disk; further analysis confirmed that these files are malware as well):
   • %WINDIR%\Cmdcnav32.exe
   • %PROGRAM FILES%\Common Files\Common16.exe
   • %SYSDIR%\$winnt$.exe

Registry
The following values are added under these registry keys so that the dropped processes are started again after a reboot:

  [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   • "run"="%SYSDIR%\$winnt$.exe"

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Common StartUp"="%PROGRAM FILES%\Common Files\Common16.exe"
   • "LoadSystem"="Cmdcnav32.exe powrprof.dll,LoadCurrentPwrScheme"



The following registry keys are modified so that Cmdcnav32.exe is invoked every time any .exe file is launched (the default data of these keys on a clean system is "%1" %*; HKCR\exefile is the merged view of HKLM\SOFTWARE\Classes\exefile, so both locations show the same change). Because every program launch is routed through the dropper, the original value must be restored before Cmdcnav32.exe is deleted; otherwise no .exe will start until the association is repaired:

[HKLM\SOFTWARE\Classes\exefile\shell\open\command]
   • "(Default)"="Cmdcnav32.exe "%1" %*"

[HKCR\exefile\shell\open\command]
   • "(Default)"="Cmdcnav32.exe "%1" %*"
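The following PowerShell script is an added example for practitioners; it is not part of the Avira description and not code from the worm. It audits a host for the files, autostart values and EXE-association change listed above, hashes any dropped file it finds, and with -Restore puts the exefile command back to "%1" %* before anything is deleted. It assumes the paths and value names are exactly as listed on this page, that no legitimate software uses those names, and that it is run from an elevated PowerShell session.

```powershell
<#
  Added example, not part of the Avira description: audits a host for the
  Roron.50.A artifacts listed above and, with -Restore, repairs the EXE
  file association. Assumes paths/value names exactly as listed on the page;
  run from an elevated PowerShell session.
#>
[CmdletBinding()]
param([switch]$Restore)

$sys = [Environment]::GetFolderPath('System')        # %SYSDIR%
$win = [Environment]::GetFolderPath('Windows')       # %WINDIR%
$pf  = [Environment]::GetFolderPath('ProgramFiles')  # %PROGRAM FILES%

# Dropped files from the description (malicious droppers and their companions).
$files = @(
    (Join-Path $win 'Cmdcnav32.exe'),
    (Join-Path $pf  'Common Files\Common16.exe'),
    (Join-Path $sys '$winnt$.exe'),
    (Join-Path $sys 'Syscnav_.def'),
    (Join-Path $sys 'vancRun.vxd'),
    (Join-Path $win 'cnav98.sys'),
    (Join-Path $win 'Faith.ini')
)

# Autostart values. Data is matched with a regex because the dropper writes a
# bare file name in one value and full paths in the others.
$runValues = @(
    @{ Key='HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Name='run';            Pattern='\$winnt\$\.exe' },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';      Name='LoadSystem';     Pattern='Cmdcnav32\.exe' },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';      Name='Common StartUp'; Pattern='Common16\.exe' }
)

# EXE association keys. HKCR\exefile is the merged view of HKLM\SOFTWARE\Classes
# (plus HKCU\Software\Classes), so both are checked; the clean default is "%1" %*.
$exeKeys = @(
    'HKLM:\SOFTWARE\Classes\exefile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
)
$cleanExeCommand = '"%1" %*'

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings += "FILE     $f  sha256=$hash"
    }
}

foreach ($rv in $runValues) {
    $data = (Get-ItemProperty -Path $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue).($rv.Name)
    if ($data -and $data -match $rv.Pattern) {
        $findings += "AUTORUN  $($rv.Key)\$($rv.Name) = $data"
    }
}

$exeHijacked = $false
foreach ($k in $exeKeys) {
    $item = Get-Item -Path $k -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $cmd = $item.GetValue('')            # '' addresses the (Default) value
    if ($cmd -and $cmd -ne $cleanExeCommand) {
        $exeHijacked = $true
        $findings += "EXEASSOC $k = $cmd"
        if ($Restore) {
            # Restore the association BEFORE any file is deleted; otherwise every
            # .exe launch fails as soon as Cmdcnav32.exe is gone.
            Set-ItemProperty -Path $k -Name '(default)' -Value $cleanExeCommand
            $findings += "RESTORED $k = $cleanExeCommand"
        }
    }
}

# Running instances of the dropped executables (process names, no extension).
foreach ($p in Get-Process -Name 'Cmdcnav32','Common16','$winnt$' -ErrorAction SilentlyContinue) {
    $findings += "PROCESS  $($p.ProcessName) pid=$($p.Id)"
}

if ($findings.Count -eq 0) { 'No Roron.50.A artifacts found.' } else { $findings }
if ($exeHijacked -and -not $Restore) {
    Write-Warning 'exefile association points at the dropper; re-run with -Restore before deleting Cmdcnav32.exe.'
}
```

Run it once without -Restore to collect hashes and a record of the modified values for the incident file, then with -Restore; only after the association reads "%1" %* again should the processes be killed and the dropped files removed. The Run-key values can be cleared with Remove-ItemProperty once the files are gone.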

Description inserted by Wensin Lee on Tuesday, March 5, 2013
Description updated by Wensin Lee on Tuesday, March 5, 2013
