Virus Database


I-Worm.Ronoper.a

Description I-Worm.Ronoper.a
Ronoper is a worm virus spreading via the Internet as an attachment to infected emails. The worm has a primitive backdoor routine and is able to download and install other trojan files.
The worm itself is a Windows PE EXE file about 16KB in length when compressed by UPX; the decompressed size is approx. 50KB. It is written in Delphi.
Infected messages have the following attributes:
Subject: Re:
Body: I Hope you reply me. Thank you very much for reading my msg Bye.
Attach: WinCfg32.exe
The worm is activated from infected emails only when a user clicks on the attached file. Once run, the worm installs itself to the system and runs its spreading routine and backdoor.
Installing
During installation the worm copies itself to the Windows directory under the name "WinCfg32.exe" and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WinCfg32 = %WinDir%\WinCfg32.exe
Spreading Backdoor
The backdoor routine connects to a machine (located somewhere in Turkey) and listens for its "master's" instructions. Such instructions can include commands to:

- report system information
- reboot the machine
- join the "ronop" IRC channel

Other
The 'Ronoper' worm downloads an EXE file from the http://www.kamerali.com site, stores it in the TEMP directory under the name "security.exe" and executes it.
By doing this, the worm is able to install trojan programs onto infected machines.


Andreew.805

Description Andreew.805

This is a dangerous memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of COM and EXE files that are accessed. Depending on the system time, it displays a message in Russian in August and later corrupts the boot sector of the C: disk.

Andrew

Description Andrew

It is a very dangerous memory resident boot virus. It hooks INT 13h and writes itself to the MBR of the hard drive and boot sectors of the floppy disks. While installing into the system memory, depending on the system timer, the virus formats the disk sectors. It contains bugs and in some cases halts the system. The virus contains the internal text strings:
ANDREW
Fuck'em Off


    Copyright © 2005 Virus-Database.com