Worm:Win32/Roopirs.A is a worm that copies itself to mapped network drives and assumes the icon of a Windows folder to increase its chance of user execution.
When run, the worm drops a copy of itself under the following file name:
The registry is modified to run the worm copy at each Windows start.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "winlogon.exe"
To data: "%windir%\winlogon.exe"
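The Run-key change above can be checked for directly. The following PowerShell is an added example, not part of the original analysis or any vendor tool: it looks for the listed value name and data in each loaded user hive (a generalization beyond the current user's HKCU) and reports any file at the `%windir%\winlogon.exe` path. The helper name `Find-SuspectRunValue` is hypothetical, and the script relies on the genuine winlogon.exe residing in `%windir%\System32`.

```powershell
# Added example: indicator values are the ones listed in the description above.
$runSubKey   = 'Software\Microsoft\Windows\CurrentVersion\Run'
$valueName   = 'winlogon.exe'
$droppedPath = Join-Path $env:windir 'winlogon.exe'   # genuine copy is in System32

# Hypothetical helper: returns Run values in one user hive that match the indicators.
function Find-SuspectRunValue {
    param([Parameter(Mandatory)][string]$HiveRoot)

    $key = Get-Item -LiteralPath "$HiveRoot\$runSubKey" -ErrorAction SilentlyContinue
    if ($null -eq $key) { return }   # key absent or not readable from this session

    foreach ($name in $key.GetValueNames()) {
        # Read the raw data, then expand %windir% ourselves so both forms match.
        $opt  = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
        $raw  = [string]$key.GetValue($name, '', $opt)
        $data = [Environment]::ExpandEnvironmentVariables($raw).Trim().Trim('"')

        $nameHit = $name -ieq $valueName
        $dataHit = $data.StartsWith($droppedPath, [StringComparison]::OrdinalIgnoreCase)
        if ($nameHit -or $dataHit) {
            [pscustomobject]@{ Hive = $HiveRoot; Value = $name; Data = $raw }
        }
    }
}

# HKCU is HKEY_USERS\<SID> of the current user; other users' hives need elevation.
$hives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { "Registry::$($_.Name)" }

# Emit every matching Run value across the loaded user hives.
foreach ($hive in $hives) { Find-SuspectRunValue -HiveRoot $hive }

# Any file at this path is worth examining; record metadata and a hash for triage.
if (Test-Path -LiteralPath $droppedPath -PathType Leaf) {
    $file = Get-Item -LiteralPath $droppedPath -Force
    [pscustomobject]@{
        Path       = $file.FullName
        Length     = $file.Length
        CreatedUtc = $file.CreationTimeUtc
        Attributes = $file.Attributes
        SHA256     = (Get-FileHash -LiteralPath $droppedPath -Algorithm SHA256).Hash
    }
}
```

No output means neither the Run value nor the file was found for the hives this session could read.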
Mapped network drives
The worm attempts to copy itself to mapped network drives as the following:
The worm has the following file attributes that contribute to its detected name:
Analysis by Jaime Wong
The following system changes may indicate the presence of this malware:
The presence of the following files located on mapped network drives:
Alert notifications from installed antivirus software may be the only other symptoms.