Threat behavior
Worm:Win32/Rorpian.B is a worm that spreads via network shares and downloads additional malware onto the affected computer.
Installation
Upon execution, Worm:Win32/Rorpian.B copies itself to the %TEMP% folder using a file name in the format "srv<random number>.tmp", for example:
It also creates a text file in the %TEMP% folder with a name in the format "srv<random number>.ini", for example:
The worm then registers its copy as a Windows service hosted by svchost.exe in the "netsvcs" service group, and adds a SafeBoot entry so that the service is also started in Safe Mode. It creates the following registry entries so its copy is executed at each Windows start:
In subkey: HKLM\system\currentcontrolset\services\srv<random number>\parameters
Sets value: "servicedll"
With data: "\\?\globalroot\device\harddiskvolume1\%TEMP%\srv<random number>.tmp"
In subkey: HKLM\software\microsoft\windows nt\currentversion\svchost
Sets value: "netsvcs"
With data: "srv<random number>"
In subkey: HKLM\system\currentcontrolset\services\srv<random number>
Sets value: "imagepath"
With data: "%systemroot%\system32\svchost.exe -k netsvcs"
In subkey: HKLM\system\currentcontrolset\control\safeboot\minimal\srv<random number>
Sets value: "default"
With data: "service"
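The four registry entries above form a recognisable pattern: a service named srv<random number> that is a member of the svchost "netsvcs" group, whose ServiceDll points at a file under a temp folder through a \\?\globalroot device path, with a matching SafeBoot\Minimal entry. The following triage script is an added example and is not part of the original analysis. It parses text in the format produced by `reg query <key> /s` and flags netsvcs members that match the pattern, so it can be run offline against output collected from a suspect host. The embedded sample output is constructed for this example; the service name srv50045 and the Windows\Temp path are placeholders for the worm's srv<random number> name and %TEMP% location, and BITS is included as a legitimate netsvcs member for contrast.

```python
import re
from typing import Dict, List

# Constructed sample of `reg query <key> /s` output; not taken from the original
# page. srv50045 stands in for the worm's srv<random number> service name, and the
# ServiceDll path stands in for the \\?\globalroot\...\srv<random number>.tmp path
# the analysis describes. BITS is a legitimate netsvcs member for contrast.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
    netsvcs    REG_MULTI_SZ    AeLookupSvc\0BITS\0srv50045

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\qmgr.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srv50045
    ImagePath    REG_EXPAND_SZ    %systemroot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srv50045\Parameters
    ServiceDll    REG_EXPAND_SZ    \\?\globalroot\device\harddiskvolume1\Windows\Temp\srv50045.tmp

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv50045
    (Default)    REG_SZ    Service
"""

HKLM = "hkey_local_machine\\"
SVCHOST_KEY = HKLM + "software\\microsoft\\windows nt\\currentversion\\svchost"
SERVICES_KEY = HKLM + "system\\currentcontrolset\\services\\"
SAFEBOOT_KEY = HKLM + "system\\currentcontrolset\\control\\safeboot\\minimal\\"
WORM_SERVICE_NAME = re.compile(r"^srv\d+$", re.IGNORECASE)


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `reg query` text into {key path (lower-case): {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line = a key path
            current = line.strip().lower()
            keys[current] = {}
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)  # name, type, data
        if current is None or len(parts) < 2:
            continue
        keys[current][parts[0].lower()] = parts[2] if len(parts) == 3 else ""
    return keys


def find_rorpian_persistence(reg: Dict[str, Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag netsvcs members that look like the worm's service registration."""
    findings = []
    netsvcs = reg.get(SVCHOST_KEY, {}).get("netsvcs", "")
    for svc in filter(None, netsvcs.split("\\0")):   # reg query separates REG_MULTI_SZ with \0
        svc_l = svc.lower()
        dll = reg.get(SERVICES_KEY + svc_l + "\\parameters", {}).get("servicedll", "")
        dll_l = dll.lower()
        reasons = []
        if WORM_SERVICE_NAME.match(svc):
            reasons.append("service name matches srv<random number>")
        if dll_l.startswith("\\\\?\\globalroot\\") or "\\temp\\" in dll_l:
            reasons.append(f"ServiceDll loads from a temp/globalroot path: {dll}")
        if not reasons:
            continue                                  # ordinary netsvcs member
        image = reg.get(SERVICES_KEY + svc_l, {}).get("imagepath", "")
        if "svchost.exe -k netsvcs" in image.lower():
            reasons.append("ImagePath hosts it in svchost.exe -k netsvcs")
        if SAFEBOOT_KEY + svc_l in reg:
            reasons.append("SafeBoot\\Minimal entry keeps it running in Safe Mode")
        findings.append({"service": svc, "service_dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_rorpian_persistence(parse_reg_query(SAMPLE_REG_QUERY)):
        print(hit["service"], "->", hit["service_dll"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

To use this against a real host, concatenate the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v netsvcs`, `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` and `reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal /s` into one file and pass its contents to `parse_reg_query`. The check deliberately flags any netsvcs member whose ServiceDll lives under a temp folder or a \\?\globalroot path, not only names matching srv<number>, since the name is the part of the pattern a variant is most likely to change.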
Spreads via…
Network shares
Worm:Win32/Rorpian.B spreads by enumerating all reachable network shares and copying itself to each share, along with a number of other files. It also creates an autorun.inf file that launches the worm executable when the share is accessed, as well as shortcut (.LNK) files that exploit the Windows Shell shortcut-parsing vulnerability addressed in Microsoft Security Bulletin MS10-046 (CVE-2010-2568), which allows code to run when a user merely browses the folder containing the shortcut.
The files it creates in discovered shares are listed below:
- setup<random number>.fon (for example, "setup50045.fon") – copy of the worm
- myporno.avi.lnk – shortcut to "setup<random number>.fon"
- pornmovs.lnk – shortcut to "setup<random number>.fon"
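The dropped files above give a share owner three things to look for: the worm copy itself (setup<random number>.fon), an autorun.inf that points at it, and .LNK shortcuts that reference it. The following sweep is an added example, not code from the original analysis. It walks a mounted share and reports files matching those indicators; for shortcuts it first checks the standard Windows shortcut header (HeaderSize 0x4C followed by the ShellLink CLSID) and then searches the file body for a setup<number>.fon reference in either ASCII or UTF-16LE, since shortcut target strings can appear in both encodings. The sample share it builds in a temporary directory is constructed for this example; the autorun.inf directives, the file contents and the name setup50045.fon are placeholders, not captured worm artifacts.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicators taken from the dropped-file list: setup<random number>.fon plus
# autorun.inf and .lnk files that reference it.
WORM_COPY = re.compile(r"^setup\d+\.fon$", re.IGNORECASE)
TARGET_STR = re.compile(r"setup\d+\.fon", re.IGNORECASE)
TARGET_BYTES = re.compile(rb"setup\d+\.fon", re.IGNORECASE)
# Every Windows shortcut starts with HeaderSize 0x4C and the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 (stored little-endian).
LNK_MAGIC = b"L\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")


def lnk_targets(data: bytes) -> List[str]:
    """Return setup<n>.fon strings embedded in a shortcut, ASCII or UTF-16LE."""
    found = [m.group().decode("ascii") for m in TARGET_BYTES.finditer(data)]
    for offset in (0, 1):  # UTF-16 text may begin at an odd byte offset
        text = data[offset:].decode("utf-16-le", errors="ignore")
        found.extend(TARGET_STR.findall(text))
    return sorted({f.lower() for f in found})


def sweep_share(root: str) -> List[Dict[str, str]]:
    """Walk a mounted share and report Rorpian-style drop artifacts."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if WORM_COPY.match(lower):
                findings.append({"path": str(path), "reason": "worm copy name pattern setup<n>.fon"})
            elif lower == "autorun.inf":
                for line in path.read_text(errors="ignore").splitlines():
                    key, _, value = line.partition("=")
                    if key.strip().lower() in ("open", "shellexecute") and TARGET_STR.search(value):
                        findings.append({"path": str(path), "reason": f"autorun.inf {key.strip()}={value.strip()}"})
            elif lower.endswith(".lnk"):
                data = path.read_bytes()
                if data.startswith(LNK_MAGIC):
                    targets = lnk_targets(data)
                    if targets:
                        findings.append({"path": str(path), "reason": f"shortcut referencing {', '.join(targets)}"})
    return findings


def build_sample_share(directory: str) -> None:
    """Construct a fake infected share for the demo (sample data, not a real capture)."""
    d = Path(directory)
    (d / "setup50045.fon").write_bytes(b"MZ" + b"\x00" * 64)  # stand-in for the worm copy
    # The autorun directives are assumed for the example; the page gives only the file name.
    (d / "autorun.inf").write_text("[autorun]\nopen=setup50045.fon\nshellexecute=setup50045.fon\n")
    (d / "myporno.avi.lnk").write_bytes(LNK_MAGIC + b"\x00" * 40 + "setup50045.fon".encode("utf-16-le"))
    (d / "pornmovs.lnk").write_bytes(LNK_MAGIC + b"\x00" * 20 + b".\\setup50045.fon")
    (d / "quarterly_report.docx").write_bytes(b"PK\x03\x04")  # benign bystander, must not be flagged


def demo() -> List[str]:
    """Build the sample share, sweep it, and return 'name: reason' lines."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return sorted(f"{Path(f['path']).name}: {f['reason']}" for f in sweep_share(tmp))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Point `sweep_share` at the mount point of a share (for example a UNC path mapped to a drive letter on Windows, or a CIFS mount on Linux) to scan it in place. The shortcut check is a heuristic: it confirms only that a file is a real shortcut and names the worm copy, which is enough to triage the share, but it does not parse the full Shell Link structure or verify the MS10-046 exploit condition.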
Payload
Downloads and executes arbitrary files
Worm:Win32/Rorpian.B is capable of downloading and executing additional malware onto the compromised computer. It contacts a particular IP address and downloads files to the %Windows%\temp folder.
The worm may contact a number of URLs that follow a format as shown below:
At the time of writing, variants of this worm have been observed downloading Trojan:Win32/Alureon.DX onto the affected computer.
Analysis by Amir Fouda
Prevention