Worm:Win32/Rorpian is a family of worms that spreads through network shares and by exploiting vulnerabilities such as the Domain Name System (DNS) Server Service vulnerability (MS07-029). The worm usually downloads additional malware onto the affected computer.
Installation
Upon execution, Worm:Win32/Rorpian copies itself to the %TEMP% folder using a file name in the format “srv<random number>.tmp”. For example:
- %TEMP%\srv950.tmp
- %TEMP%\srv864.tmp
It also creates a text file in the %TEMP% folder with the same name as its dropped copy, but with a “.ini” extension. For example:
- %TEMP%\srv950.ini
- %TEMP%\srv864.ini
The worm then creates the following registry entries so that its copy is loaded as a svchost.exe-hosted service at each Windows start, including in Safe Mode:
In subkey: HKLM\system\currentcontrolset\services\srv\parameters
Sets value: "servicedll"
With data: "\\?\globalroot\device\harddiskvolume1\%TEMP%\srv<random number>.tmp"
In subkey: HKLM\software\microsoft\windows nt\currentversion\svchost
Sets value: "netsvcs"
With data: "srv<random number>"
In subkey: HKLM\system\currentcontrolset\services\srv<random number>
Sets value: "imagepath"
With data: "%systemroot%\system32\svchost.exe -k netsvcs"
In subkey: HKLM\system\currentcontrolset\control\safeboot\minimal\srv<random number>
Sets value: "(default)"
With data: "service"
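The persistence layout above can be triaged offline from a registry export. The following Python script is an added example, not part of the original analysis: it parses the text that reg export writes, decoding the hex(2)/hex(7) UTF-16LE encoding that REG_EXPAND_SZ and REG_MULTI_SZ values take in such exports, and flags the four traits listed: a ServiceDll under Services\srv\Parameters pointing at a .tmp file, an srv<digits> name in the svchost netsvcs group, an srv<digits> service whose ImagePath is svchost.exe -k netsvcs, and an srv<digits> key under SafeBoot\Minimal. The embedded export, the random number 950, the user name and the expanded %TEMP% path are constructed assumptions.

```python
"""Offline triage of a Windows .reg export for the Rorpian persistence layout
above.  Input is what 'reg export HKLM\\SYSTEM\\CurrentControlSet\\Services x.reg'
writes: REG_EXPAND_SZ/REG_MULTI_SZ appear as hex(2)/hex(7) UTF-16LE byte lists,
wrapped with '\\' continuation lines.  SAMPLE_REG below is constructed."""
import re

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _decode_value(raw):
    """Decode one .reg right-hand side into str, list[str], int or bytes."""
    if raw.startswith('"'):                      # REG_SZ with \\ and \" escapes
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        return raw
    kind = int(m.group(1) or 3)                  # bare 'hex:' is REG_BINARY
    data = bytes(int(h, 16) for h in m.group(2).split(",") if h)
    if kind in (1, 2, 7):                        # SZ / EXPAND_SZ / MULTI_SZ
        text = data.decode("utf-16-le", "replace")
        return [s for s in text.split("\0") if s] if kind == 7 else text.rstrip("\0")
    return data


def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: decoded value}}."""
    lines = []
    for line in text.splitlines():
        if lines and lines[-1].endswith("\\"):    # join hex continuation lines
            lines[-1] = lines[-1][:-1] + line.strip()
        else:
            lines.append(line.strip())
    keys, current = {}, None
    for line in lines:
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "(default)" if m.group(2) else m.group(1)
            keys[current][name.lower()] = _decode_value(m.group(3))
    return keys


_SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"
_SVCHOST = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\svchost"
_SAFEBOOT = "hkey_local_machine\\system\\currentcontrolset\\control\\safeboot\\minimal\\"
_SRV_NAME = re.compile(r"^srv\d+$")


def find_rorpian_indicators(keys):
    """Return (indicator, detail) pairs for the four persistence traits above."""
    hits = []
    dll = keys.get(_SERVICES + "srv\\parameters", {}).get("servicedll")
    if isinstance(dll, str) and (dll.lower().endswith(".tmp") or "\\globalroot\\" in dll.lower()):
        hits.append(("servicedll_hijack", dll))          # ServiceDll pointing into %TEMP%
    for name in keys.get(_SVCHOST, {}).get("netsvcs", []):
        if _SRV_NAME.match(name.lower()):
            hits.append(("netsvcs_member", name))       # srv<digits> added to netsvcs group
    for path, values in keys.items():
        if path.startswith(_SERVICES) and _SRV_NAME.match(path[len(_SERVICES):]):
            image = values.get("imagepath", "")
            if isinstance(image, str) and "svchost.exe" in image.lower():
                hits.append(("srv_service", path[len(_SERVICES):]))
        elif path.startswith(_SAFEBOOT) and _SRV_NAME.match(path[len(_SAFEBOOT):]):
            hits.append(("safeboot_entry", path[len(_SAFEBOOT):]))  # also starts in Safe Mode
    return hits


def _hex_sz(kind, value):
    """Encode a str (kind 2) or list of str (kind 7) the way reg.exe exports it."""
    text = "\0".join(value) + "\0\0" if kind == 7 else value + "\0"
    hexes = [f"{b:02x}" for b in text.encode("utf-16-le")]
    chunks = [",".join(hexes[i:i + 25]) for i in range(0, len(hexes), 25)]
    return f"hex({kind}):" + ",\\\n  ".join(chunks)


# Constructed export: the page's layout with <random number> = 950 and an assumed
# expanded %TEMP% for user 'bob'; BITS is a benign netsvcs neighbour for contrast.
_TMP = r"\\?\globalroot\device\harddiskvolume1\Users\bob\AppData\Local\Temp\srv950.tmp"
_SVCHOST_CMD = r"%SystemRoot%\System32\svchost.exe -k netsvcs"
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srv\Parameters]",
    '"ServiceDll"=' + _hex_sz(2, _TMP), "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]",
    '"netsvcs"=' + _hex_sz(7, ["AppMgmt", "BITS", "srv950"]), "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srv950]",
    '"ImagePath"=' + _hex_sz(2, _SVCHOST_CMD), '"Start"=dword:00000002', "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]",
    '"ImagePath"=' + _hex_sz(2, _SVCHOST_CMD), "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv950]",
    '@="Service"', "",
])

if __name__ == "__main__":
    for indicator, detail in find_rorpian_indicators(parse_reg(SAMPLE_REG)):
        print(f"{indicator:18} {detail}")
```

To use it on a suspect host, export HKLM\SYSTEM\CurrentControlSet and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost with reg export, concatenate the files and pass the text to parse_reg; the parser keys on full paths, so the order of the exports does not matter. Any one trait is worth a look, but a service DLL living under a user's temp directory is the strongest single signal, since no legitimate service is installed that way.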
Spreads via...
Network shares
Worm:Win32/Rorpian spreads by enumerating all network shares and copying itself, along with a number of other files, to each share it finds. It also creates an autorun.inf file that launches the worm executable when the share is accessed, as well as a shortcut (.LNK) file that exploits the shortcut icon-loading vulnerability described in Microsoft Security Bulletin MS10-046, so that merely browsing the share in Windows Explorer can run the worm's code.
The files it creates in discovered shares are listed below:
Via exploits
Some variants of Worm:Win32/Rorpian can also spread by exploiting a vulnerability in the RPC interface of the Windows Domain Name System (DNS) Server Service. The worm scans the network for hosts exposing the vulnerable service and copies itself to those that are unpatched. More information about this vulnerability can be found in Microsoft Security Bulletin MS07-029.
Payload
Downloads and executes arbitrary files
Worm:Win32/Rorpian is also capable of downloading and executing additional malware on the compromised computer. It contacts a particular IP address and downloads files to the %Windows%\temp folder using file names such as “e.tmp”, “f.tmp” and “10.tmp”. It may contact a number of URLs of the following forms:
- hxxp://<domain>//srv
- hxxp://<domain>/service/listerner.php?affid=<number>
- hxxp://<domain>//dll
- hxxp://<domain>/service/scripts/files/aff_<number>.dll
- hxxp://<domain>/soft/installer_m_<number>.exe
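Because the paths above stay fixed while <domain> changes, the path-and-query shape is the durable thing to alert on. The script below is an added example, not part of the original analysis: it classifies URLs from a squid-style proxy access log against those shapes and extracts the affiliate number where one appears. The log lines, hostnames, client addresses and affiliate numbers are constructed. Note that the first and third URL forms carry a double slash (//srv, //dll), so a plain /dll path is deliberately not matched.

```python
"""Match proxy-log URLs against the Rorpian download URL shapes listed above.
The <domain> part is deliberately ignored; only path and query are matched, so
the rule survives C2 domain rotation.  SAMPLE_LOG is constructed, not a capture."""
import re
from urllib.parse import urlsplit, parse_qs

# Path shapes from the description; '<number>' becomes a captured digit run.
# 'listerner' is spelled as on the page (and so, presumably, in the malware).
RORPIAN_PATHS = {
    "srv_download":     re.compile(r"^//srv$"),
    "dll_download":     re.compile(r"^//dll$"),
    "listener_checkin": re.compile(r"^/service/listerner\.php$"),
    "affiliate_dll":    re.compile(r"^/service/scripts/files/aff_(\d+)\.dll$"),
    "installer":        re.compile(r"^/soft/installer_m_(\d+)\.exe$"),
}


def classify_url(url):
    """Return (pattern_name, affiliate_id_or_None) if url matches, else None."""
    parts = urlsplit(url)
    for name, rx in RORPIAN_PATHS.items():
        m = rx.match(parts.path)
        if not m:
            continue
        if name == "listener_checkin":
            # The check-in form carries the affiliate id in the query string.
            affid = parse_qs(parts.query).get("affid", [None])[0]
            if affid is None or not affid.isdigit():
                return None
            return name, affid
        return name, (m.group(1) if m.groups() else None)
    return None


# Constructed squid-style access log:
# time elapsed client code/status bytes method url hierarchy type
SAMPLE_LOG = """\
1300000000.101 45 10.0.0.5 TCP_MISS/200 24576 GET http://bad.example//srv - DIRECT/203.0.113.9 application/octet-stream
1300000000.210 12 10.0.0.5 TCP_MISS/200 310 GET http://bad.example/service/listerner.php?affid=4711 - DIRECT/203.0.113.9 text/html
1300000000.305 30 10.0.0.5 TCP_MISS/200 98304 GET http://bad.example/service/scripts/files/aff_4711.dll - DIRECT/203.0.113.9 application/octet-stream
1300000000.400 9 10.0.0.7 TCP_MISS/200 1200 GET http://www.example.org/soft/readme.txt - DIRECT/198.51.100.4 text/plain
1300000000.512 41 10.0.0.5 TCP_MISS/200 512000 GET http://other.example/soft/installer_m_3.exe - DIRECT/203.0.113.10 application/x-msdownload
1300000000.600 8 10.0.0.7 TCP_MISS/200 2048 GET http://www.example.org/dll - DIRECT/198.51.100.4 text/html
"""


def scan_proxy_log(lines, url_field=6, client_field=2):
    """Return one hit dict per line whose URL matches a Rorpian URL shape."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) <= url_field:
            continue
        found = classify_url(fields[url_field])
        if found:
            name, affid = found
            hits.append({"line": lineno, "client": fields[client_field],
                         "url": fields[url_field], "pattern": name, "affid": affid})
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"line {h['line']}: {h['client']} {h['pattern']} affid={h['affid']} {h['url']}")
```

The field offsets default to squid's native access log; adjust url_field and client_field for other proxies. Grouping hits by client gives the infected hosts, and the affiliate id recovered from listerner.php and aff_<number>.dll lets you tie several hosts to the same distribution campaign.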
At the time of writing, variants of this worm have been observed downloading Win32/Alureon onto the affected computer. Later variants have also been observed downloading and installing Rogue:Win32/FakeRean.
Analysis by Amir Fouda