Network worm "Roron"--red alert.

Position:Virus Notes

Kaspersky Labs, reports the appearance of a new network worm named "Roron", constructed in Bulgaria. Presently six variations of the worm have already been detected and have been credited with infecting computers in many regions including the U.S.A., Russia and a slew of European countries.

Destructive functions and features include a built-in back-door intended for unsanctioned remote control of victim computers and the ability to spread via many communication channels--all of which places this worm in an especially high danger category.

`Roron' spreads using several data transfer channels: via email as an attached file, via local area networks and the KaZaA file-sharing network. Systems become infected only if a user manually launches (opens) the file containing the worm that was received via one of the aforementioned sources. When penetrating a computer, "Roron,'" creates a copy of itself in the Windows system directory and Program Files and then registers one of these files in the system registry's auto-run key. In this way the worm ensures its activation the each time the system is booted. Sometimes, when infecting, the worm displays a false warning:

WinZip Self-Extractor License Confirmation

Your version of WinZip Self-Extractor is not licensed or the license information is missing or corrupted Please contact the program vendor or the web site ( for additional information.

After the infection routine routines:is complete, `Roron' activates its spreading

* To spread via e-mail it clandestinely creates a message that may have different subjects, texts and attached file names. Then it sends this message to the recipients whose adresses it found in the InBox folder of the infected...

To continue reading

Request your trial