Worm:Win32/Rorpian.E

Worm:Win32/Rorpian.E is a worm that spreads via network shares and by exploiting the Domain Name System (DNS) Server Service vulnerability.  It also downloads additional malware on the computer.

Installation

Upon execution, Worm:Win32/Rorpian.E copies itself to the %TEMP% folder using a file name in the format “srv<random number>.tmp”, where <random number> is a hex representation of the process ID (PID) of the worm's executable process. For example:

• %TEMP%\srv8E0.tmp

It also creates a text file in the %TEMP% folder using the format "srv<random number>.ini". For example:

• %TEMP%\srv8E0.ini

The worm then creates the following registry entry so that “svr<random number>.tmp” is installed on the system as a service using the name “srv<random number>”:

In subkey: HKLM\system\currentcontrolset\services\srv<random number>\parameters
Sets value: “servicedll”
With data: "\\?\globalroot\device\harddiskvolume1\%TEMP%\srv<random number>.tmp"

The worm creates the following entries so that the installed service is loaded by the Windows process “svchost.exe” at each Windows start.

In subkey: HKLM\software\microsoft\windows nt\currentversion\svchost
Sets value: "netsvcs"
With data: "srv<random number>"

In subkey: HKLM\system\currentcontrolset\services\srv<random number>
Sets value: "imagepath"
With data: "%systemroot%\system32\svchost.exe -k netsvcs"

Worm:Win32/Rorpian.E creates the following entry so that the installed service is loaded each time Windows is started in safe mode:

In subkey: HKLM\system\currentcontrolset\control\safeboot\minimal\srv<random number>
Sets value: “(default)”
With data: “service”

Spreads via...

Network shares

Worm:Win32/Rorpian.E spreads by enumerating all network shares; copying itself to the share, along with a number of other files. It also creates an autorun.inf file that launches the worm executable when the share is accessed, as well as a shortcut (.LNK) file which exploits the vulnerability described in Microsoft Security Bulletin MS10-046.

The files it creates in discovered shares are listed below:

• setup<affid>.fon (for example, “setup50018.fon”) – copy of the worm
• setup<affid>.lnk (for example, “setup50018.lnk”) – detected as Exploit:Win32/CplLnk.A
• myporno.avi.lnk  - shortcut to “setup<random number>.fon” - detected as Worm:Win32/Rorpian.E!lnk
• pornmovs.lnk - shortcut to “setup<random number>.fon” - detected as Worm:Win32/Rorpian.E!lnk
• autorun.inf – detected as Worm:Win32/Rorpian.E!inf

Note: <affid> is a unique number stored in the malware's executable file.

Via exploits

Worm:Win32/Rorpian.E is also capable of spreading by exploiting a vulnerability in the Domain Name System (DNS) Server Service. The worm does a network scan in order to search for exploitable computers, copying itself to the computer if it is vulnerable. More information about this vulnerability can be found here: Microsoft Security Bulletin MS07-029.

Payload

Downloads and Executes arbitrary files

Worm:Win32/Rorpian.E is capable of downloading and executing additional malware onto the compromised computer. It contacts a particular IP address and downloads files to the %Windows%\temp folder.

The worm may contact a number of URLs that follow a format shown below:

• hxxp://<domain>//dll
• hxxp://<domain>//srv
• hxxp://<domain>/service/listener.php?affid=<affid>
• hxxp://<domain>/service/scripts/files/aff_<affid>.dll
• hxxp://<domain>/log.php?data=<data>&version=13

At the time of writing, Worm:Win32/Rorpian.E was observed to download Trojan:Win32/Alureon.DX and Rogue:Win32/FakeRean onto the computer.

Analysis by Amir Fouda