Worm:Win32/Rorpian.E is a worm that spreads via network shares and by exploiting the Domain Name System (DNS) Server Service vulnerability. It also downloads additional malware on the computer.
Installation
Upon execution, Worm:Win32/Rorpian.E copies itself to the %TEMP% folder using a file name in the format “srv<random number>.tmp”, where <random number> is a hex representation of the process ID (PID) of the worm's executable process. For example:
It also creates a text file in the %TEMP% folder using the format "srv<random number>.ini". For example:
The worm then creates the following registry entry so that "srv<random number>.tmp" is installed on the system as a service DLL under the service name "srv<random number>":
In subkey: HKLM\system\currentcontrolset\services\srv<random number>\parameters
Sets value: “servicedll”
With data: "\\?\globalroot\device\harddiskvolume1\%TEMP%\srv<random number>.tmp"
The worm creates the following entries so that the installed service is loaded by the Windows process "svchost.exe" at each Windows start. The "netsvcs" value is a REG_MULTI_SZ list of the service names that the "svchost.exe -k netsvcs" instance hosts; the worm adds its own service name to that list:
In subkey: HKLM\software\microsoft\windows nt\currentversion\svchost
Sets value: "netsvcs"
With data: "srv<random number>"
In subkey: HKLM\system\currentcontrolset\services\srv<random number>
Sets value: "imagepath"
With data: "%systemroot%\system32\svchost.exe -k netsvcs"
Worm:Win32/Rorpian.E creates the following entry so that the installed service is loaded each time Windows is started in safe mode:
In subkey: HKLM\system\currentcontrolset\control\safeboot\minimal\srv<random number>
Sets value: “(default)”
With data: “service”
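The installation steps above (a ServiceDll in %TEMP%, membership in the netsvcs group, and a SafeBoot\Minimal key) are all checkable on a live host. The following triage script is an added example written for this page, not code from the original Microsoft write-up. It assumes an elevated PowerShell prompt, takes the "srv" prefix and hex-PID naming from the description, and, because the description does not say which user's %TEMP% the service used, checks both the caller's %TEMP% and %SystemRoot%\Temp.

```powershell
# Added triage script (not part of the original Microsoft write-up).
# Looks for the Worm:Win32/Rorpian.E service persistence described above:
#   - a service whose Parameters\ServiceDll points at ...\Temp\srv<hex>.tmp
#     (written by the worm as a \\?\globalroot\device\... path),
#   - a srv<hex> name added to the netsvcs svchost group,
#   - a matching SafeBoot\Minimal key, and
#   - srv<hex>.tmp / srv<hex>.ini files in temp directories.
# Assumptions: run elevated; "srv" prefix and hex PID naming come from the
# description; the temp directory the service used is unknown, so both
# the caller's %TEMP% and %SystemRoot%\Temp are examined.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$safeBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
$namePattern = '^srv[0-9a-f]+$'                 # srv<hex PID>
$dllPattern  = '\\temp\\srv[0-9a-f]+\.tmp$'      # ...\Temp\srv<hex>.tmp
$devicePath  = '^\\\\\?\\globalroot\\device\\'   # \\?\globalroot\device\...

$findings   = New-Object System.Collections.Generic.List[object]
$suspicious = New-Object System.Collections.Generic.HashSet[string]
function Add-Finding($check, $name, $data) {
    $findings.Add([pscustomobject]@{ Check = $check; Name = $name; Data = $data })
}

# 1. Every service with a Parameters\ServiceDll: flag Rorpian-style paths.
foreach ($svc in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $name   = $svc.PSChildName
    $params = Get-ItemProperty -LiteralPath "$servicesKey\$name\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue
    if (-not $params) { continue }
    $dll = [string]$params.ServiceDll
    if ($dll -match $dllPattern -or $dll -match $devicePath -or $name -match $namePattern) {
        [void]$suspicious.Add($name)
        Add-Finding 'ServiceDll' $name $dll
    }
}

# 2. netsvcs is a REG_MULTI_SZ list of the service names hosted by
#    "svchost.exe -k netsvcs"; the worm appends its own name to it.
$netsvcs = (Get-ItemProperty -LiteralPath $svchostKey -Name netsvcs -ErrorAction SilentlyContinue).netsvcs
foreach ($entry in @($netsvcs)) {
    if ($entry -match $namePattern -or $suspicious.Contains([string]$entry)) {
        Add-Finding 'netsvcs member' $entry 'listed in svchost netsvcs group'
    }
}

# 3. A SafeBoot\Minimal key keeps the service loading in safe mode.
foreach ($key in Get-ChildItem $safeBootKey -ErrorAction SilentlyContinue) {
    if ($key.PSChildName -match $namePattern -or $suspicious.Contains($key.PSChildName)) {
        $default = (Get-ItemProperty -LiteralPath $key.PSPath).'(default)'
        Add-Finding 'SafeBoot\Minimal' $key.PSChildName $default
    }
}

# 4. Dropped files: srv<hex>.tmp and its srv<hex>.ini companion.
foreach ($dir in @($env:TEMP, "$env:SystemRoot\Temp") | Select-Object -Unique) {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^srv[0-9a-f]+\.(tmp|ini)$' } |
        ForEach-Object { Add-Finding 'Temp file' $_.Name $_.FullName }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Rorpian.E persistence indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the ServiceDll check is the one to act on first: a DLL hosted by svchost.exe from a Temp directory, or referenced through a \\?\globalroot\device\ path, has no legitimate reason to exist, and the same check catches other svchost-hosted persistence that does not use the "srv" naming. The name-based checks are narrower and can miss a variant that picks a different prefix, so treat a clean result from them as weak evidence only, and confirm any hit by hashing the referenced file before removing the service.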
Spreads via...
Network shares
Worm:Win32/Rorpian.E spreads by enumerating all network shares and copying itself to each share, along with a number of other files. It also creates an autorun.inf file that launches the worm executable when the share is accessed, and a shortcut (.LNK) file that exploits the Windows Shell shortcut-icon vulnerability described in Microsoft Security Bulletin MS10-046 (CVE-2010-2568), which runs code as soon as Windows Explorer renders the shortcut's icon, without the user opening the file.
The files it creates in discovered shares are listed below:
Note: <affid> is a unique number stored in the malware's executable file.
Via exploits
Worm:Win32/Rorpian.E is also capable of spreading by exploiting a vulnerability in the RPC management interface of the Domain Name System (DNS) Server Service (CVE-2007-1748). The worm scans the network for hosts running a vulnerable DNS Server service and copies itself to each one it can exploit; only systems running the DNS Server role are exposed, so this vector targets servers rather than workstations. More information about this vulnerability can be found here: Microsoft Security Bulletin MS07-029.
Payload
Downloads and executes arbitrary files
Worm:Win32/Rorpian.E is capable of downloading and executing additional malware onto the compromised computer. It contacts a particular IP address and downloads files to the %Windows%\temp folder.
The worm may contact a number of URLs that follow the formats shown below (note the double slash after the domain in the first two):
- hxxp://<domain>//dll
- hxxp://<domain>//srv
- hxxp://<domain>/service/listener.php?affid=<affid>
- hxxp://<domain>/service/scripts/files/aff_<affid>.dll
- hxxp://<domain>/log.php?data=<data>&version=13
At the time of writing, Worm:Win32/Rorpian.E was observed to download Trojan:Win32/Alureon.DX and Rogue:Win32/FakeRean onto the computer.
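The URL formats above are specific enough to hunt for in web-proxy logs. The script below is an added example written for this page, not part of the original analysis. It assumes a simple whitespace-separated log line (timestamp, client IP, URL); the sample lines and the host name example.invalid are constructed for illustration and are not observed infrastructure. The description calls <affid> a number, but the patterns accept any word characters so that a hex or alphanumeric affiliate ID would still match.

```powershell
# Added detection example (not from the original write-up): match the
# Rorpian.E download and check-in URL shapes against proxy-log lines.
# Log format (timestamp, client IP, URL) and every host name below are
# constructed for illustration, not observed data.

$rorpianUrlPatterns = [ordered]@{
    'payload //dll'     = '^https?://[^/\s]+//dll$'
    'payload //srv'     = '^https?://[^/\s]+//srv$'
    'listener check-in' = '^https?://[^/\s]+/service/listener\.php\?affid=\w+$'
    'affiliate dll'     = '^https?://[^/\s]+/service/scripts/files/aff_\w+\.dll$'
    'log beacon (v13)'  = '^https?://[^/\s]+/log\.php\?data=[^&\s]+&version=13$'
}

# Constructed sample log: four Rorpian-shaped requests and one benign one
# that shares the "dll" path element but not the double slash.
$sampleLog = @(
    '2011-05-10T09:12:01Z 10.0.0.15 http://example.invalid//srv',
    '2011-05-10T09:12:03Z 10.0.0.15 http://example.invalid/service/listener.php?affid=1234',
    '2011-05-10T09:12:05Z 10.0.0.15 http://example.invalid/service/scripts/files/aff_1234.dll',
    '2011-05-10T09:12:09Z 10.0.0.15 http://example.invalid/log.php?data=ab12cd&version=13',
    '2011-05-10T09:13:00Z 10.0.0.22 http://example.invalid/dll/index.html'
)

function Find-RorpianUrls {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $fields = $line -split '\s+'
        if ($fields.Count -lt 3) { continue }   # malformed line, skip
        $url = $fields[2]
        foreach ($name in $rorpianUrlPatterns.Keys) {
            if ($url -match $rorpianUrlPatterns[$name]) {
                [pscustomobject]@{ Time = $fields[0]; Client = $fields[1]; Indicator = $name; Url = $url }
            }
        }
    }
}

Find-RorpianUrls -Lines $sampleLog | Format-Table -AutoSize
# Against a real export: Find-RorpianUrls -Lines (Get-Content .\proxy.log)
```

The double slash in "//dll" and "//srv" is the distinctive part of the first two patterns; a proxy that normalizes request paths before logging would collapse it, so if those two never fire on a known-infected client, rerun with a single slash and accept the extra noise. The listener.php and aff_<affid>.dll shapes remain specific either way, and a client that hits the listener and then fetches aff_<affid>.dll within seconds, as in the sample, is the sequence to alert on.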
Analysis by Amir Fouda