W32/Romario.A is a mass-mailing worm. It infects Windows systems and spreads through email, removable devices and open shares on a network.
Upon execution, the worm copies itself to the root of the disk drives under the following names:
Mario.exe
explorer.exe
xplorer.exe
It also copies itself as the following:
In the Game folder:
Bola.exe
Crazy Mouse.exe
Dark Screen.exe
Goncang.exe
Kartu.exe
Kelap Kelip.exe
Layar Jatuh.exe
Legend.exe
Minesweeper.exe
My Heart.exe
Pink Panther.exe
Smart.exe
Start Hide.exe
Text Animation.exe
XP Button.exe
In the Documents and Settings\All Users\Documents folder:
Bola Pantul.exe
FreeCard.exe
MyHearts.exe
In the Documents and Settings\User\Application Data folder:
Alisa.exe
Emma.exe
In the Documents and Settings\User\My Documents folder:
Mario Bross.exe
Minesweeper.exe
Solitaire Card.exe
In the Windows folder:
winlogon.exe
xplorer.exe
In the Windows\System folder:
msvbvm60.dll.exe
PANGKALP1NANG.EXE
SMUNSA_PKP_GAME.EXE
It modifies the registry at the following location to ensure its automatic execution at every Windows startup:
The worm also modifies the following registry entries to change the default start page of Microsoft Internet Explorer, disable System Restore and tamper with the safe mode boot:
The worm uses MAPI and depends on the Outlook client being configured with a valid SMTP server address in order to spread. It does not have its own SMTP engine.
It sends a copy of itself using the subjects of existing emails in the inbox. Because the subject is taken from a previous mail, this technique is highly successful at tricking recipients into believing the mail is genuine.
The worm copies itself to removable drives by creating a folder "GAME" on the removable drive and copying itself to that folder using the following names:
Bola.exe
Crazy Mouse.exe
Dark Screen.exe
Goncang.exe
Kartu.exe
Kelap Kelip.exe
Layar Jatuh.exe
Legend.exe
Minesweeper.exe
My Heart.exe
Pink Panther.exe
Smart.exe
Start Hide.exe
Text Animation.exe
XP Button.exe
It also copies itself to open shares on a network.
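The drop locations listed above are fixed, so a responder can triage a suspect drive or share by looking for exactly those names in exactly those folders. The following Python script is an added example written for this page, not Proland's tool or the worm's code; it assumes the drive is mounted at a path you pass in, treats "User" as every profile folder under Documents and Settings, and compares file names case-insensitively as a Windows file system would. The sample drive it builds is constructed in a temporary directory, not a real infection.

```python
import tempfile
from pathlib import Path

# Drop names from the page, keyed by folder relative to the drive root.
# "*" stands for each profile folder under Documents and Settings. The real
# explorer.exe lives in the Windows folder and winlogon.exe in Windows\System32,
# so copies at the drive root or in the Windows folder are signals on their own.
DROPS = {
    "": {"mario.exe", "explorer.exe", "xplorer.exe"},
    "GAME": {"bola.exe", "crazy mouse.exe", "dark screen.exe", "goncang.exe",
             "kartu.exe", "kelap kelip.exe", "layar jatuh.exe", "legend.exe",
             "minesweeper.exe", "my heart.exe", "pink panther.exe", "smart.exe",
             "start hide.exe", "text animation.exe", "xp button.exe"},
    "Documents and Settings/All Users/Documents": {"bola pantul.exe", "freecard.exe", "myhearts.exe"},
    "Documents and Settings/*/Application Data": {"alisa.exe", "emma.exe"},
    "Documents and Settings/*/My Documents": {"mario bross.exe", "minesweeper.exe", "solitaire card.exe"},
    "Windows": {"winlogon.exe", "xplorer.exe"},
    "Windows/System": {"msvbvm60.dll.exe", "pangkalp1nang.exe", "smunsa_pkp_game.exe"},
}

def _folders(root: Path, rel: str):
    """Expand '*' to every profile folder that exists; yield candidate folders."""
    if "*" not in rel:
        yield root / rel
        return
    head, tail = rel.split("*")
    base = root / head.strip("/")
    if base.is_dir():
        for prof in base.iterdir():
            if prof.is_dir():
                yield prof / tail.strip("/")

def scan_drive(root) -> list:
    """Return sorted paths under `root` that match the documented drop locations
    (case-insensitive file-name compare, as on a Windows file system)."""
    root, hits = Path(root), set()
    for rel, names in DROPS.items():
        for folder in filter(Path.is_dir, _folders(root, rel)):
            hits.update(str(p) for p in folder.iterdir()
                        if p.is_file() and p.name.lower() in names)
    return sorted(hits)

def demo() -> list:
    """Constructed sample drive: four documented names plus one harmless file."""
    d = Path(tempfile.mkdtemp())
    for rel in ("Mario.exe", "GAME/Kartu.exe", "Windows/winlogon.exe",
                "Documents and Settings/alice/My Documents/Solitaire Card.exe",
                "GAME/readme.txt"):
        (d / rel).parent.mkdir(parents=True, exist_ok=True)
        (d / rel).touch()
    return scan_drive(d)
```

A hit only says a name sits where the worm would put it; confirm with a hash or scan before treating it as an infection, and run `scan_drive` against every mounted drive and share, not just the system drive.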
This worm first appeared on August 01, 2007.
Other names of W32/Romario.A Worm:
This worm is also known as Virus.Win32.Romario, W32/Romario-A and W32.Romariory@mm.
Proland Software is the developer of the Protector Plus range of antivirus software packages. Protector Plus 2007 is available for Windows Vista, Windows 95/98/Me, Windows XP, Windows NT/2000/2003 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.
The Protector Plus range of antivirus products offers on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware.
These products are updated on a continuous basis, and the latest upgrades for all the platforms are made available for download from this site.