What is the Roma virus?

Source: Internet
Author: User
Tags: kaspersky antivirus

Chinese name: Roma

Virus type: Trojan Horse

Threat Level: ★

Affected systems: Win 9x/Me, Win 2000/NT, Win XP, Win 2003

Virus behavior:

The virus prevents a large number of security products from running and downloads many Trojans onto the user's computer to steal account credentials.

Attack actions

1. Drops the following virus files on the system partition:

<system partition>\Program Files\Internet Explorer\romdrivers.dll

<system partition>\Program Files\Internet Explorer\romdrivers.bak

<system partition>\Program Files\Internet Explorer\romdrivers.bkk

2. Creates the following registry keys so that the virus DLL is loaded at system startup (the CLSID varies from sample to sample). Registering a CLSID under ShellExecuteHooks causes Explorer to load the associated in-process server DLL whenever Explorer starts:

HKCR\CLSID\{0cd68ac9-ff63-3e61-626b-b663e62f6236}

HKCR\CLSID\{0cd68ac9-ff63-3e61-626b-b663e62f6236}\InprocServer32 (Default) = "C:\Program Files\Internet Explorer\romdrivers.dll"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0cd68ac9-ff63-3e61-626b-b663e62f6236} = ""

3. Tries to delete a list of roughly twenty other CLSID entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, so that other viruses do not interfere with it.


4. Queries the following registry values to locate the installation directories of the relevant security products, then creates a folder named "Ws2_32.dll" (the name of a system DLL) inside each installation directory. Because the application directory is searched before the system directory when a DLL is loaded, the folder shadows the real Ws2_32.dll and the security software fails to start.

Software\Rising\Rav

Software\Kingsoft\AntiVirus

Software\JiangMin

Software\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal

Software\KasperskyLab\Setup\Folders

Software\Network Associates\TVD\Shared Components\Framework

Software\ESET\Nod\CurrentVersion\Info

Software\Symantec\SharedUsage

Software\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe

5. Renames the NOD32 signature database file nod32.000 to Nod32.000.bak, so that NOD32 can no longer detect viruses.

6. Tries to find and close the window named "Kaspersky Antivirus Personal" and terminate the thread that owns it.

7. Adds the following registry values to record which of its components are present on the user's computer and the version of each, so that they can be updated later. The value "Me" records the version of the virus itself; the numbered value names are the serial numbers of the downloaded components, and each value's data records that component's version:

Key: HKEY_CURRENT_USER\Software\setver\ver

Me = "1.32"
1 = "2.96"
2 = "2.98"
3 = "2.992"
4 = "2.93"
5 = "2.93"
6 = "2.96"
7 = "2.96"
8 = "2.93"
9 = "2.99"
10 = "1.98"
11 = "1.991"
12 = "1.891"
13 = "1.91"
14 = "1.0"

8. Installs a message hook to inject the virus file romdrivers.dll into the Explorer process, then uses Explorer's network access to update itself and download a large number of account-stealing Trojans onto the user's computer.

9. Performs ARP spoofing, which congests the local network and disrupts internet access.

10. Deletes the Hosts file, removing any website blocking the user had configured there.

11. When the downloaded Trojans run, they drop the following files into the Temp directory:

Fyso.exe, Jtso.exe, Mhso.exe, Qjso.exe, Qqso.exe, Wgso.exe, Wlso.exe, Wmso.exe, Woso.exe, Ztso.exe, Daso.exe, Tlso.exe, Rxso.exe

Fyso0.dll, Jtso0.dll, Mhso0.dll, Qjso0.dll, Qqso0.dll, Wgso0.dll, Wlso0.dll, Wmso0.dll, Woso0.dll, Ztso0.dll, Daso0.dll, Tlso0.dll, Rxs0.dll, etc.

12. After a downloaded Trojan runs, it creates a startup value under the Run key. The value name is the Trojan's exe filename with the trailing "o" changed to "a", for example:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run  Fysa = "C:\docume~1\admini~1\locals~1\temp\fyso.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run  wosa = "C:\docume~1\admini~1\locals~1\temp\woso.exe"
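As an added illustration (not part of the original page), the following Python script parses a constructed .reg-style export and flags the three persistence artifacts described above: a ShellExecuteHooks CLSID whose InprocServer32 points at romdrivers.dll, the HKCU\Software\setver\ver bookkeeping values, and Run entries that launch from a Temp directory. The sample export and the benign entries in it are assumptions built from this page's description.

```python
import re

# Constructed .reg-style export carrying the artifacts this page describes,
# plus a benign hook and Run entry that must not be flagged. Not real data.
SAMPLE_REG = r"""
[HKEY_CLASSES_ROOT\CLSID\{0cd68ac9-ff63-3e61-626b-b663e62f6236}\InprocServer32]
@="C:\\Program Files\\Internet Explorer\\romdrivers.dll"

[HKEY_CLASSES_ROOT\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0cd68ac9-ff63-3e61-626b-b663e62f6236}"=""
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\Software\setver\ver]
"Me"="1.32"
"3"="2.992"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fysa"="C:\\docume~1\\admini~1\\locals~1\\temp\\fyso.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"
"""

HOOKS_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SETVER_KEY = r"hkey_current_user\software\setver\ver"

def parse_reg(text):
    """Parse a .reg export into {key (lowercased): {value_name: data}}; '' is the default value."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^(@|"([^"]*)")="(.*)"$', line)
            if m:
                name = "" if m.group(1) == "@" else m.group(2)
                reg[current][name] = m.group(3).replace("\\\\", "\\")  # undo .reg escaping
    return reg

def hooks_loading_dll(reg, dll="romdrivers.dll"):
    """CLSIDs registered as shell-execute hooks whose in-process server is the given DLL."""
    hits = []
    for clsid in reg.get(HOOKS_KEY, {}):
        server = reg.get("hkey_classes_root\\clsid\\" + clsid.lower() + "\\inprocserver32", {})
        if server.get("", "").rsplit("\\", 1)[-1].lower() == dll:
            hits.append(clsid)
    return hits

def run_values_in_temp(reg):
    """Run entries whose target lives under a Temp directory, like the dropped *so.exe files."""
    return [(n, v) for n, v in reg.get(RUN_KEY, {}).items() if re.search(r"\\temp\\", v, re.I)]

def scan(text):
    reg = parse_reg(text)
    return {"hooks": hooks_loading_dll(reg), "run": run_values_in_temp(reg),
            "setver": dict(reg.get(SETVER_KEY, {}))}

if __name__ == "__main__":
    for kind, found in scan(SAMPLE_REG).items():
        print(kind, found)
```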
