Chinese name: Roma
Virus type: Trojan Horse
Threat Level: ★
Affected systems: Win 9x/Me, Win 2000/NT, Win XP, Win 2003
Virus behavior:
The virus prevents a large number of security products from running and downloads many Trojans onto the user's computer to steal the user's account credentials.
Attack actions
1. Drops the following virus files (paths are relative to the system partition):
\Program Files\Internet Explorer\romdrivers.dll
\Program Files\Internet Explorer\romdrivers.bak
\Program Files\Internet Explorer\romdrivers.bkk
2. Creates the following registry keys so that the virus DLL is loaded at system startup (the CLSID varies between samples):
HKCR\CLSID\{0cd68ac9-ff63-3e61-626b-b663e62f6236}
HKCR\CLSID\{0cd68ac9-ff63-3e61-626b-b663e62f6236}\InprocServer32, (Default) = "C:\Program Files\Internet Explorer\romdrivers.dll"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, "{0cd68ac9-ff63-3e61-626b-b663e62f6236}" = ""
3. Attempts to delete the following registry entries so that other viruses cannot interfere with it:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{DE35052A-9E37-4827-A1EC-79BF400D27A4}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{aeb6717e-7e19-11d0-97ee-00c04fd91972}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{DD7D4640-4464-48C0-82FD-21338366D2D2}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{131AB311-16F1-F13B-1E43-11A24B51AFD1}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{274B93C2-A6DF-485F-8576-AB0653134A76}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0cb68ad9-ff66-3e63-636b-b693e62f6236}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{09b68ad9-ff66-3e63-636b-b693e62f6236}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{754FB7D8-B8FE-4810-B363-A788CD060F1F}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a6011f8f-a7f8-49aa-9ada-49127d43138f}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06a68ad9-ff56-6e73-937b-b893e72f6226}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06E6B6B6-BE3C-6E23-6C8E-B833E2CE63B8}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{BC0ACA58-6A6F-51DA-9EFE-9D20F4F621BA}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{99f1d023-7ceb-4586-80f7-bb1a98db7602}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{923509F1-45CB-4EC0-BDE0-1DED35B8FD60}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{42a612a4-4334-4424-4234-42261a31a236}
4. Queries the following registry keys to locate the installation directories of the listed security products, then creates a folder named "Ws2_32.dll" (the name of a system DLL) inside each installation directory, so that the product fails to start:
Software\Rising\Rav
Software\Kingsoft\AntiVirus
Software\JiangMin
Software\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal
Software\KasperskyLab\SetupFolders
Software\Network Associates\TVD\Shared Components\Framework
Software\ESET\Nod\CurrentVersion\Info
Software\Symantec\SharedUsage
Software\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
5. Renames the NOD32 signature database file nod32.000 to nod32.000.bak, so that NOD32 can no longer detect viruses.
6. Searches for the window titled "Kaspersky Antivirus Personal" and closes it together with the thread that owns it.
7. Adds the following registry values to record which virus components are present on the user's computer and the version of each, so that the virus can update itself. The value "Me" records the version of the virus itself; each numbered value is the serial number of a component, and its data is that component's version:
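Steps 4 and 5 above both disable security products through the file system rather than the registry, which makes them easy to check for offline. The following is an added example, not code from the page or from any vendor: it walks a tree and flags any directory whose name ends in ".dll" (a directory can never be a loadable module, so one sitting in an application folder only serves to block the real DLL, as the page describes for Ws2_32.dll) and any nod32.000.bak whose original nod32.000 is missing. The directory layout is constructed inline for the demonstration; the product folder names in `build_sample_tree` are assumptions, not locations reported on the page.

```python
"""Filesystem checks for the anti-AV tricks in steps 4 and 5 (added example)."""
import os
import tempfile
from pathlib import Path


def find_dll_named_directories(root):
    """Return directories under root whose name ends in .dll.

    A directory named after a DLL in an application's own folder is a
    DLL-search-order blocker: the loader finds the directory first and the
    load fails, which is how step 4 stops the security product from starting.
    """
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if name.lower().endswith(".dll"):
                hits.append(str(Path(dirpath) / name))
    return sorted(hits)


def find_renamed_signature_db(root, db_name="nod32.000"):
    """Return (backup_path, original_still_present) for every nod32.000.bak.

    Step 5 renames the database rather than deleting it, so the .bak file is
    the indicator; original_still_present False means the rename succeeded.
    """
    hits = []
    bak = db_name.lower() + ".bak"
    for dirpath, _, filenames in os.walk(root):
        lower = {f.lower(): f for f in filenames}
        if bak in lower:
            hits.append((str(Path(dirpath) / lower[bak]), db_name.lower() in lower))
    return hits


def build_sample_tree():
    """Construct a throwaway tree mimicking an infected Program Files layout (assumed names)."""
    root = Path(tempfile.mkdtemp(prefix="roma_demo_"))
    kav = root / "Program Files" / "Kaspersky Lab" / "KAV"   # assumed install dir
    kav.mkdir(parents=True)
    (kav / "kav.exe").write_bytes(b"")
    (kav / "Ws2_32.dll").mkdir()                          # the blocking folder from step 4
    eset = root / "Program Files" / "ESET"                # assumed install dir
    eset.mkdir(parents=True)
    (eset / "nod32.000.bak").write_bytes(b"")             # renamed database from step 5
    clean = root / "Program Files" / "Clean App"
    clean.mkdir(parents=True)
    (clean / "helper.dll").write_bytes(b"")               # a real DLL file: must not be flagged
    return root


def scan(root):
    """Run both checks and return the findings as a dict."""
    return {
        "dll_directories": find_dll_named_directories(root),
        "renamed_db": find_renamed_signature_db(root),
    }


if __name__ == "__main__":
    sample = build_sample_tree()
    for kind, value in scan(sample).items():
        print(kind, value)
```

Point `scan` at the real Program Files tree when triaging a machine; the ".dll directory" check has no legitimate hits, so anything it returns is worth a look even if the sample in question is not this one.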
HKCU\Software\setver\ver, "Me" = "1.32"
HKCU\Software\setver\ver, "1" = "2.96"
HKCU\Software\setver\ver, "2" = "2.98"
HKCU\Software\setver\ver, "3" = "2.992"
HKCU\Software\setver\ver, "4" = "2.93"
HKCU\Software\setver\ver, "5" = "2.93"
HKCU\Software\setver\ver, "6" = "2.96"
HKCU\Software\setver\ver, "7" = "2.96"
HKCU\Software\setver\ver, "8" = "2.93"
HKCU\Software\setver\ver, "9" = "2.99"
HKCU\Software\setver\ver, "10" = "1.98"
HKCU\Software\setver\ver, "11" = "1.991"
HKCU\Software\setver\ver, "12" = "1.891"
HKCU\Software\setver\ver, "13" = "1.91"
HKCU\Software\setver\ver, "14" = "1.0"
8. Installs a message hook to inject the virus file romdrivers.dll into the Explorer process, then uses Explorer's network connection to update the virus and download a large number of credential-stealing Trojans onto the user's computer.
9. Performs ARP spoofing, which congests the local network and disrupts Internet access.
10. Deletes the Hosts file, removing any website blocking the user had configured there.
11. When the downloaded Trojans run, they drop the following files into the Temp directory:
Fyso.exe, Jtso.exe, Mhso.exe, Qjso.exe, Qqso.exe, Wgso.exe, Wlso.exe, Wmso.exe, Woso.exe, Ztso.exe, Daso.exe, Tlso.exe, Rxso.exe
Fyso0.dll, Jtso0.dll, Mhso0.dll, Qjso0.dll, Qqso0.dll, Wgso0.dll, Wlso0.dll, Wmso0.dll, Woso0.dll, Ztso0.dll, Daso0.dll, Tlso0.dll, Rxs0.dll, etc.
12. After the downloaded Trojans run, they create the following registry startup values. The value name is the Trojan's file name with its final "o" changed to "a", for example:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, "Fysa" = "C:\docume~1\admini~1\locals~1\temp\fyso.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, "wosa" = "C:\docume~1\admini~1\locals~1\temp\woso.exe"
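Steps 2, 7 and 12 all leave registry traces, and a registry export (the text format produced by "reg export") can be triaged without touching the infected machine. The following is an added example, not code from the page or from any vendor. It parses a .reg export and applies three checks: every CLSID listed under ShellExecuteHooks is resolved through HKCR\CLSID\{...}\InprocServer32 and flagged when its DLL lives outside system32 (ShellExecuteHooks is a shell load point, so Explorer loads every in-process server listed there, which is why step 2 registers romdrivers.dll that way); the presence of the HKCU\Software\setver\ver bookkeeping key with its "Me" value; and Run values whose name is a Temp-directory executable's stem with the final "o" changed to "a", as in step 12. The export text below is constructed for the demonstration; the shell32.dll hook is included as a benign entry so the check is seen to pass on legitimate hooks, and the ctfmon Run value is likewise a constructed benign entry.

```python
"""Offline triage of a .reg export for the registry indicators in steps 2, 7 and 12 (added example)."""
import re

# Constructed sample export: an infected entry next to benign ones for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0cd68ac9-ff63-3e61-626b-b663e62f6236}\InprocServer32]
@="C:\\Program Files\\Internet Explorer\\romdrivers.dll"

[HKEY_CLASSES_ROOT\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{0cd68ac9-ff63-3e61-626b-b663e62f6236}"=""

[HKEY_CURRENT_USER\Software\setver\ver]
"Me"="1.32"
"1"="2.96"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fysa"="C:\\docume~1\\admini~1\\locals~1\\temp\\fyso.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

HOOKS_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SETVER_KEY = r"hkey_current_user\software\setver\ver"

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse a .reg export into {lowercased key path: {value name: data}}.

    Only string values ("name"="data" and the @="data" default) are decoded,
    which is all these indicators need; other value types are kept raw.
    """
    hives = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            hives.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current is not None else None
        if not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        hives[current][name] = data
    return hives


def triage(hives):
    """Return (kind, name, detail) tuples for every indicator found."""
    findings = []
    # Step 2: a ShellExecuteHooks entry whose in-process server is not a system32 DLL.
    for clsid in hives.get(HOOKS_KEY, {}):
        server = hives.get("hkey_classes_root\\clsid\\" + clsid.lower() + "\\inprocserver32", {})
        dll = server.get("", "<unresolved>")
        if "\\system32\\" not in dll.lower():
            findings.append(("shellexecutehook", clsid, dll))
    # Step 7: the version-bookkeeping key with its "Me" value.
    ver = hives.get(SETVER_KEY)
    if ver is not None:
        for name, data in ver.items():
            if name.lower() == "me":
                findings.append(("setver", name, data))
    # Step 12: Run value named after a Temp executable with the last 'o' changed to 'a'.
    for name, path in hives.get(RUN_KEY, {}).items():
        base = path.rsplit("\\", 1)[-1].lower()
        stem = base[:-4] if base.endswith(".exe") else base
        if "\\temp\\" in path.lower() and stem.endswith("o") and name.lower() == stem[:-1] + "a":
            findings.append(("run", name, path))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg_export(SAMPLE_REG)):
        print(*finding)
```

The ShellExecuteHooks check is the one worth keeping generally: a legitimate hook resolves to a DLL under system32, so any other target is unusual whether or not its name is romdrivers.dll, and the same lookup works for other shell load points that store CLSIDs as value names.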