Aliases: W32/Korron.Worm, Worm.Ronkor
Variants: W32.Korron.B

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 24 Jan 2008
Damage: Medium

Characteristics: The worm W32.Korron.A spreads through removable drives and lowers security settings. It infects Windows systems. This worm can consume system memory. It also decreases network bandwidth and can cause a computer to crash.

More details about W32.Korron.A

The worm W32.Korron.A arrives as a dropped file from a network or a removable drive. When executed, the worm copies itself as r0nk0r.exe, Setup.exe, and msvbvm60.dll in the Windows folder. It also copies itself as shell.exe, MrHello.scr, IExplorer.exe in the System folder. It creates new entries in the registry and modifies it to make sure that it runs during each start up. The worm copies desktop.ini and Data Administrator.exe in the removable drives. The worm also ends processes that contain any of the strings that follow: AN'SAV, ANSAV, ANTI, ASM, AVS, BUG, DBG, DETEC, HEX, NOD32, OPTIONS, PCMAV, PROC, REG, S M A D A V, SCAN, SCANNER, SECURITY, SMADAV, TASK, VIRUS, W32, and WALK. A text file may also be opened by the worm containing the message: “Maaf Apa yang kulakukan tak dapat kumaafkan Benar…”

The W32.Korron.A program is allegedly capable of changing the Web browser settings. Once it modifies the Web browser’s homepage, the user may have difficulty of manually modifying the homepage again. The W32.Korron.A program is also reported to change the Web browser settings. It may set the browser to reroute searches to other search engines or websites. It may reroute URL errors as well. The usual victim of this Trojan and other similar malware is the Microsoft Internet Explorer. But other Web browsers like Mozilla Firefox and Opera are susceptible to its attacks as well.