
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Rona.A

Threat level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Rona.A carries out the following actions:

  • It logs the following information in a file:
    - Version of the Trojan: Ver: *** [0.92 AUG] ***Aug 16 2004 13:20:47
    - Active processes.
    - Internet connection availability.
    - Update attempts via FTP.
    - Document searches.
    - Miscellaneous information about its actions.
    - Date and time.
  • It checks for an Internet connection by sending ping (ICMP echo) requests to the host ftp.microsoft.com.
  • If it receives a reply, it connects to ftp.targetdata.biz using a certain username and password in order to:
    - Update itself.
    - Receive a new configuration file.
    - Receive remote control commands. One of the possible commands is to delete itself, which it does by using a script called suicide.bat.
    - Upload documents it has previously searched on the affected computer.
    - Send information of the web pages accessed by the user.
    - Send the keystrokes it has logged.
    - Send a clip of user activities.
  • It obtains the settings of the default mail account, and may use them to send email messages.
  • It takes screenshots, stamping data such as the time zone, date and time in the upper left corner.

  • It attempts to disable the firewall of a certain security suite, by tampering with the Windows Registry.
  • It attempts to access files belonging to the synchronization software of Palm PDAs and to the instant messaging program ICQ.
  • It logs the web addresses the user accesses, using the following format:

    WWW: URL=about:Home Visited = 31.10.02 03:59
    WWW: URL=http://www.google.com Visited= 10.05.05 07:10
    WWW: URL=about:Home Visited = 31.10.02 03:59

Infection strategy 

Rona.A creates the following files:

  • SVCHOST.EXE, in the Windows system directory and in the Startup directory. This file is a copy of the Trojan.
    Please note that the first character of the file name is a blank space, which distinguishes it from the legitimate Windows SVCHOST.EXE.
    By creating a copy of itself in the Startup directory, Rona.A ensures that it is run whenever Windows is started.
  • MMSYSTEM.DLX in the Windows system directory. This file logs information about the computer and the activities carried out by the Trojan.
  • Files whose names follow the pattern OLECLISYSTEMUPDATE_dd.mm.yyyy hh.mm.ss.DLX, in the Windows system directory. These files are the screenshots that the Trojan takes.
    dd.mm.yyyy is the date and hh.mm.ss is the time when the screenshot was taken.
  • WINDOWS.MPG, in the same directory where the Trojan was run. This file stores information about the searches it carries out. It has the following format:

    'Query: *.doc in all drives (C-Z) for the last 1 days
    'Ver: *** [0.92 AUG] ***Aug 16 2004 13:20:47 Creation time: 01.56.05 02:56:28. 1 files were found. Max files = 25000
    [ ] c:\WINDOWS\system32\NDA rona.doc
    'File 1 (of total 1) Date: 01.06.05 Length = 2424795
  • CHJO.DRV in the Windows system directory. This file is an installation log of the Trojan:

    Can Install 1
    Can Recieve 0
    Can Send 0
    Can write to registry 1
    Current Version (null)
    Cycle 1
    Files Sent 0 Last FTP update 31.12.1969 16:00 Last Offline 01.06.2005 02:56 Last Online 31.12.1969 16:00
    Last query 31.12.1969 16:00 Last settings update 01.06.2005 02:56
    Logs sent 0 Screens sent 0 Start Time 01.06.2005 02:53
    Work path C:\WINDOWS\System32

  • CFXP.DRV in the Windows system directory. This file is a log of the web pages accessed by the user.
  • ACTIVITY.AVI, MMSYSTEM.DLX, PF30TXT.DLX, SDFSFD.3FS, SYSTEM.LST, TMP.EXE, UPGRADE.AVI and WINDLL.DLX. These are temporary files.
  • NDA RONA.DOC.

Rona.A modifies the file WIN.INI. It adds a section called [WindowsSys32], and several lines that store configuration data.

Rona.A creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    regedit = %sysdir%\ svchost.exe ccRegVfy

    where %sysdir% is the Windows system directory.
    By creating this entry, Rona.A ensures that it is run whenever Windows is started.
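As an added example (not part of the Panda encyclopedia entry), the following Python checker applies the host indicators described above to constructed sample data: a directory listing, a set of Run key values and WIN.INI text. The sample values are made up for the demonstration; the treatment of the blank after the backslash in the Run value as the file name's leading blank is an assumption.

```python
import re

# Host indicators from the Rona.A description. Windows file names are
# case-insensitive, so every comparison is done on upper-cased names.
LEADING_SPACE_COPY = " SVCHOST.EXE"  # the Trojan's copy: first character is a blank
SCREENSHOT_RE = re.compile(
    r"^OLECLISYSTEMUPDATE_\d{2}\.\d{2}\.\d{4} \d{2}\.\d{2}\.\d{2}\.DLX$")
DROPPED_NAMES = {"MMSYSTEM.DLX", "CHJO.DRV", "CFXP.DRV", "WINDOWS.MPG",
                 "ACTIVITY.AVI", "PF30TXT.DLX", "SDFSFD.3FS", "SYSTEM.LST",
                 "TMP.EXE", "UPGRADE.AVI", "WINDLL.DLX", "NDA RONA.DOC"}
# The Run value is shown as "%sysdir%\ svchost.exe ccRegVfy"; the blank after the
# backslash is assumed to be the file name's leading blank, so it is optional here.
RUN_VALUE_RE = re.compile(r"\\ ?svchost\.exe\s+ccRegVfy\s*$", re.IGNORECASE)

def suspicious_files(names):
    """Names in a directory listing that match the dropped-file indicators.
    A plain 'svchost.exe' (no leading blank) is the legitimate Windows binary."""
    hits = []
    for name in names:
        upper = name.upper()
        if (upper == LEADING_SPACE_COPY or upper in DROPPED_NAMES
                or SCREENSHOT_RE.match(upper)):
            hits.append(name)
    return hits

def suspicious_run_values(run_values):
    """run_values: {value name: data} read from HKLM\\...\\CurrentVersion\\Run.
    Flags the 'regedit' value that launches the leading-blank svchost.exe copy."""
    return [name for name, data in run_values.items()
            if name.lower() == "regedit" and RUN_VALUE_RE.search(data)]

def winini_has_section(text, section="WindowsSys32"):
    """True if the WIN.INI text contains the [WindowsSys32] section the Trojan adds."""
    wanted = f"[{section}]".lower()
    return any(line.strip().lower() == wanted for line in text.splitlines())

# Constructed sample data (not taken from a real infected host).
SAMPLE_LISTING = ["notepad.exe", "svchost.exe", " svchost.exe",
                  "OLECLISYSTEMUPDATE_01.06.2005 02.56.28.DLX", "chjo.drv"]
SAMPLE_RUN = {"ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe",
              "regedit": r"C:\WINDOWS\System32\ svchost.exe ccRegVfy"}
SAMPLE_WININI = "[fonts]\n\n[WindowsSys32]\nsetting=1\n"

if __name__ == "__main__":
    print("files:", suspicious_files(SAMPLE_LISTING))
    print("run values:", suspicious_run_values(SAMPLE_RUN))
    print("WIN.INI section present:", winini_has_section(SAMPLE_WININI))
```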

Means of transmission 

Rona.A does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

Rona.A is written in the programming language Visual C++. This Trojan is 492,934 bytes in size.
