
F - R O R O N
--------------

DISCLAIMER

F-SECURE CORPORATION AND ITS PARTNERS ARE NOT RESPONSIBLE FOR ANY 
DAMAGES RESULTING FROM THE USE OF THIS DISINFECTION UTILITY.

YOU ARE USING THIS UTILITY AT YOUR OWN RISK.

IT IS STRONGLY RECOMMENDED TO BACK UP ALL YOUR IMPORTANT DATA 
BEFORE USING THIS DISINFECTION UTILITY.

The Roron worm is known to be able to delete all files from all 
hard disks of an infected system when it is being disinfected and 
also when its internal counters reach certain values. The F-Roron 
tool makes every effort to avoid payload activation by killing 
all of the worm's active tasks prior to disinfection. However, 
there can be situations when an attempt to clean the Roron worm 
might result in payload activation. Such cases are very rare. 
Nevertheless, it is recommended to back up all your data before 
disinfection.

--------------

The F-Roron utility disinfects computers infected with the Roron 
(also known as Roro and Oror) worm. The following versions of 
the Roron worm are cleaned:

I-Worm.Roron.4999.d
I-Worm.Roron.497
W32/Roro.P@mm (I-Worm.Roron.41)
W32/Roro.AC@mm (I-Worm.Roron.4996)
W32/Roro.Q@mm (I-Worm.Roron.4997)
W32/Roro.Z@mm (I-Worm.Roron.4999.b)
W32/Roro.X@mm (I-Worm.Roron.50)
W32/Roro.AA@mm (I-Worm.Roron.51)
W32/Roro.W@mm (I-Worm.Roron.53)
W32/Roro.U@mm (I-Worm.Roron.50)
W32/Roro.V@mm (I-Worm.Roron.4999.c)
W32/Roro.AJ@mm (I-Worm.Roron.55.f)
I-Worm.Roron.55.b
W32/Roro.AH@mm (I-Worm.Roron.55.a)

The disinfection procedure is as follows:

1. Unpack the F-Roron utility from the provided ZIP archive 
with either the WinZip or the PkUnzip utility. A trial version of 
the WinZip archiver can be downloaded from the following website:

http://www.winzip.com/ddchomea.htm

2. Run the unpacked F-Roron.exe file from a hard disk to 
eliminate the Roron worm infection. You can run the utility 
either by double-clicking on it in Windows Explorer or by 
starting it from a command interpreter (COMMAND.COM or CMD.EXE): 
type its name at the command prompt and press 'Enter' (for 
advanced users).

First the F-Roron utility will remove all network shares. Then it 
will kill the Roron worm's processes in memory. After that the 
utility will scan your hard drive for infected files and delete 
them. Then the utility will restore vital Registry keys changed 
by the worm. Finally, all network shares will be restored.

3. Reboot the system. After the restart your system should be 
clean.

If you have F-Secure Anti-Virus installed, the utility will 
temporarily disable the on-access scanner so that it can 
disinfect your system. After the utility completes disinfection, 
it enables the on-access scanner again.

You can get a trial version of F-Secure Anti-Virus and the latest 
updates for it from our website:

http://www.europe.f-secure.com/download-purchase/
http://www.europe.f-secure.com/download-purchase/updates.shtml


IMPORTANT NOTES
---------------

If during disinfection you get the following message box:

 Workstation is infected!
 Roron can not be removed!

this means that there might be an unknown version of the Roron 
worm or another malicious program on your computer that the tool 
cannot clean. In this case please DO NOT RUN THE TOOL AGAIN - 
contact our Anti-Virus Research Team (the address is below). If 
you use the tool again, there is a certain risk of Roron's 
payload activation, which will result in deletion of all files on 
all hard disks.

The F-Roron tool creates a log file called F-Roron.log in the 
Windows folder. The log is appended to every time the tool is 
used. If you have problems with the tool, please send its log 
file to our Anti-Virus Research Team.

F-Roron can be run in silent mode. In this mode it will not ask 
for confirmation to run and will not show any message boxes. You 
can enable this mode by running the tool with the /SILENT command 
line option.

If a computer running Windows NT, 2000 or XP is being 
disinfected, please log in as Administrator or as a user with 
local admin rights; otherwise the F-Roron utility might not 
disinfect the system correctly.

If the Roron infection is in a network environment, the network 
should be temporarily taken down before all workstations and 
servers are disinfected. A single infected workstation can 
re-infect already cleaned computers.

If you have Windows ME or XP, it is recommended to disable the 
System Restore feature of these operating systems to prevent your 
computer from being re-infected with the Roron worm. The System 
Restore feature might save the infected file into its special 
folder and copy it back to the hard drive every time it has been 
deleted by the F-Roron utility. The instructions on how to 
disable the System Restore feature are here:

Windows ME:
http://www.europe.f-secure.com/v-descs/sfc_dis.shtml

Windows XP:
http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

If you have any problems using this utility, please contact our
Anti-Virus Research Team at the 'samples@f-secure.com' address.


