  bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: 
·Verizon Online DSL
| roimoi trojan?
Several complaints have surfaced about this. The suggestion in the Newsgroups was that this roimoi trojan was deliberately introduced, along with a list of others, to sell a specific tool to remove it for $$$?
Google Groups, "roimoi"
Very odd.
Seems that it is being distributed through the eDonkey/eMule network in popular video files. |
|
  John2g Qui Tacet Consentit Premium join:2001-08-10 England | BOClean will remove it for me without the need for any further removal tool  |
|
 tataye
join:2003-12-15 | reply to bcastner Who in the hell will buy an antiroimoi tool LOL -- beast father |
|
  gkweb
join:2003-06-09 76800 | reply to bcastner I wonder if the author of this trojan is French, because it could mean "I'm a king", literally "king me".
Maybe a coincidence  |
|
  Vampirefo Premium,MVM join:2000-12-11 Huntington, WV | reply to bcastner Never heard of it, or perhaps it goes by another name. Sounds more like spyware than a Trojan from what I read; again, I haven't seen one so I don't know for sure. -- Spam Officially Legal |
|
  bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: 
·Verizon Online DSL
| reply to bcastner roimoi (yes, vague French for I am King) pegs the user's explorer.exe at nearly 99% CPU utilization.
It is not caught by AV scans, or SpyBot; and Hijack does not note anything interesting about it.
What is fascinating is that there is a strong suggestion in the newsgroups that the program was written by a single malware cleaner program to promote its products.
This could be completely unfair, but even the suggestion is an odd twist on things.
If not now, someday I suspect it will be true. |
|
 Schouw Premium join:2003-05-29 Netherlands | I have/had a sample of it.. I've seen TOO much this week.. KL detects it.(Or it was rejected because it was simply a badly coded file, can't recall correctly..) |
|
  bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs:  | reply to bcastner Just saw another query about it. Must be spreading. cwshredder and SpyBot, PestPatrol, and online AV scans right now do not notice it. |
|
  Vampirefo Premium,MVM join:2000-12-11 Huntington, WV | reply to bcastner Can you send me a copy, I am 99% sure it's just spyware, but will analyze it if you send me a copy. -- Spam Officially Legal |
|
  bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: 
·Verizon Online DSL
| reply to bcastner Don't have one, but will try.
Google "roimoi" and read the first three or four responses.
Google Groups, "roimoi" and see the newsgroup discussions. Fairly or unfairly, the consensus in the Northern European groups is that this was deliberately created malware to sell a sole removal tool.
I tend not to believe conspiracy theories. But roimoi is certainly growing, and not "caught" by current freeware AV or spyware/adware tools. |
|
 Schouw Premium join:2003-05-29 Netherlands
| reply to bcastner I've taken a look at Google. Yes, this confirms the thoughts I had, I have the sample.
I had an argument about this with the analysts.. said by Sergey: No, it is only buggy program.
Seems like I will have to convince him.  |
|
  Vampirefo Premium,MVM join:2000-12-11 Huntington, WV
·Comcast
| reply to bcastner I read them only to conclude that BOClean released this Trojan; that makes no sense to me. BOClean made up the name of the file, sure; they probably got it from the registry entries.
I see no reason for BOClean to release a Trojan/Spyware, so I think people are mistaken. This is more than likely new spyware; nothing I read shows it to be anything but Spyware, and the explorer high CPU is more than likely due to ads being displayed or downloaded. -- Spam Officially Legal |
|
  bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs:  | reply to bcastner Vampirefo,
I agree it is unfair to NSClean, BOClean. Any additional information you can throw out will hopefully be caught by Google, and by me.
Bill Castner |
|
  bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs:  | reply to bcastner Schouw,
You go guy.
This guy has no freeware removal opportunities at the moment, and really screws up a workstation. |
|
 Schouw Premium join:2003-05-29 Netherlands | reply to bcastner From all cases I've seen where users couldn't access their 'windows explorer/my computer', it was all due to a dll.
Using HijackThis was the simplest way out. |
|
  Vampirefo Premium,MVM join:2000-12-11 Huntington, WV 1 edit | Schouw,
If you have a copy of this file send it to me I am sure I could make a remover for it. -- Spam Officially Legal
|
|
 Schouw Premium join:2003-05-29 Netherlands | reply to bcastner Unfortunately I can't give out samples anymore... |
|
  bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: 
·Verizon Online DSL
| reply to bcastner Curiouser and curiouser. This is what "seemed" to work for some:
Safe Mode:
. Use Hijack and look for odd .dlls being loaded in the O4 HKEY RUN sequence. It is polymorphic, but they are .DLLs, and usually consist of mainly numbers.DLL;
. Registry search for "roimoi" you should have one hit. Remove the key (likely, but not always, under an InProc32 subkey of a value);
. Search the registry for CLSID: {F9A06B36-C8C0-4644-9B5E-DBD82EB2E563} and delete the entry.
Reboot to normal mode.
This advice has worked, but this roimoi is odd, and the newsgroup reaction that it is a planted trojan is decidedly very odd stuff. |
|
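A read-only audit of the indicators bcastner lists above (numeric-named DLLs in the Run keys, the quoted CLSID, and any registry key or value named "roimoi"), written as an added example for this thread and not taken from any post or vendor tool. It reports and deletes nothing; the Browser Helper Objects path and the "four or more digits" threshold are assumptions, not from the post.

```powershell
# Added example: audit a Windows host for the roimoi indicators described in
# the thread. Read-only. Run elevated, ideally in Safe Mode as the post suggests.

$clsid   = '{F9A06B36-C8C0-4644-9B5E-DBD82EB2E563}'   # CLSID quoted in the thread
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Run values that load a DLL whose base name is mostly digits
#    (the "numbers.DLL" pattern). Threshold of 4+ digits is an assumption.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
    foreach ($name in $names) {
        $cmd = [string]$props.$name
        if ($cmd -match '([^\\\s"]+)\.dll' -and $Matches[1] -match '^\d{4,}$') {
            Write-Output "SUSPECT Run value '$name' in $key : $cmd"
        }
    }
}

# 2. Is the CLSID registered? InProcServer32's default value names the DLL.
$clsidPath = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
if (Test-Path $clsidPath) {
    $server = (Get-ItemProperty -Path "$clsidPath\InProcServer32" `
               -ErrorAction SilentlyContinue).'(default)'
    Write-Output "FOUND CLSID $clsid -> InProcServer32: $server"
}

# 3. Is that CLSID also registered as a Browser Helper Object? (assumed path)
$bho = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
if (Test-Path $bho) { Write-Output "FOUND BHO registration for $clsid" }

# 4. Any key or value name containing 'roimoi' under the common software hives.
foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE') {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match 'roimoi' -or ($_.GetValueNames() -match 'roimoi') } |
        ForEach-Object { Write-Output "FOUND 'roimoi' at $($_.Name)" }
}
```

Review each reported line against the HijackThis O4 list before removing anything; a hit on step 1 alone is a heuristic, not proof.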
  John2g Qui Tacet Consentit Premium join:2001-08-10 England
| said by bcastner :
and the newsgroup reaction that it is a planted trojan decidedly very odd stuff.
Probably posted by a would be competitor of NSClean to foment trouble. -- Better to remain silent and be thought a fool, than to speak and remove all doubt. |
|
  K McAleavey Premium join:2003-11-12 Voorheesville, NY
| reply to bcastner
 [screenshot of ROIMOI's code] |
It would appear as though this is yet another marketing ploy by an anti-trojan that "ONLY covers back doors" and markets by bashing any and all competition rather than fixing their own product. I wish I could say I was surprised, but I suppose it's OUR turn in the barrel this week instead of TDS. 
The SCOOP - "ROIMOI" is "spyware" from an organization known as ROINGS.COM, found in many "freeware" items such as eDonkey and others, and also installed by "drive-by" websites.
The name "ROIMOI" was given to this particular item by the anti-spyware exchange, and it is detected by a number of products including Norton antivirus. It is an executable "handler" which updates the BHOs and other hijackers, and all of these are randomly named entities. It can bring a machine to its knees.
Samples of the "roings.com" hijackers have been provided far and wide to all in the anti-malware business, and the origin of this absolute nonsense would have known about this if they covered ALL trojans and not just a handful. 
Sorry folks, but aren't we ALL getting tired of one particular vendor whose sole function seems to be the bashing of everybody else?  -- Kevin McAleavey support@nsclean.com http://www.nsclean.com/ |
|