Aliases: IM-Worm.Win32.VB.a [KAV], W32/Bropia.A-tr, W32/Bropia.B-net, W32/Bropia.worm.b [McAfee]
Detection Availability
Visible Symptoms
Detailed Analysis

This is a slow-spreading Internet worm for MSN Messenger and Windows environments. The virus was coded in Visual Basic 6 and spreads to the contacts listed in the MSN Messenger contact list. It also carries an embedded copy of an RBot variant, which the current AV database update identifies as "W32/RBot.TX-net".

If the virus is received and run, it copies itself to the root of the C: drive. It then extracts a copy of an IRC backdoor to the System32 folder as "lexplore.exe".

MSN Messenger API Hook

The virus is coded in Visual Basic 6 and uses imports from an MSN Messenger API to manipulate the application and send a copy of itself to others. It only targets installations of MSN Messenger stored at this path:

C:\Program Files\Messenger\msmsgs.exe

If MSN Messenger is not found at that location, the virus is not likely to spread further.

The virus uses the import "OMsn_OnContactStatusChange" as its trigger point: this hook directs execution to the routine that sends a copy of the virus to other contacts listed in MSN Messenger. When a contact changes status, the virus targets that contact and sends a copy of itself in an "instant message" under one of these file names:

Drunk_lol.pif
Webcam_004.pif
sexy_bedroom.pif
naked_party.pif
love_me.pif

Loading at Windows startup

The IRC backdoor component is registered to run at each Windows startup through the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\OLE
"lexplore" = lexplore.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Recommended Action