W32/Bropia.D!worm.im - Released Feb 07, 2005 - Last Updated Sep 21, 2006

Alias/es

IM-Worm.Win32.Bropia.ah, W32.Bropia.C, W32/Bropia-C, W32/Bropia.B, W32/Bropia.C.worm, W32/Bropia.worm.d, Win32.Worm.Bropia.D, Win32/VB.NBI, Worm.Bropia.D, WORM_BROPIA.D

Detection Availability

Active Database / Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • The file iexplore.exe exists in the System folder.

  • In Windows 9x systems, the following blank files exist in the System folder:

    • cmd.exe
    • taskmgr.exe

  • One of the following files exists in the root folder of Drive C:

    • LOL.scr
    • Webcam.pif
    • hahahaha.pif
    • naked_drunk.pif
    • me_2005.pif
    • sister.pif
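
A host triage check for the file symptoms listed above, added here as an example and not Fortinet's code. The function names, the two directory arguments and the sample tree are assumptions constructed for illustration; a hit is a lead to investigate, not a verdict.

```python
import os
import tempfile

# File names taken from the symptom list above (compared case-insensitively).
LURE_NAMES = {"lol.scr", "webcam.pif", "hahahaha.pif",
              "naked_drunk.pif", "me_2005.pif", "sister.pif"}
BLANKED_TOOLS = {"cmd.exe", "taskmgr.exe"}
DROPPED_NAME = "iexplore.exe"


def scan_host(root_dir, system_dir):
    """Return sorted (indicator, path) findings for the two folders."""
    findings = []
    for entry in os.scandir(root_dir):
        if entry.is_file() and entry.name.lower() in LURE_NAMES:
            findings.append(("worm copy in drive root", entry.path))
    for entry in os.scandir(system_dir):
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if name == DROPPED_NAME:
            findings.append(("iexplore.exe in System folder", entry.path))
        elif name in BLANKED_TOOLS and entry.stat().st_size == 0:
            # Only zero-byte copies count: a non-empty cmd.exe or
            # taskmgr.exe is expected on NT-based systems.
            findings.append(("blank system tool", entry.path))
    return sorted(findings)


def demo():
    """Scan a constructed directory tree (sample data, not a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "C")
        system = os.path.join(root, "WINDOWS", "SYSTEM")
        os.makedirs(system)
        samples = {  # path -> constructed file content
            os.path.join(root, "Webcam.PIF"): b"MZ",
            os.path.join(root, "notes.txt"): b"unrelated",
            os.path.join(system, "iexplore.exe"): b"MZ",
            os.path.join(system, "cmd.exe"): b"",
            os.path.join(system, "taskmgr.exe"): b"MZ",
        }
        for path, content in samples.items():
            with open(path, "wb") as handle:
                handle.write(content)
        return [(label, os.path.basename(path))
                for label, path in scan_host(root, system)]


if __name__ == "__main__":
    for label, name in demo():
        print(f"{label}: {name}")
```
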

Detailed Analysis

  • This worm is written in Visual Basic.

  • Copies itself to the root folder of Drive C as any of the following:

    • LOL.scr
    • Webcam.pif
    • hahahaha.pif
    • naked_drunk.pif
    • me_2005.pif
    • sister.pif

  • Drops the file iexplore.exe in the System folder. This file is detected as W32/SDBot.AKO!worm.


    MSN Messenger Propagation

  • Sends a copy of itself to all MSN Messenger contacts.


    Backdoor and/or Trojan Behavior

  • Causes the following behavior in Windows NT-based systems:

    • Disables the right-click function of the mouse.

    • Prevents the following Windows programs from running:

      • cmd.exe
      • taskmgr.exe

      Note: In Windows 9x systems, these files are created in the System folder, presumably in a failed attempt to disable them.

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

Reference: ID - 166967