W32/Bropia.F!worm.im

Alias/es: W32/Agobot.AJC-tr, W32/BROPIA.F!worm, W32/Bropia.F-net, W32/BROPIA.F-wm, WORM_BROPIA.F [Trend]
Release Date: Feb 02, 2005
Detection Availability:

                 Active Database   Extended Database
    FortiGate    low               high
    FortiClient
    FortiMail    N/A
Current Antivirus Definition Database Version: 12.338
Description

Visible Symptoms

  • Possible firewall alert that the file "winhost.exe" is attempting to connect to the Internet

  • Attempts to use CMD.EXE are blocked on infected systems, and an error is displayed with this text -

    cmd
    (X) Another program is currently using this file.
    [OK]

  • The mouse right-click is disabled

  • Creation of these files -

    C:\LOL.scr
    C:\Winnt\System32\winhost.exe <= has hidden/system/read-only attributes

  • After opening an attachment from MS Messenger, a graphic file named "sexy.jpg" is shown depicting a glazed and cooked chicken with "bikini tan lines"

Detailed Analysis

This Internet worm tries to send itself to other MSN Messenger contacts using one of these possible file names -

Webcam.pif
naked_drunk.pif

This threat will also install an IRC bot as the file "winhost.exe". This bot is detected by the current AV database update as "W32/Rbot.AJC-net".


Loading at Windows Startup
After running this virus on a system, it will copy itself to the root of the boot drive as "LOL.scr". Next it will install "Rbot.AJC" to the System32 folder and register it to run at each Windows startup -

HKEY_CURRENT_USER\Software\Microsoft\OLE
"win32" = winhost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"win32" = winhost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"win32" = winhost.exe

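To check a registry export for the three autostart entries listed above, here is an added Python example (not Fortinet's code and not from this page) that parses the text of a `reg export` file (decoded from its UTF-16 form) and reports any of those keys carrying a "win32" value that names winhost.exe; the sample export is constructed.

```python
import re

# Autostart locations named in the advisory; each carries "win32" = winhost.exe
PERSISTENCE_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}
VALUE_NAME = "win32"
PAYLOAD = "winhost.exe"

SECTION_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\Path]
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')     # "name"="string data"


def parse_reg_export(text):
    """Parse .reg text (reg export output, already decoded to str) into
    {key_path: {value_name: data}}. Only REG_SZ values are kept; dword/hex
    lines and the default value (@=...) are ignored."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_bropia_persistence(text):
    """Return (key, data) pairs matching the advisory's autostart entries.
    Key paths match case-insensitively; the data may be a bare file name or a
    full path (.reg files double the backslashes, which the split absorbs)."""
    wanted = {k.lower() for k in PERSISTENCE_KEYS}
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in wanted:
            continue
        data = values.get(VALUE_NAME)
        if data is not None and re.split(r"[\\/]+", data)[-1].lower() == PAYLOAD:
            hits.append((key, data))
    return hits


# Constructed sample export: two bare-name entries, one full-path entry, and benign values
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"win32"="winhost.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"win32"="winhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"win32"="C:\\Winnt\\System32\\winhost.exe"
"Harmless"="notepad.exe"
"""

if __name__ == "__main__":
    for key, data in find_bropia_persistence(SAMPLE_EXPORT):
        print(f"suspect autostart: [{key}] \"{VALUE_NAME}\"=\"{data}\"")
```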

Rbot.AJC is packed with a file size of 124,416 bytes.


IRC Connection
"Rbot.AJC" will attempt to connect with a hard-coded IRC server and then await instructions from a malicious user.


Utility Blocking
This threat will monitor attempts to access two debugging utilities, CMD and Task Manager. The virus will prevent the infected system from running CMD.exe and TASKMGR.exe. It is possible to copy CMD.EXE as "Copy of CMD.exe" and then run the copy; the same workaround can be applied to Task Manager to allow use of this utility.
Description Last Updated Date: Feb 06, 2005
Reference: ID - 166962