This application requires Javascript for optimal performance.

W32/Bropia.P!worm.im - Released Feb 25, 2005 - Last Updated Apr 11, 2006

Alias/es

IM-Worm.Win32.Bropia.j [KAV], IM-Worm.Win32.VB.e, W32.Bropia.J, W32/Bropia.J-net, W32/Bropia.P-net, W32/Toni.A, WORM_BROPIA.S [Trend]

Detection Availability

Active DatabaseExtended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • The following files exist in the root folder of Drive C: LOL.scr, Webcam.pif, bedroom-thongs.pif, naked_drunk.pif, ROFL.pif, underware.pif, Hot.pif and new_webcam.pif.
  • The file msnus.exe exists in the System folder.
  • An image of a fried chicken is shown.
  • Audio levels are set to 0.

Detailed Analysis

  • Sample is written in Visual Basic.

  • Copies itself to the System folder as msnus.exe.

  • Creates several copies of itself to the root folder of Drive C. The copies have the following filenames:

    • LOL.scr
    • Webcam.pif
    • bedroom-thongs.pif
    • naked_drunk.pif
    • ROFL.pif
    • underware.pif
    • Hot.pif
    • new_webcam.pif

  • May drop the file cz.exe to the root folder of Drive C. When dropped, it is copied to the System folder as winhost.exe, and then executed. This file is detected as W32/Rbot.hg-bdr.

  • Drops the file sexy.jpg and opens it in a browser window, showing an image of a fried chicken.

  • Attempts to send itself via MSN messenger, and may monitor changes to the contact list.

  • Sets audio levels to 0.

Recommended Action

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option

Reference: ID - 166984