W32/Bropia.P!worm.im

Aliases: IM-Worm.Win32.Bropia.j [KAV], IM-Worm.Win32.VB.e, W32.Bropia.J, W32/Bropia.J-net, W32/Bropia.P-net, W32/Toni.A, WORM_BROPIA.S [Trend]
Release Date: Feb 25, 2005
Detection Availability (Active Database / Extended Database)
  • FortiGate: low / high
  • FortiClient
  • FortiMail: N/A
Current Antivirus Definition Database Version: 12.339
Description

Visible Symptoms

  • The following files exist in the root folder of Drive C: LOL.scr, Webcam.pif, bedroom-thongs.pif, naked_drunk.pif, ROFL.pif, underware.pif, Hot.pif and new_webcam.pif.
  • The file msnus.exe exists in the System folder.
  • An image of a fried chicken is shown.
  • Audio levels are set to 0.

Detailed Analysis

  • Sample is written in Visual Basic.

  • Copies itself to the System folder as msnus.exe.
  • Creates several copies of itself in the root folder of Drive C. The copies have the following filenames:

    • LOL.scr
    • Webcam.pif
    • bedroom-thongs.pif
    • naked_drunk.pif
    • ROFL.pif
    • underware.pif
    • Hot.pif
    • new_webcam.pif

  • May drop the file cz.exe to the root folder of Drive C. When dropped, it is copied to the System folder as winhost.exe, and then executed. This file is detected as W32/Rbot.hg-bdr.

  • Drops the file sexy.jpg and opens it in a browser window, showing an image of a fried chicken.

  • Attempts to send itself via MSN Messenger, and may monitor changes to the contact list.

  • Sets audio levels to 0.
Description Last Updated Date: Apr 11, 2006
Reference: ID - 166984