W32/Bropia.B!worm.im

Analysis

This is a slow-spreading Internet worm for MSN Messenger on Windows. The virus was coded in Visual Basic 6 and spreads to the contacts listed in the MSN Messenger contact list. It also carries an embedded copy of an RBot variant, which the current AV database update identifies as "W32/RBot.TX-net".
If the virus is received and run, it copies itself to the root of the C: drive. It then extracts a copy of an IRC backdoor to the System32 folder as "lexplore.exe".
MSN Messenger API Hook
The virus is coded in Visual Basic 6 and uses imports from an MSN Messenger API to manipulate the application and send a copy of itself to other users. It only targets installations of MSN Messenger stored at this path -
C:\Program Files\Messenger\msmsgs.exe
If MSN Messenger is not found at this location, the virus is unlikely to spread further. The virus uses the import "OMsn_OnContactStatusChange" as its trigger point: this callback directs the virus code to the routine that sends a copy of the virus to the other contacts listed in MSN Messenger. When a contact changes status, the virus targets that contact and sends a copy of itself in an instant message under one of these file names -
Drunk_lol.pif
Webcam_004.pif
sexy_bedroom.pif
naked_party.pif
love_me.pif

Loading at Windows startup
The IRC backdoor component is registered to run at each Windows startup through the following registry values -

HKEY_CURRENT_USER\Software\Microsoft\OLE
"lexplore" = lexplore.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"lexplore" = lexplore.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"lexplore" = lexplore.exe

Anti-debugging Routine
The virus attempts to block access to the command-line shell CMD.EXE, but only blocks one path to it. CMD.EXE is stored in the System32 folder; if the user needs it, the copy in the "dllcache" folder can be executed without incident.
The virus also blocks attempts to enumerate running tasks using Task Manager.

Recommended Action

  • Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR