Are we protected against Bropia?

New Worm Piggybacks on MSN Messaging

New Worm Piggybacks on MSN Messaging By Erika Morphy
NewsFactor Network
January 24, 2005 11:07AM

A new worm called "Bropia.A" spreads through the MSN Messenger and Windows Messenger instant messaging clients, security firms report. The worm loads a Trojan horse that can log keystrokes, collect system information and spread IM spam. See Complete Story


A new worm is traveling through the MSN network, piggybacking on MSN Messenger and Windows Messenger IM client applications.

Called "Bropia.A," the worm sends a copy of itself to all contacts in MSN Messenger and Windows Messenger instant messaging Latest News about instant messaging client applications. It then downloads a Trojan horse program, Rbot, which opens a back door into Windows systems.

The Trojan horse application can then log the keystrokes of the user, collect system information, and spread spam (or "SPIM," as it is called) on instant messaging networks, security Latest News about Security firms report. It also disables the right mouse button of the infected machine to block access to context-sensitive menus, and makes changes to Windows volume settings.

Targeting IM

Bropia.A is the latest indication that hackers and spammers no longer are content with spreading malware through e-mail. Akonix, one of the security firms that first sounded the alarm about Bropia, says spim is a growing concern for enterprises, even though its propagation is minuscule compared to spam.

"Unmanaged public instant messaging is quickly becoming one of the most easily exploitable threat vectors into the enterprise," said CEO Peter Shaw. "The Bropia.A worm is just the latest in a series of attacks that are targeting IM, and organizations are quickly realizing that connecting to public instant messaging networks without an IM security and management gateway in place is analogous to connecting to the Internet without a firewall."

Not So Funny

This is not the first time MSN Messenger has been targeted. Last October, the W32/Funner worm spread across the MSN Messenger network sending users a message and attachment that, if opened, infected the machine by installing to its registry and then replicating itself. Funner worm caused hardly any damage, since it was relatively easy to contain.

But few expect the situation to remain static. Most security and AV software providers believe that IM viruses -- like the viruses that have attempted to targetmobile phones Latest News about mobile phones -- eventually will spread in the wild like e-mail worms do. The virus writers are quite aware that IM is the low-hanging fruit in terms of easy exploitation, Sophos security analyst Greg Mastoras tells NewsFactor, and thus they will try and try again.

 

Samples have been submitted and Eset are working on an update as we speak.

Cheers

 

A further update, in fact we are protected, Nod32 detects it Heuristically, so yet again Nod32 shines

 

NOD32 detect this using signatures too as Win32/VB.NBF.

 

I think NOD32 doesn't detect Bropia worm by its heuristics.

In the early morning of 1/20/2005 (asian time) many of my (careless) friends got infected by Bropia worm came via MSN. They use McAfee, Norton, NOD32, Avast, AVG as far as I know all these AVs fail to detect Bropia worm at the first place and seems that Kaspersky is the only AV that can deal with this worm at that moment.

http://www.sarc.com/avcenter/venc/data/w32.bropia.html

 

Indeed it did, and indeed it does

 

Good to know that NOD32 is looking out for us.

 

I think NOD32 doesn't detect Bropia worm by its heuristics.

In the early morning of 1/20/2005 (asian time) many of my (careless) friends got infected by Bropia worm came via MSN. They use McAfee, Norton, NOD32
---------------------------

I would like a little more elaboration on this...he says NOD32 did NOT detect it.

Saying NOD32 "detected it and indeed it does" is not sufficient. Symantec had definitions on Jan 19th....when DID NOD32 detect it exactly? Saying it detected it heuristically goes against what the OP said.....wasnt' detected by NOD32. (Of course we don't know what settings were used for NOD32).


Also, why was Blackspears post edited by another mod?

 

There was a screenshot that showed that Nod32 indeed caught it Heuristically.

The screenshot was removed, as it was not supposed to be shown (I wasn’t aware of this, now I am).

 

There are screenshots posted in this forum all the time! Why was the screenshot removed?

 

Only screenshots containing links to real viruses and those containing confidential information are removed.

 

So are we protected against it?

 

Yes, we are.

 

Not for the latest release.

Can Eset release protection for Bropia-M please, we have a machine that was infected and it was fairly difficult to remove it. The virus seems to also have a bug as it managed to stop windows from booting, though that could have been by design! So far I've only found Sophos have an update for it http://www.sophos.com/virusinfo/analyses/w32bropiam.html