Trend Alert: WORM_BROPIA.F

As of February 2, 2005, 6:55 PM (GMT - 08:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BROPIA.F. TrendLabs has received numerous infection reports indicating that this malware is spreading in the Bolivia, U.S., Korea, Taiwan, Mexico, and China.

This is a memory-resident worm that drops a copy of itself in the root folder using different interesting file names with a PIF extension. It attempts to propagate by sending copies of itself to all MSN Messenger contacts.

It also drops the file WINHOST.EXE in the Windows system folder. Trend Micro detects the said file as WORM_AGOBOT.AJC.

It has an anti-debugging technique, which enables it not to run if any of the following debugging applications are present on the affected system:
? NT-ice
? Softice

It also drops and displays an image file, named SEXY.JPG.


TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy 144
Official Pattern Release 2.390.00
Damage Cleanup Template 505


For more information on WORM_BROPIA.F, you can visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BROPIA.F

 

This worm caused a LiveUpdate for Norton, here is Symantec's writeup:
http://securityresponse.symantec.com/avcenter/venc/data/w32.bropia.j.html

W32.Bropia.J is a worm that propagates using MSN Messenger and drops a variant of W32.Spybot.Worm.

Also Known As: WORM_BROPIA.F [Trend Micro]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

 

Panda: If Messenger displays a chicken with bikini

- If your Messenger displays a chicken with a bikini, your PC
has been infected by the new Bropia.E and Gaobot.CTX worms -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)​

Madrid, February 3, 2005 - PandaLabs has detected Bropia.E and Gaobot.CTX, two malicious code that spread together. Bropia.E sends itself out using the instant messaging program MSN Messenger disguised as an image file with a variable name taken from a long list of options and a .pif or .scr extension. Some examples of the name of this file are: bedroom-thongs.pif, LMAO.pif or LOL.scr.

If the user runs the file, it displays a curious image -a roast chicken with a bikini- on screen. However, this image is just a cover up to hide the real actions carried out by the worm. This malicious code sends itself out to all the contacts in MSN Messenger and creates various files on the computer, including a file called winhost.exe, which actually contains the Gaobot.CTX worm.

Gaobot.CTX carries out the actions that pose the biggest threat to the computer, as it connects to IRC channels and waits for commands from a remote user. This allows a hacker to download all kinds of files to the affected computer: spyware, adware, other viruses, etc.

Panda Software clients who already have the new TruPrevent Technologies to combat unknown viruses and intruders installed have been protected from these files being downloaded to their computers, as these preventive technologies have been able to detect and block Gaobot.CTX without needing to be able to identify it first (more information about the new TruPrevent Technologies at http://www.pandasoftware.com/truprevent).

"As a rule of thumb, you should never open a file you receive through instant messaging systems without scanning it first with an updated antivirus. A growing number of viruses are using these applications to spread, and their biggest danger lies in the recipient running executable files without thinking twice, as they are sent from a known address. This also implies that there is risk of them spreading rapidly via instant messaging, leaving poorly protected networks vulnerable to becoming infected in a matter of seconds," warns Luis Corrons, head of PandaLabs.

As Panda Software's international tech support network has already detected incidents caused by this worm, Panda Software advises users to take precautions and update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect these new malicious code.

Panda Software's clients can already access the updates for installing the new TruPrevent Technologies along with their antivirus protection, providing a preventive layer of protection against new malicious code. For users with a different antivirus program installed, Panda TruPrevent Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection. More information about TruPrevent Technologies at http://www.pandasoftware.com/truprevent.

In addition, users can scan their computers online for free with Panda ActiveScan, available at http://www.pandasoftware.com/

More information about Bropia.E and Gaobot.CTX at Panda Software's Virus Encyclopedia, at http://www.pandasoftware.com/virus_info/encyclopedia/

 

TrendNewsLetter: Funky Chicken - WORM_BROPIA.F

On February 2 a Medium Risk alert was declared for WORM_BROPIA.F

, a memory-resident, non-destructive worm that propagates via MSN Messenger by sending a copy of itself using various file names, to all online contacts. The worm also drops the file SEXY.JPG which displays an image, and attempts to drop and execut a bot program. This worm is currently spreading in-the-wild. It infects computers running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this worm drops a copy of itself in the Windows system folder MSNUS.EXE. It also drops a copy of itself in the root folder (usually C:\) using any of the following file names:

* Bedroom-thongs.pif
* Hot.pif
* LMAO.pif
* LOL.scr
* Naked_drunk.pif
* New_webcam.pif
* ROFL.pif
* underware.pif
* Webcam.pif

It also drops and executes the file SEXY.JPG in the same folder. This .JPG file displays an image. The worm propagates via MSN Messenger by sending a copy of itself to all online contacts, using any of the file names listed above. It also attempts to propagate via Windows Messenger, however, the application automatically blocks the file transfer.

This worm attempts to drop and execute the file CZ.EXE in the root folder. If successfully dropped, the file CZ.EXE then drops and executes a copy of itself in the Windows system folder as WINHOST.EXE. However, it first checks whether any of the following malicious files already exist on the affected system:

* DNSSERV.EXE
* WINIS.EXE

If any of these files already exist, the worm will not drop the file WINHOST.EXE and will instead proceed with its propagation routine.

This worm also has an anti-debugging technique. It will not run if any of the following debugging applications are currently running on the affected system:

* NT-ice
* Softice

It is also capable of setting the affected system's volume levels to zero, which may be used to prevent users from hearing any sound prompts, especially those that may be coming from antivirus and security applications.

If you would like to scan your computer for WORM_BROPIA.F or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_BROPIA.F is detected and cleaned by Trend Micro pattern file #2.390.00 and above.