Sophos: W32/Bropia-P {Trend: WORM_BROPIA.S}

Discussion in 'malware problems & news' started by Randy_Bell, Feb 22, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Name W32/Bropia-P
    Type Worm
    How it spreads Chat programs
    Affected operating systems Windows

    Side effects:
    * Drops more malware
    * Leaves non-infected files on computer

    Aliases:
    WORM_BROPIA.S
    W32/Bropia.worm.q

    Protection available since 22 February 2005 09:44:09 (GMT)

    W32/Bropia-P is a worm for the Windows platform.

    The worm monitors the status of MSN Messenger and sends a copy of itself to Messenger contacts.

    W32/Bropia-P drops a file to the Windows system folder named winis.exe which is detected by Sophos's anti-virus products as W32/Rbot-WI.

    Further Technical Details: http://www.sophos.com/virusinfo/analyses/w32bropiap.html
     
  2. Randy_Bell
    TrendMicro: WORM_BROPIA.S

    Like the earlier BROPIA variants, this memory-resident worm spreads copies of itself via MSN messenger, a popular instant messaging application, using attractive file names.

    This worm arrives as a Win32 .EXE file. Upon execution, this non-encrypted, memory-resident worm drops another file which Trend Micro detects as WORM_RBOT.AOR.

    The dropped file can have the filename WINIS.EXE. Its attributes are set to hidden, system and read-only. After dropping, WORM_BROPIA.S executes this file.

    It drops a JPEG picture file in the root folder, which is usually C:\. It opens the image with Internet Explorer (IE).

    It also sets the attributes of this dropped file to read-only, hidden and system to avoid easy detection. After dropping, it executes this file and terminates itself.

    The worm propagates using MSN Messenger, a popular chat program. It sends its copy to all contacts found in the MSN Messenger application.

    Technical Details: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BROPIA.S&VSect=T
     
    Last edited: Feb 22, 2005
  3. Randy_Bell
    Symantec: W32.Bropia.P

    W32.Bropia.P is a worm that drops a variant of W32.Spybot.Worm and propagates using MSN Messenger.

    Some Technical Details:

    When W32.Bropia.P is executed, it performs the following actions:

    1. Drops the following file and executes it: C:\exe.exe
    Note: The dropped file is detected as a variant of W32.Spybot.Worm.

    2. Copies C:\exe.exe as: %System%\winis.exe
    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    3. Adds the value: "winis" = "winis.exe"
    to the following registry keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    HKEY_CURRENT_USER\Software\Microsoft\OLE
    HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa

    so that the variant of W32.Spybot.Worm is executed every time Windows starts.

    4. Drops C:\pic.jpg and displays the file using Internet Explorer.

    5. Attempts to send itself through MSN Messenger. The worm monitors for any change in the status of MSN Messenger contacts. The worm then sends commands to MSN Messenger, which prompts MSN Messenger to send a copy of the worm to the contacts whose status has changed. The message has the following characteristics:

    {Further Details and Removal Instructions at above link}.
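    The persistence step in the Symantec write-up above (a "winis" = "winis.exe" value written into the Run/RunServices keys and also into the OLE and Lsa keys) is the most useful host indicator in this thread. What follows is an added example, not part of the original post and not Symantec's, Sophos's or Trend Micro's tooling: a Python script that parses a `reg export`-style text dump and flags those values. The registry dump is constructed for the example and the function names are my own. It generalises slightly beyond the post: it matches any value under those keys whose data references the dropped filename (so a renamed value still trips it), and it separates the four keys Windows actually launches at startup from the OLE and Lsa keys, which are not autostart locations and where the value is only a marker of infection.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Keys W32.Bropia.P writes "winis"="winis.exe" into, per the Symantec write-up.
# True  = Windows launches the values in this key at boot/logon.
# False = not an autostart location; the value there only marks the infection.
BROPIA_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": True,
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices": True,
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": True,
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices": True,
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\OLE": False,
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa": False,
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE": False,
    r"HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa": False,
}
# reg export writes key names in whatever case the hive has (SOFTWARE, SYSTEM), so compare case-insensitively.
_WATCHED = {k.lower(): v for k, v in BROPIA_KEYS.items()}

DROPPED_NAME = "winis.exe"

# Constructed sample in the layout produced by `reg export`, with two benign
# values mixed in.  Not taken from a real infected host.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"winis"="winis.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winis"="winis.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE]
"EnableDCOM"="Y"
"winis"="winis.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,00
"winis"="winis.exe"
'''


class Finding(NamedTuple):
    key: str
    name: str
    data: str
    autostart: bool


# "name"=data  or  @=data (default value); the name may contain escaped quotes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(data: str) -> str:
    """Turn a quoted REG_SZ literal back into plain text (\\\\ -> \\, \\" -> ");
    leave hex:/dword: data exactly as written."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r'\\(.)', r'\1', data[1:-1])
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [key] / "name"=data layout of a .reg file into {key: {name: data}}.
    Multi-line hex data (lines ending in a backslash) is joined before parsing."""
    joined = re.sub(r'\\\r?\n\s*', '', text)
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else '@'
            keys[current][name] = _unescape(m.group(3))
    return keys


def find_bropia_persistence(reg: Dict[str, Dict[str, str]],
                            dropped_name: str = DROPPED_NAME) -> List[Finding]:
    """Return every value under the Bropia-written keys whose data references the
    dropped file, noting whether that key actually autostarts it."""
    hits: List[Finding] = []
    needle = dropped_name.lower()
    for key, values in reg.items():
        autostart = _WATCHED.get(key.lower())
        if autostart is None:
            continue  # a key this family does not touch
        for name, data in values.items():
            if needle in data.lower():
                hits.append(Finding(key, name, data, autostart))
    return hits


def scan_text(text: str, dropped_name: str = DROPPED_NAME) -> List[Finding]:
    """Convenience wrapper: parse a reg export and return the findings."""
    return find_bropia_persistence(parse_reg_export(text), dropped_name)


if __name__ == "__main__":
    for f in scan_text(SAMPLE_REG_EXPORT):
        kind = "AUTOSTART" if f.autostart else "marker"
        print(f"[{kind:9}] {f.key}\\{f.name} = {f.data}")
```

    On a live host the input would come from `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the other keys above) rather than the embedded sample; the two "AUTOSTART" hits are the ones that must be removed before reboot, while the OLE and Lsa markers are cleanup and a confirmation of which family was present.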
     