Sophos: W32/Bropia-P {Trend: WORM_BROPIA.S}

Name W32/Bropia-P
Type Worm
How it spreads Chat programs
Affected operating systems Windows

Side effects:
* Drops more malware
* Leaves non-infected files on computer

Aliases:
WORM_BROPIA.S
W32/Bropia.worm.q

Protection available since 22 February 2005 09:44:09 (GMT)

W32/Bropia-P is a worm for the Windows platform.

The worm monitors the status of MSN Messenger and sends a copy of itself to Messenger contacts.

W32/Bropia-P drops a file to the Windows system folder named winis.exe which is detected by Sophos's anti-virus products as W32/Rbot-WI.

Further Technical Details: http://www.sophos.com/virusinfo/analyses/w32bropiap.html

 

TrendMicro: WORM_BROPIA.S

TrendMicro: WORM_BROPIA.S

Like the earlier BROPIA variants, this memory-resident worm spreads copies of itself via MSN messenger, a popular instant messaging application, using attractive file names.

This worm arrives as a Win32 .EXE file. Upon execution, this non-encrypted, memory-resident worm drops another file which Trend Micro detects as WORM_RBOT.AOR.

The dropped file can have the filename WINIS.EXE. Its attributes are set to hidden, system and read-only. After dropping, WORM_BROPIA.S executes this file.

It drops a JPEG picture file in the root folder, which is usually C:\. It opens the image with Internet Explorer (IE).

It also sets the attributes of this dropped file to read-only, hidden and system to avoid easy detection. After dropping, it executes this file and terminates itself.

The worm propagates using MSN Messenger, a popular chat program. It sends its copy to all contacts found in the MSN Messenger application.

Technical Details: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BROPIA.S&VSect=T

 

Symantec: W32.Bropia.P

Symantec: W32.Bropia.P

W32.Bropia.P is a worm that drops a variant of W32.Spybot.Worm and propagates using MSN Messenger.

Some Technical Details:

When W32.Bropia.P is executed, it performs the following actions:

1. Drops the following file and executes it: C:\exe.exe
Note: The dropped file is detected as a variant of W32.Spybot.Worm.

2. Copies C:\exe.exe as: %System%\winis.exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

3. Adds the value: "winis" = "winis.exe"
to the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa

so that the variant of W32.Spybot.Worm is executed every time Windows starts.

4. Drops C:\pic.jpg and displays the file using Internet Explorer.

5. Attempts to send itself through MSN Messenger. The worm monitors for any change in the status of MSN Messenger contacts. The worm then sends commands to MSN Messenger, which prompts MSN Messenger to send a copy of the worm to the contacts whose status has changed. The message has the following characteristics:

{Further Details and Removal Instructions at above link}.