F-Secure Virus Descriptions : Bropia.A
Bropia.A is a worm that spreads through MSN Messenger by sending itself
as "Drunk_lol.pif", "Webcam_004.pif", "sexy_bedroom.pif", "naked_party.pif"
or "love_me.pif". It also drops a variant of Rbot on the infected computer.
When run, the worm checks for the following files:
adaware.exe
VB6.EXE
lexplore.exe
Win32.exe
If these files are not found, it drops the file
oms.exe
and executes it. This file is a variant of Rbot. When "oms.exe" is run,
it copies itself as "lexplore.exe" and adds the following registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"lexplore" = "lexplore"
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"lexplore" = "lexplore"
This ensures that it will be executed at the next system startup. The bot
can be used as a backdoor, for collecting system information, logging
keystrokes and relaying spam, and for various other purposes.
Bropia.A can also disable the right mouse button and manipulate Windows mixer
volume settings.
MSN spreading
The worm copies itself to the C:\ directory using one of the following
filenames:
Drunk_lol.pif
Webcam_004.pif
sexy_bedroom.pif
naked_party.pif
love_me.pif
Then it attempts to send this file through MSN Messenger to all active
MSN contacts. The MSN Messenger window has to be open on the infected
computer's desktop for this to succeed.
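A triage check built from the indicators listed above, as an added example that is not part of the original F-Secure description: it scans the text of a registry export and a file listing for the autorun values and file names named here. The function names and the sample input are constructed for illustration.

```python
import ntpath
import re

# Indicators taken from the description above; compared case-insensitively.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
DROPPED = {"oms.exe", "lexplore.exe"}
LURES = {"drunk_lol.pif", "webcam_004.pif", "sexy_bedroom.pif",
         "naked_party.pif", "love_me.pif"}
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')   # "name"="string data"

def scan_reg_export(text):
    """Return (key, value name) for each "lexplore"="lexplore" autorun entry."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                     # entering a new key section
        elif key and key.lower() in RUN_KEYS:
            m = VALUE_RE.match(line)
            if m and m.group(1).lower() == m.group(2).lower() == "lexplore":
                hits.append((key, m.group(1)))
    return hits

def scan_files(paths):
    """Label Windows paths whose base name is a dropped file or an MSN lure."""
    hits = []
    for path in paths:
        base = ntpath.basename(path).lower()
        if base in DROPPED:
            hits.append((path, "dropped Rbot file"))
        elif base in LURES:
            hits.append((path, "MSN lure copy"))
    return hits

# Constructed sample input, not captured from a real host.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"lexplore"="lexplore"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"lexplore"="lexplore"
[HKEY_CURRENT_USER\Software\Example]
"lexplore"="lexplore"
'''
SAMPLE_FILES = [r"C:\love_me.pif", r"C:\Temp\oms.exe", r"C:\WINDOWS\explorer.exe"]
if __name__ == "__main__":
    for hit in scan_reg_export(SAMPLE_REG) + scan_files(SAMPLE_FILES):
        print(hit)
```

`reg export` writes UTF-16 text, so decode the exported file with `encoding="utf-16"` before passing its contents to `scan_reg_export`.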
F-Secure Anti-Virus detects Bropia.A with the following update:
[FSAV_Database_Version]
Version=2005-01-20_01
Technical Details:
Jarkko Turkulainen, Jan 20th, 2005;
F-Secure Corporation