Threat Description

Bropia.A

Details

Aliases: Bropia.A, IM-Worm.Win32.VB.a
Category: Malware
Type: Worm
Platform: W32

Summary



Bropia.A is a worm that uses MSN messenger for spreading by sending itself as "Drunk_lol.pif", "Webcam_004.pif", "sexy_bedroom.pif", "naked_party.pif" or "love_me.pif". It also drops a variant of Rbot on the infected computer.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



When run, the worm checks files

adaware.exe
 VB6.EXE
 lexplore.exe
 Win32.exe

If these files are not found, it drops file

oms.exe

and executes it. This file is a variant of Rbot. When "oms.exe" is run, it copies itself as "lexplore.exe" and adds the following registry keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "lexplore" = "lexplore"
 [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
 "lexplore" = "lexplore"

This ensures that it will be executed at next system startup. The bot can be used as a backdoor, collecting system information, logging keystrokes, relaying spam and for various other purposes.Brobia.A can also disable mouse right button and manipulate Windows mixer volume settings.

MSN spreading

The worm copies itself in C-directory using one of the following filenames:

Drunk_lol.pif
 Webcam_004.pif
 sexy_bedroom.pif
 naked_party.pif
 love_me.pif

Then it attempts to send this file using MSN messenger to all active MSN contacts. The MSN messenger window has to be open on the infected computer's desktop for this to be successful.



Detection


F-Secure Anti-Virus detects Brobia.A with the following update:
Database: 2005-01-20_01



Technical Details: Jarkko Turkulainen, Jan 20th, 2005


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Disinfect your PC

F-Secure Anti-Virus will disinfect your PC and remove all harmful files

Learn More