Bropia.A is a worm that uses MSN messenger for spreading by sending itself as "Drunk_lol.pif", "Webcam_004.pif", "sexy_bedroom.pif", "naked_party.pif" or "love_me.pif". It also drops a variant of Rbot on the infected computer.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
When run, the worm checks files
adaware.exe VB6.EXE lexplore.exe Win32.exe
If these files are not found, it drops file
and executes it. This file is a variant of Rbot. When "oms.exe" is run, it copies itself as "lexplore.exe" and adds the following registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "lexplore" = "lexplore" [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices] "lexplore" = "lexplore"
This ensures that it will be executed at next system startup. The bot can be used as a backdoor, collecting system information, logging keystrokes, relaying spam and for various other purposes.Brobia.A can also disable mouse right button and manipulate Windows mixer volume settings.
The worm copies itself in C-directory using one of the following filenames:
Drunk_lol.pif Webcam_004.pif sexy_bedroom.pif naked_party.pif love_me.pif
Then it attempts to send this file using MSN messenger to all active MSN contacts. The MSN messenger window has to be open on the infected computer's desktop for this to be successful.
F-Secure Anti-Virus detects Brobia.A with the following update:
Technical Details: Jarkko Turkulainen, Jan 20th, 2005