Bropia.J is a minor variant of Bropia.G worm. Like the previous variants,
it uses MSN messenger for spreading. It also drops a variant of Rbot
on the infected system.
When run, the worm checks for files
win32s.exe
winis.exe
svchosts.exe
iexplore.exe
This check is made to prevent the worm for installing it again on
infected system.
If the files are not found, it drops file "exe.exe" and executes it.
This file is a variant of Rbot. The bot can be used as a backdoor,
collecting system information, logging keystrokes, relaying spam and
for various other purposes.
Brobia.J also drops a file "pic.jpg" and opens it. On default installation
of Windows, the program associated with jpg-extension is usually Internet
Explorer. The picture presents a woman in light clothing.
MSN spreading
The worm attempts to send one of the following messages to MSN
Messenger contacts:
LOOK! <URL to worm> :-O
paris hilton got hacked!! <URL to worm> :D
Huge Turd hahaah! <URL to worm> :P
nice! <URL to worm> :P
ownage! <URL to worm> :D
Where <URL to worm> is a http-link to worm's file. Possible file names
in the URLs are
scary.pif
paris-hilton.pif
massive-turd.pif
sexy-pitch.pif
w00t!.pif
FUNNY-SHIT!.pif
The links are static addresses. At the time of this writing, the files
has been removed from the servers.
F-Secure Anti-Virus detects Brobia.J with the following update:
[FSAV_Database_Version]
Version=2005-02-22_01
Technical Details:
Jarkko Turkulainen, Feb 22rd, 2005;
F-Secure Corporation
