Category :


Type :


Aliases :

Bropia.F, W32/Bropia.F, IM-Worm.Win32.Exir.a


Bropia.F is a minor variant of Bropia.A. Like the previous variants, it uses MSN messenger for spreading. It also drops a variant of Rbot on the infected system.


Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

When run, the worm copies itself as "msnus.exe" in the Windows system directory. Then it checks files:


If these files are not found, it drops file "cz.exe" and executes it. This file is a variant of Rbot. When "cz.exe" is run, it copies itself as "winhost.exe" in the Windows system directory and adds the following registry keys:

"win32" = "%SysDir%\winhost.exe"

This ensures that it will be executed at next system startup. The bot can be used as a backdoor, collecting system information, logging keystrokes, relaying spam and for various other purposes.Brobia.F also drops a file "sexy.jpg" and opens it. On default installation of Windows, the program associated with jpg-extension is usually Internet Explorer. When opened with Internet Explorer, the picture looks like this:

MSN spreading

The worm copies itself in C-directory using one of the following filenames:


Then it attempts to send this file using MSN messenger to all active MSN contacts. The recipient has to accept and open the file to get infected by the worm.