Bropia.A is a worm that uses MSN messenger for spreading by sending itself as "Drunk_lol.pif", "Webcam_004.pif", "sexy_bedroom.pif", "naked_party.pif" or "love_me.pif". It also drops a variant of Rbot on the infected computer.
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
When run, the worm checks files
adaware.exe VB6.EXE lexplore.exe Win32.exe
If these files are not found, it drops file
and executes it. This file is a variant of Rbot. When "oms.exe" is run, it copies itself as "lexplore.exe" and adds the following registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "lexplore" = "lexplore" [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices] "lexplore" = "lexplore"
This ensures that it will be executed at next system startup. The bot can be used as a backdoor, collecting system information, logging keystrokes, relaying spam and for various other purposes.Brobia.A can also disable mouse right button and manipulate Windows mixer volume settings.
The worm copies itself in C-directory using one of the following filenames:
Drunk_lol.pif Webcam_004.pif sexy_bedroom.pif naked_party.pif love_me.pif
Then it attempts to send this file using MSN messenger to all active MSN contacts. The MSN messenger window has to be open on the infected computer's desktop for this to be successful.
F-Secure Anti-Virus detects Brobia.A with the following update: