
Bropia

W32.Bropia.j (AKA W32/Bropia.g.worm) Last Updated 02/03/05 11:43AM

CIT has been notified of an MSN Messenger virus called W32.Bropia.j. W32.Bropia.j propagates using MSN Messenger and drops a trojan on the machine.

W32.Bropia.j drops a copy of itself into the C:\ directory and will use any of the following filenames:

Example:

  • LOL.scr
  • Webcam.pif
  • bedroom-thongs.pif
  • naked_drunk.pif
  • LMAO.pif
  • ROFL.pif
  • underware.pif
  • Hot.pif?
  • new_webcam.pif

A copy of the worm is dropped in either C:\windows\system32 or C:\winnt\system32 as msnus.exe.

When executed, W32.Bropia.j checks for the presence of the following files:

  • %System%\adaware.exe
  • %System%\VB6.EXE
  • %System%\lexplore.exe
  • %System%\Win32.exe

Note: %System% is a variable that refers to the System folder. By default this could be one of the following:
  • C:\Windows\System (Windows 95/98/Me)
  • C:\Winnt\System32 (Windows NT/2000)
  • C:\Windows\System32 (Windows XP)

If the above files are not present on the compromised computer, then the file C:\cz.exe will be dropped and executed. The file will copy itself to %System%\winhost.exe and delete C:\cz.exe.

W32/Bropia.j will add the value "win32"="winhost.exe" to the following registry keys, so that the worm will execute when Windows is started:

  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\OLE

The W32.Bropia.j worm will drop the file C:\sexy.jpg and open it in a browser window, displaying an image of a fried chicken.

W32.Bropia.j worm monitors for any changes in the status of MSN Messenger contacts. Once it has propagated it will send commands to MSN Messenger prompting the program to send a copy of the worm to the contacts listed. It will then set audio levels to zero.

The latest SuperDAT from McAfee will detect and remove W32/Bropia.g.worm.

Symantec virus definitions released 2/02/05 and later detect and remove W32/Bropia.j. Definitions are available through the LiveUpdate feature of Symantec Antivirus.
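
To triage a file listing and a registry export collected from a suspect machine against the file names and registry value described above, a check along these lines can be used. This is an added example, not part of the original advisory or of any vendor tool; the function names, the tuple input format and the sample data are assumptions constructed for illustration, and all three default %System% locations are checked for both dropped executables.

```python
import ntpath

# Indicators copied from the advisory. Comparisons are case-insensitive
# because Windows file and registry names are.
ROOT_DROPS = {"lol.scr", "webcam.pif", "bedroom-thongs.pif", "naked_drunk.pif",
              "lmao.pif", "rofl.pif", "underware.pif", "new_webcam.pif",
              "hot.pif",  # listed as "Hot.pif?"; '?' is not valid in a file name
              "cz.exe", "sexy.jpg"}
SYSTEM_DROPS = {"msnus.exe", "winhost.exe"}
# Default %System% locations from the advisory's note.
SYSTEM_DIRS = {r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32"}
HKLM = "hkey_local_machine\\software\\microsoft\\windows\\"
RUN_KEYS = {HKLM + r"currentversion\run", HKLM + r"currentversion\runservices",
            HKLM + "ole"}


def match_files(paths):
    """Return the paths that match a file indicator, in input order."""
    hits = []
    for p in paths:
        folder, name = ntpath.split(ntpath.normpath(p.strip()).lower())
        if (folder == "c:\\" and name in ROOT_DROPS) or (
                folder in SYSTEM_DIRS and name in SYSTEM_DROPS):
            hits.append(p)
    return hits


def match_registry(values):
    """values: (key, value_name, data) tuples, e.g. parsed from a .reg export."""
    hits = []
    for key, name, data in values:
        exe = ntpath.basename(data.strip().strip('"')).lower()
        if (key.rstrip("\\").lower() in RUN_KEYS and name.lower() == "win32"
                and exe == "winhost.exe"):
            hits.append((key, name, data))
    return hits


# Constructed sample triage data (not from a real host).
SAMPLE_FILES = [r"C:\LMAO.PIF", r"C:\WINNT\system32\MSNUS.EXE",
                r"C:\Windows\System32\winhost.exe", r"C:\Users\a\lol.scr",
                r"C:\Windows\System32\notepad.exe"]
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_REG = [(RUN, "win32", r"C:\WINDOWS\System32\winhost.exe"),
              (RUN, "ctfmon", "ctfmon.exe")]

if __name__ == "__main__":
    print(match_files(SAMPLE_FILES))
    print(match_registry(SAMPLE_REG))
```

The file check matches the listed names only in the locations the advisory gives, so a file called lol.scr elsewhere on disk is not reported.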

For more information see:

From McAfee.
From Symantec.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.


This page last reviewed: September 12, 2008