Center for Information Technology Antivirus
Virus Alerts

W32.Bropia.j (AKA W32/Bropia.g.worm) Last Updated 02/03/05 11:43AM

CIT has been notified of an MSN Messenger virus called W32.Bropia.j. W32.Bropia.j propagates using MSN Messenger and drops a trojan on the machine.

W32.Bropia.j drops a copy of itself into the C:\ directory under any of the following filenames, for example:

  • LOL.scr
  • Webcam.pif
  • bedroom-thongs.pif
  • naked_drunk.pif
  • LMAO.pif
  • ROFL.pif
  • underware.pif
  • Hot.pif?
  • new_webcam.pif

A copy of the worm is dropped in either C:\windows\system32 or C:\winnt\system32 as msnus.exe.

When executed, W32.Bropia.j checks for the following files:

  • %System%\adaware.exe
  • %System%\VB6.EXE
  • %System%\lexplore.exe
  • %System%\Win32.exe

Note: %System% is a variable that refers to the System folder. By default this could be one of the following:
  • C:\Windows\System (Windows 95/98/Me)
  • C:\Winnt\System32 (Windows NT/2000)
  • C:\Windows\System32 (Windows XP)

If the above files are not present on the compromised computer, the file C:\cz.exe is dropped and executed. That file copies itself to %System%\winhost.exe and deletes C:\cz.exe.

So that the worm executes when Windows starts, W32/Bropia.j adds the value "win32"="winhost.exe" to the following registry keys:

  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\OLE

The W32.Bropia.j worm drops C:\sexy.jpg and opens it in a browser window, displaying the following image of a fried chicken:

[Image: w32.bropia.j.1.gif]

The W32.Bropia.j worm monitors for any changes in the status of MSN Messenger contacts. Once it has propagated, it sends commands to MSN Messenger prompting the program to send a copy of the worm to the contacts listed. It then sets audio levels to zero.
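
The file and registry indicators listed above, gathered into a triage check that runs over a collected file listing and a regedit-style registry export. This is an added example, not code from CIT, McAfee or Symantec; the function names, input formats and sample data are assumptions, and matching the registry value by file name goes slightly beyond the exact value given in the alert.

```python
import ntpath
import re

# Indicators copied from the alert above. "Hot.pif?" is left out because
# its exact spelling is unclear on the page.
ROOT_DROPS = {"lol.scr", "webcam.pif", "bedroom-thongs.pif", "naked_drunk.pif",
              "lmao.pif", "rofl.pif", "underware.pif", "new_webcam.pif",
              "cz.exe", "sexy.jpg"}
SYSTEM_DROPS = {"msnus.exe", "winhost.exe"}
SYSTEM_DIRS = {r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32"}
KEY_PREFIX = "hkey_local_machine\\software\\microsoft\\windows\\"
RUN_KEYS = {KEY_PREFIX + k for k in (r"currentversion\run", r"currentversion\runservices", "ole")}

def scan_paths(paths):
    """Return entries of a file listing that match a dropped-file indicator."""
    hits = []
    for raw in paths:
        folder, name = ntpath.split(ntpath.normpath(raw.strip()).lower())
        if (folder == "c:\\" and name in ROOT_DROPS) or \
           (folder in SYSTEM_DIRS and name in SYSTEM_DROPS):
            hits.append(raw.strip())
    return hits

def scan_reg_export(text):
    """Return keys of a regedit-style export that hold "win32"="winhost.exe"."""
    hits, key = [], ""
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        value = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if header:
            key = header.group(1)
        elif value and key.lower() in RUN_KEYS and value.group(1).lower() == "win32":
            # Compare the file name only, so a value holding a full path still matches.
            if ntpath.basename(value.group(2)).lower() == "winhost.exe":
                hits.append(key)
    return hits

# Constructed sample input (not taken from a real host).
SAMPLE_LISTING = [r"C:\Windows\System32\MSNUS.EXE", r"C:\naked_drunk.pif",
                  r"C:\Users\a\Desktop\LOL.scr", r"C:\Windows\System32\notepad.exe"]
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"win32"="winhost.exe"
"ctfmon"="ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"win32"="winhost.exe"
'''

if __name__ == "__main__":
    for hit in scan_paths(SAMPLE_LISTING) + scan_reg_export(SAMPLE_REG):
        print("indicator:", hit)
```

The Desktop copy of LOL.scr and the HKEY_CURRENT_USER entry are not reported, because the alert names only the C:\ directory and the three HKEY_LOCAL_MACHINE keys.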

The latest SuperDAT from McAfee will detect and remove W32/Bropia.g.worm.

Symantec virus definitions released 2/02/05 and later detect and remove W32/Bropia.j. Definitions are available through the LiveUpdate feature of Symantec Antivirus.

For more information see:

http://vil.nai.com/vil/content/v_131539.htm from McAfee.
http://securityresponse.symantec.com/avcenter/venc/data/w32.bropia.j.html from Symantec.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.

Contact NIH Help Desk for assistance:
866-319-4357 (toll free), 301-496-4357 (6-HELP) (local), 301-496-8294 (TDD)
http://ithelpdesk.nih.gov/support

Center for Information Technology
National Institutes of Health
Bethesda, Maryland 20892


Department of Health and Human Services
Washington, D.C. 20201