W32/Bropia.worm.g

Type
Virus
SubType
Internet Worm
Discovery Date
02/03/2005
Length
188,928 bytes
Minimum DAT
4426 (02/03/2005)
Updated DAT
4910 (12/04/2006)
Minimum Engine
5.1.00
Description Added
02/02/2005
Description Modified
02/03/2005 8:57 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a worm that propagates through MSN messenger and drops a variant of W32/Sdbot.worm.gen.t worm.

The worm drops a copy of itself into the C:\ directory using any of the following filenames:

  • LOL.scr
  • Webcam.pif
  • bedroom-thongs.pif
  • naked_drunk.pif
  • LMAO.pif
  • ROFL.pif
  • underware.pif
  • Hot.pif?
  • new_webcam.pif

A copy of the worm is dropped in %SYSDIR% as msnus.exe, where %SYSDIR% is either C:\windows\system32 or C:\winnt\system32.

The W32/Sdbot.worm.gen.t worm is dropped as c:\winnt\system32\winhost.exe (124,416 bytes). The specified DATs include detection for this dropped bot.

When executed, the bot runs stealthily in the background. It makes the following changes to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\OLE "win32" = winhost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "win32" = winhost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "win32" = winhost.exe

As with the multitude of other W32/Sdbot.worm variants, this one bears the following characteristics (the list is not exhaustive, just representative of some of the functionality the bot provides to the hacker):

  • connects to a remote IRC server (destination port xx TCP) to await remote commands
  • accepts remote commands that trigger functionality such as:
    • denial of service attack against remote machines
    • start FTP server
    • proxy (HTTP, SOCKS)
    • scan local subnet for machines to propagate to over the network. Specifically targets machines vulnerable to:
      • LSASS vulnerability
      • DComRPC vulnerability
      • Mydoom backdoor
      • Kuang backdoor
      • Netdevil backdoor
      • DameWare vulnerability
      • W32/Bagle backdoor
      • poorly secured machines (worm carries large list of usernames and passwords it attempts to brute force with)
  • run keylogger on victim machine
  • harvest data from victim machine. This includes:
    • passwords
    • keys/passwords for several applications, harvested by looking up the many Registry keys the worm carries
  • browse/kill/start/pause running processes

Symptoms

  • Upon executing this worm, an image is displayed. This image is saved as C:\sexy.jpg (38,804 bytes).

  • Existence of the above files and registry keys
  • The dropped W32/Sdbot.worm.gen.t bot tries to connect to the host freeupdate.homeip.net
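
The following PowerShell sweep is an added example, not part of the McAfee description: it checks a host for the file paths, the "win32" registry values and the C2 host name listed above and reports any hit. It assumes an elevated session on the host being examined, uses $env:SystemRoot to stand in for the C:\windows or C:\winnt parent of %SYSDIR%, and the DNS cache check relies on the DnsClient module (Windows 8 / Server 2012 or later), so it targets current Windows releases rather than the Windows 2000/XP systems this description dates from.

```powershell
# Added example (not from the McAfee description): sweep a Windows host for the
# file, registry and DNS-cache indicators listed for W32/Bropia.worm.g.
# Assumptions: elevated session on the host; $env:SystemRoot replaces the
# hard-coded C:\windows / C:\winnt parent of %SYSDIR%.

# Worm copies dropped into C:\ (the description lists "Hot.pif?"; the "?" is dropped here)
$dropNames = @('LOL.scr', 'Webcam.pif', 'bedroom-thongs.pif', 'naked_drunk.pif',
               'LMAO.pif', 'ROFL.pif', 'underware.pif', 'Hot.pif', 'new_webcam.pif')

$sysDir = Join-Path $env:SystemRoot 'system32'
$filePaths = @($dropNames | ForEach-Object { Join-Path 'C:\' $_ }) +
             @((Join-Path $sysDir 'msnus.exe'),    # worm copy in %SYSDIR%
               (Join-Path $sysDir 'winhost.exe'),  # dropped W32/Sdbot.worm.gen.t bot
               'C:\sexy.jpg')                      # decoy image written on execution

# Startup hooks the dropped bot sets as value name "win32"
$regKeys = @(
    'HKCU:\Software\Microsoft\OLE',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

$findings = @()

foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) {
        $size = (Get-Item -LiteralPath $p).Length
        $findings += [pscustomobject]@{ Type = 'File'; Indicator = $p; Detail = "size=$size bytes" }
    }
}

foreach ($k in $regKeys) {
    # Missing key or value simply yields $null
    $v = Get-ItemProperty -Path $k -Name 'win32' -ErrorAction SilentlyContinue
    if ($v -and ($v.win32 -match 'winhost\.exe')) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Indicator = "$k\win32"; Detail = $v.win32 }
    }
}

# Resolver cache entry for the bot's C2 host name; skipped where the DnsClient module is absent
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    $dns = Get-DnsClientCache | Where-Object { $_.Entry -like '*freeupdate.homeip.net*' }
    if ($dns) {
        $findings += [pscustomobject]@{ Type = 'DNS'; Indicator = 'freeupdate.homeip.net'; Detail = 'present in DNS client cache' }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Bropia.worm.g indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
    # Non-zero exit lets a scheduled sweep flag the host for cleaning with the specified engine and DAT
    exit 1
}
```

A hit on any indicator is a reason to run the specified engine and DAT combination, which removes both the files and the startup hooks; the script itself changes nothing on the host.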

Method of Infection

  • Received as an attachment through MSN Messenger
  • User would need to run the attachment manually in order to get infected.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Bropia.E (CA)
  • W32.Bropia.J (Symantec)
  • WORM_BROPIA.F (Trend)
