W32/Bropia.worm.p

Type: Virus
SubType: Worm
Discovery Date: 02/16/2005
Length: 30,720 bytes
Minimum DAT: 4430 (02/18/2005)
Updated DAT: 4910 (12/04/2006)
Minimum Engine: 5.1.00
Description Added: 02/18/2005
Description Modified: 02/25/2005 11:52 AM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update February 25, 2005 --
The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.
-- 
This new worm variant propagates through MSN Messenger. However, unlike previous variants, it does not drop the W32/Sdbot.worm.gen worm.

The worm drops a copy of itself into the C:\ directory using any of the following filenames:

  • c:\Beautiful A**.pif
  • c:\John Kerry as Super Chicken.scr
  • c:\Kool.pif
  • c:\Me & you pic!.pif
  • c:\Me P***ed!.pif
  • c:\sexy.pif
  • c:\She Could Fit her A** in a Teacup.pif
  • c:\she's f***in fit.pif
  • c:\titanic2.jpg.pif

(* replaces text)

A copy of the worm is dropped in %SysDir% as Isass.exe, where %SysDir% is either C:\Windows\System32 or C:\WinNT\System32.

The following registry keys are hooked to run the worm at startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Isass" = %SysDir%\Isass.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Isass" = %SysDir%\Isass.exe

The worm creates a mutex object on the infected machine using the name:

  • .:*-F*k-U-*:.

The following processes are disabled on the victim's machine to prevent the user from manually stopping and removing the worm:

  • Regedit.exe - registry editor
  • Mstask.exe - task manager
  • Msconfig.exe - configuration manager
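The artefacts listed above (the dropped files in C:\, the Isass.exe copy in %SysDir%, and the Run/RunServices values) are what a responder would look for on a suspect machine. The following is an added example, not McAfee's code or part of the original description: an offline Python check that scans a regedit-style export and a list of file paths for exactly those indicators. The '*' masking on the page is treated as a single-character wildcard, and the check keeps the distinction between the worm's "Isass.exe" (capital I) and the legitimate Windows "lsass.exe" (lower-case L), which differ by a letter rather than by case. All sample input is constructed.

```python
"""Offline IoC check for the W32/Bropia.worm.p artefacts listed in the advisory.

Added example, not McAfee's code. It scans a Windows registry export (.reg
text) and a list of file paths for the Run/RunServices entry and the dropped
files the description names. The sample inputs below are constructed.
"""
import re
from typing import Iterable, List

# Dropped filenames exactly as printed on the page. The page masks offensive
# words with '*', so each '*' is treated as a single-character wildcard here.
DROPPED_FILES = [
    r"c:\Beautiful A**.pif",
    r"c:\John Kerry as Super Chicken.scr",
    r"c:\Kool.pif",
    r"c:\Me & you pic!.pif",
    r"c:\Me P***ed!.pif",
    r"c:\sexy.pif",
    r"c:\She Could Fit her A** in a Teacup.pif",
    r"c:\she's f***in fit.pif",
    r"c:\titanic2.jpg.pif",
]
SYSDIRS = [r"C:\Windows\System32", r"C:\WinNT\System32"]
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# "Isass.exe" (capital I) is the worm's copy; "lsass.exe" (lower-case L) is the
# legitimate Local Security Authority process. Lower-casing for comparison is
# safe because NTFS and the registry ignore case, but 'i' and 'l' stay distinct.
WORM_EXE_PATHS = {(d + r"\Isass.exe").lower() for d in SYSDIRS}


def masked_name_to_regex(name: str) -> "re.Pattern[str]":
    """Turn a page-style masked filename into a case-insensitive regex."""
    body = "".join("." if ch == "*" else re.escape(ch) for ch in name)
    return re.compile("^" + body + "$", re.IGNORECASE)


FILE_PATTERNS = [masked_name_to_regex(n) for n in DROPPED_FILES] + [
    masked_name_to_regex(d + r"\Isass.exe") for d in SYSDIRS
]


def scan_reg_export(lines: Iterable[str]) -> List[str]:
    """Return 'key\\value -> data' strings for the worm's startup entries.

    Accepts the line format produced by regedit's export: a [KEY] header
    followed by "name"="data" lines, with backslashes doubled in data.
    """
    findings: List[str] = []
    current_key = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m or current_key is None:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if (current_key.lower() in RUN_KEYS
                and name.lower() == "isass"
                and data.lower() in WORM_EXE_PATHS):
            findings.append(f"{current_key}\\{name} -> {data}")
    return findings


def scan_file_list(paths: Iterable[str]) -> List[str]:
    """Return the paths that match a dropped-file name or the SysDir copy."""
    return [p for p in paths if any(pat.match(p) for pat in FILE_PATTERNS)]


# Constructed sample data (not captured from a real infection).
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Isass"="C:\\Windows\\System32\\Isass.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Isass"="C:\\Windows\\System32\\Isass.exe"
'''.strip().splitlines()

SAMPLE_FILES = [
    r"C:\Windows\System32\lsass.exe",  # legitimate, must not be flagged
    r"C:\Windows\System32\Isass.exe",  # worm copy (capital I)
    r"C:\holiday.jpg",
    r"C:\Kool.pif",
    r"C:\titanic2.jpg.pif",
]

if __name__ == "__main__":
    for hit in scan_reg_export(SAMPLE_REG_EXPORT) + scan_file_list(SAMPLE_FILES):
        print("IoC match:", hit)
```

On a real system the registry export would come from `regedit /e` of the two Run keys and the file list from a directory listing of C:\ and %SysDir%; the mutex name the page lists is not checked here because it is only visible to a live process-handle inspection.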

Symptoms

Upon executing, the worm tries to display an image from:

  • http://www.[blocked].com/lol_f***_you_lol/l0l_53xy_l0l.jpg

A web counter on the page is incremented each time it is accessed. However, at the time of writing, the image is unavailable.

Method of Infection

  • Received as an attachment through MSN Messenger
  • User would need to run the attachment manually in order to get infected.

Removal

All Users:
Use the latest engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Intrushield

The MSN file transfer associated with this threat can be detected by enabling the attack (0x40E04C00) 'IM: MSN (.NET) Messenger File Transfer'.

Variants

N/A
