Immediate Protection Info
| Signature | Product | Removal Instructions |
|---|---|---|
| 28.68.06 | eTrust Antivirus v7/8* (InoculateIT Engine) | |
| 11.x/8881 | eTrust Antivirus v7/8* (Vet Engine) | |
| 6.1x/6021 | eTrust EZ Antivirus 6.1x | |
| 6.2x/8881 | eTrust EZ Antivirus 6.2x | |
| 6.3x/8881 | eTrust EZ Antivirus 6.3x | |
| 6.4x/8881 | eTrust EZ Antivirus 6.4x | |
| 7.x/8881 | eTrust EZ Antivirus 7.x | |
| 10.6x/8881 | Vet Anti-Virus 10.6x | |
Description
Win32.Bropia.A is a worm that spreads via MSN Messenger. It may also be able to spread using Windows Messenger. It drops a variant of the Rbot worm family, Win32/Rbot.BMB.
Method of Infection
When run, Bropia.A creates two files in the root directory of the current drive (usually c:\). The first file is a copy of the worm itself, using one of the following file names:
- Drunk_lol.pif
- Webcam_004.pif
- sexy_bedroom.pif
- naked_party.pif
- love_me.pif
The second file is called "oms.exe", and is a variant of the Rbot worm family, called Win32/Rbot.BMB. For more information on Win32/Rbot, please see elsewhere in our encyclopedia.
Bropia.A does not install itself in any other way; it will not run automatically when Windows is restarted.
Method of Distribution
Via MSN Messenger
Bropia.A spreads by sending itself to contacts using MSN Messenger. We have received reports that it can spread using either MSN Messenger or Windows Messenger, both on internal networks and the Microsoft .NET Messenger service.
It sends itself using one of the following names:
- Drunk_lol.pif
- Webcam_004.pif
- sexy_bedroom.pif
- naked_party.pif
- love_me.pif
Payload
Installs Additional Malware
Bropia.A drops and executes a file called "oms.exe", which is a worm and IRC bot called Win32/Rbot.BMB. If any of the following files exist, however, it will not drop Rbot.BMB:
- %System%\adaware.exe
- %System%\VB6.EXE
- %System%\lexplore.exe
- %System%\Win32.exe
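A name-based triage check built from the indicators in this entry, added here as an example and not part of the original write-up or any eTrust tooling: it looks for the worm's copies and oms.exe in a drive root, and uses the %System% file list above to explain a worm copy that has no Rbot file beside it. The function names, verdict labels and the System32 default are assumptions; a name match is a lead to confirm with a scanner, not a detection.

```python
import os

# File names from this entry; Windows paths are case-insensitive, so compare lower-cased.
WORM_COPIES = {"drunk_lol.pif", "webcam_004.pif", "sexy_bedroom.pif",
               "naked_party.pif", "love_me.pif"}
DROPPED_BOT = "oms.exe"  # Win32/Rbot.BMB, written to the drive root
DROP_BLOCKERS = {"adaware.exe", "vb6.exe", "lexplore.exe", "win32.exe"}  # in %System%


def _names(directory):
    """Map lower-cased file name -> real path for regular files in a directory."""
    found = {}
    try:
        for entry in os.scandir(directory):
            if entry.is_file(follow_symlinks=False):
                found[entry.name.lower()] = entry.path
    except OSError:
        pass  # missing or unreadable directory contributes no indicators
    return found


def triage(drive_root, system_dir):
    """Classify a host (or mounted image) by the file indicators described above."""
    root, system = _names(drive_root), _names(system_dir)
    copies = sorted(root[n] for n in WORM_COPIES if n in root)
    bot = root.get(DROPPED_BOT)
    blockers = sorted(system[n] for n in DROP_BLOCKERS if n in system)
    if bot:
        verdict = "rbot-dropped"                    # worm ran and dropped oms.exe
    elif copies and blockers:
        verdict = "worm-copy-only-drop-suppressed"  # blocker file explains missing oms.exe
    elif copies:
        verdict = "worm-copy-only"                  # copy present, no drop seen
    else:
        verdict = "no-indicators"
    return {"verdict": verdict, "worm_copies": copies,
            "rbot_file": bot, "drop_blockers": blockers}


if __name__ == "__main__":
    # Assumption: %System% resolves to <SystemRoot>\System32 on the host being checked.
    sysroot = os.environ.get("SystemRoot", r"C:\Windows")
    print(triage("C:\\", os.path.join(sysroot, "System32")))
```

Both arguments can point into a mounted disk image instead of the live system, which avoids the locked cmd.exe and Task Manager described under Modifies System Settings.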
Modifies System Settings
Bropia.A also attempts to stop the user from running several programs, such as Windows Task Manager. It disables the right mouse button and the Ctrl-Alt-Delete key combination. It also opens the files %System%\cmd.exe and %System%\taskmgr.exe and locks them, so they cannot be executed.
The worm also sets the audio volume to zero.
Analysis by Hamish O'Dea