
Virus Detail

Win32.Bropia.K

Date Published:
14 Feb 2005

Last Updated:
21 Feb 2005

Threat Assessment

Overall Risk: Low
Wild: Low
Destructiveness: Low
Pervasiveness: Medium

Characteristics

Type: Worm

Category: Win32

Also known as: Win32/Bropia.M!Worm, WORM_BROPIA.N (Trend), W32/Bropia.worm.n (McAfee), W32/Bropia-M (Sophos), IM-Worm.Win32.Bropia.f (Kaspersky)

Immediate Protection Info

 
Signature     Product
23.68.31      eTrust Antivirus v7/8* (InoculateIT Engine)
11.x/8932     eTrust Antivirus v7/8* (Vet Engine)
6.1x/6070     eTrust EZ Antivirus 6.1x
6.2x/8932     eTrust EZ Antivirus 6.2x
6.3x/8932     eTrust EZ Antivirus 6.3x
6.4x/8932     eTrust EZ Antivirus 6.4x
7.x/8932      eTrust EZ Antivirus 7.x
10.6x/8932    Vet Anti-Virus 10.6x
 
 
 

Description

Win32.Bropia.K is a worm that spreads via MSN Messenger. It may also be able to spread using Windows Messenger.


Method of Infection

When executed, Bropia.K copies itself to %System%\Isass.exe and modifies the registry to execute this file at each Windows start. The worm modifies one of the following entries, selected at random:


  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvMsnW = "%System%\Isass.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Anti = "%System%\Isass.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Isass = "%System%\Isass.exe"

Bropia.K also adds the same selected value to the RunServices key:


  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\NvMsnW = "%System%\Isass.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Anti = "%System%\Isass.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Isass = "%System%\Isass.exe"


Bropia.K copies itself to the root directory of the current drive (usually c:\) with the following file names:


Beautiful Ass.pif
John Kerry as Super Chicken.scr
Kool.pif
Me & you pic!.pif
Me Pissed!.pif
sexy.pif
She Could Fit her Ass in a Teacup.pif
she's fuckin fit.pif
titanic2.jpg.pif


The worm drops an HTML web page with the title ".:*-l0l-53xy-l0l-*:." in the current directory as "l0l_53xy_l0l.html" and then attempts to open it using Internet Explorer. This page displays a racist message.
Note: This will fail if IE is not installed on the system.


Bropia.K also runs in a hidden window and uses the mutex ".:*-Fuk-U-*:." to avoid running multiple copies of itself simultaneously.
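As an added example (not part of the original advisory or of any CA tooling), the following Python checks saved `reg query` output and a drive-root file listing against the registry values and file names listed above. It assumes %System% stands for the Windows system directory, passed in as `system_dir`; the function names and the sample data are constructed for illustration.

```python
import ntpath
import re

# Indicators copied from the advisory text above (compared case-insensitively).
BASE = r"hkey_local_machine\software\microsoft\windows\currentversion" + "\\"
RUN_KEYS = {BASE + "run", BASE + "runservices"}
VALUE_NAMES = {"nvmsnw", "anti", "isass"}
# Capital "I": not the legitimate Windows file lsass.exe (lowercase "L").
PAYLOAD_NAME = "isass.exe"
DROPPED_NAMES = {n.lower() for n in (
    "Beautiful Ass.pif", "John Kerry as Super Chicken.scr", "Kool.pif",
    "Me & you pic!.pif", "Me Pissed!.pif", "sexy.pif",
    "She Could Fit her Ass in a Teacup.pif", "she's fuckin fit.pif",
    "titanic2.jpg.pif", "l0l_53xy_l0l.html",
)}
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")


def find_autoruns(reg_query_text, system_dir):
    """Return (key, value name, data) for autorun values matching the advisory."""
    hits, key = [], None
    for line in reg_query_text.splitlines():
        if line.upper().startswith("HKEY_"):   # key header line
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or key.lower() not in RUN_KEYS:
            continue
        data = m["data"].strip().strip('"')
        folder, exe = ntpath.split(data)
        if (m["name"].lower() in VALUE_NAMES
                and exe.lower() == PAYLOAD_NAME
                and folder.lower() == system_dir.lower().rstrip("\\")):
            hits.append((key, m["name"], data))
    return hits


def find_dropped(root_listing):
    """Return names from a drive-root listing that match the dropped files."""
    return [n for n in root_listing if n.strip().lower() in DROPPED_NAMES]


# Constructed sample of `reg query` output; the system path is an assumption.
SAMPLE = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    NvMsnW    REG_SZ    C:\\WINDOWS\\system32\\Isass.exe\n"
    "    Updater    REG_SZ    C:\\WINDOWS\\system32\\lsass.exe\n"
)
print(find_autoruns(SAMPLE, r"C:\WINDOWS\system32"))
```

A match requires all three conditions (value name, file name and system directory), so an unrelated autorun entry that merely points at lsass.exe is not reported.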



Method of Distribution

Via MSN Messenger

If MSN Messenger is installed in the default install directory, C:\Program Files\Messenger\, Bropia.K attempts to spread using one of the files it previously created in the root of the current drive:


Beautiful Ass.pif
John Kerry as Super Chicken.scr
Kool.pif
Me & you pic!.pif
Me Pissed!.pif
sexy.pif
She Could Fit her Ass in a Teacup.pif
she's fuckin fit.pif
titanic2.jpg.pif


While attempting to spread, Bropia.K swaps the user's mouse buttons. When Bropia has finished spreading, the worm resets the buttons' functions to the 'normal' default setting (users with non-standard mouse button function settings will not have their settings restored).


Bropia searches for open Messenger windows. For each window found, it hides the window from the user's view, and sends a copy of itself to the remote contact.


Note: Bropia.K does not make the window visible again, so it will appear to the user that the window just closed itself. This allows Bropia to perform the file transfer uninterrupted and undetected.



Payload

Terminates Processes

Bropia.K terminates the following processes on an affected machine:


  • msconfig.exe
  • regedit.exe
  • taskmgr.exe

Analysis by Paul Taylor


