IM-Worm.Win32.Bropia.aj
| Alert Level : | Medium |
| Discovered: | Feb 08 2005 |
| Tag: | IM Worm |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This worm spreads via the Internet using MSN Messenger. It is written in Visual Basic and is approximately 200 KB in size.
The worm contains a backdoor program, Backdoor.Win32.Rbot.hg, which it will extract from itself and launch on the victim machine.
Installation
Once launched, the worm copies itself to the root directory (as a rule, C:\) under one of the following names:
- bedroom-thongs.pif
- Hot.pif
- LMAO.pif
- LOL.scr
- naked_drunk.pif
- new_webcam.pif
- ROFL.pif
- underware.pif
- Webcam.pif
The worm also copies itself to the Windows system directory as "msnus.exe":
%System%\msnus.exe
The worm searches for the following files:
- dnsserv.exe
- winhost.exe
- winis.exe
If these files are not found, IM-Worm.Win32.VB.e drops the file "cz.exe" and executes it. This file is a backdoor. Kaspersky Anti-Virus will detect this component as Backdoor.Win32.Rbot.hg.
When "cz.exe" is run, it copies itself as "winhost.exe" to the Windows system directory.
Then it registers itself in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\Software\Microsoft\OLE]
"win32" = "winhost.exe"
The worm also creates the file "sexy.jpg" in the root directory and opens it, displaying the following image:
Propagation via MSN
When launched, the worm accesses the MSN Messenger contact list and sends itself to all contacts under one of the above-mentioned file names.
Payload
The worm sets the volume levels to zero.
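The file names and registry value listed in this description can be checked on a host with a short PowerShell script. This is an added example, not part of the original description: the function name `Get-BropiaIndicator` and its parameters are hypothetical, and because several of the file names are generic, a file hit is a lead to confirm with an anti-virus scan rather than proof of infection.

```powershell
# Added example: looks for the file and registry indicators listed in this description.
# Get-BropiaIndicator, -Root and -SystemDir are hypothetical names chosen for illustration.
function Get-BropiaIndicator {
    param(
        [string]$Root      = "$env:SystemDrive\",
        [string]$SystemDir = [Environment]::GetFolderPath('System')
    )

    # Names the worm uses for its copy in the root directory, plus the image it creates there.
    $rootNames = 'bedroom-thongs.pif', 'Hot.pif', 'LMAO.pif', 'LOL.scr', 'naked_drunk.pif',
                 'new_webcam.pif', 'ROFL.pif', 'underware.pif', 'Webcam.pif', 'sexy.jpg'
    # msnus.exe is the worm's own copy; winhost.exe is the copy made by the dropped backdoor.
    $systemNames = 'msnus.exe', 'winhost.exe'
    # Keys in which the backdoor sets "win32" = "winhost.exe".
    # HKCU only covers the account running the script.
    $regKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
               'HKCU:\Software\Microsoft\OLE'

    $candidates  = @($rootNames   | ForEach-Object { Join-Path $Root $_ })
    $candidates += @($systemNames | ForEach-Object { Join-Path $SystemDir $_ })

    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            # -Force so that hidden or system-flagged files are still returned.
            $file = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{
                Kind     = 'File'
                Location = $path
                Detail   = "$($file.Length) bytes, last written $($file.LastWriteTime)"
            }
        }
    }

    foreach ($key in $regKeys) {
        # A missing key or value yields $null instead of an error.
        $value = (Get-ItemProperty -LiteralPath $key -Name 'win32' -ErrorAction SilentlyContinue).win32
        if ($value -and $value -like '*winhost.exe*') {
            [pscustomobject]@{ Kind = 'Registry'; Location = "$key\win32"; Detail = $value }
        }
    }
}

# No output means none of the listed indicators were found for this machine and user.
Get-BropiaIndicator | Format-Table -AutoSize -Wrap
```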
Removal IM-Worm.Win32.Bropia.aj instructions:

