iDefense iAlert
February 03, 2005@05:02:42 GMT
High Threat Version: 1 2/03/2005@05:04:24 GMT
Flash ID#406822:
Bropia.D Worm Propagating in the Wild via MSN Messenger: Bropia.D is a new variant of the Bropia worm (ID# 406325, Jan. 20, 2005) that propagates via MSN Messenger (MSNM). iDEFENSE rates Bropia.D as a HIGH-level threat because of the following factors:
• MSN Messenger is a popular instant messaging solution.
• MSN Messenger prompts immediate action when a message is received.
• Several reliable sources have indicated that Bropia.D is spreading rapidly in the Far East and the United States at the time of this writing.
• Bropia.D has been updated for stronger social engineering: it displays a humorous chicken image when executed, and it uses suggestive file names to entice users into running the malicious file.
• Bropia.D installs an Internet Relay Chat (IRC) bot, enabling the attacker to remotely control the infected computer.
Bropia.D requires user interaction to install itself on the target computer and drop its secondary payload. Well-trained users are not likely to provide the interaction required to install Bropia.D.
To spread to other computers, Bropia.D attempts to send a copy of itself over MSNM. A copy of the worm is sent to all active MSNM contacts as any of the SCR or PIF files noted below. The end user must save and execute the file for the worm to infect the computer. If executed, multiple files may be installed on the computer.
Fingerprint information for Bropia.D follows:
File Names:
• Bedroom-thongs.pif
• Hot.pif
• LMAO.pif
• LOL.scr
• Naked_drunk.pif
• New_webcam.pif
• ROFL.pif
• Underware.pif
• Webcam.pif
• Sexy.jpg [Jpg image pops upon execution]
• [Windows System directory]\msnus.exe
• [Windows System directory]\winhost.exe [IRCBot]
File Size: 184,928 bytes (Bropia.D), 124,426 bytes (Bot Component)
Registry Entries:
HKCU\Software\Microsoft\OLE
win32=winhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
win32=winhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
win32=winhost.exe
Bropia.D also checks for debuggers and for certain file names, including DNSSERV.EXE, WINIS.EXE, WINHOST.EXE and CZ.EXE. The worm does not run on a computer where the debuggers NTICE or SoftICE are present. The worm may also set the main volume to "0" (muting the speaker).
Aliases: Bropia.D, Bropia, WORM_BROPIA.F [Trend], Win32/Bropia.worm.188928 [AhnLab], W32.Bropia.J [Symantec], Worm_Agobot.AJC [Trend], W32.Spybot.Worm [Symantec]
Sources: AhnLab Inc., Feb. 02, 2005
Computer Associates Inc., Feb. 02, 2005
McAfee Inc., Feb. 02, 2005
Symantec Corp., Feb. 02, 2005
Trend Micro Inc., Feb. 02, 2005
Analysis: (iDEFENSE US) Bropia.D is a new worm that should not present a major threat to well-managed networks, although the popularity of the MSNM service may increase exposure to compromised computer security and data loss or corruption. If a Bropia.D infection has occurred, additional malicious code or attacks may be launched against the computer via the IRC bot backdoor component.
Detection: Look for the following files that are used by Bropia.D:
• Bedroom-thongs.pif
• Hot.pif
• LMAO.pif
• LOL.scr
• Naked_drunk.pif
• New_webcam.pif
• ROFL.pif
• Underware.pif
• Webcam.pif
• Sexy.jpg
• [Windows System directory]\msnus.exe
• [Windows System directory]\winhost.exe [IRCBot]
Look for the Windows registry key(s) created by Bropia.D and unexpected network traffic.
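The detection checklist above can be turned into a host sweep. The following is an added example (not part of the iDefense alert or the poster's text): the file names and registry triples are copied from the advisory, while the matching logic and the helper names (match_file_names, match_registry_values, sweep_host) are this example's own. Matching is case-insensitive because NTFS and the registry are, and the registry comparison uses only the basename of the value data so that a full path such as C:\WINDOWS\system32\winhost.exe still matches the advisory's "win32=winhost.exe". The live registry read uses winreg and so only runs on Windows; the pure matching functions run anywhere and can be fed a .reg export or an Autoruns listing reduced to (key, value name, value data).

```python
"""Sweep a host for the Bropia.D indicators listed in the iDefense alert.

Added example, not from iDefense. Indicator lists are from the advisory;
function names and the sweep logic are assumptions of this example.
"""
import ntpath
import os
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# File names the worm sends over MSN Messenger or drops (from the advisory).
DROPPED_FILES = [
    "Bedroom-thongs.pif", "Hot.pif", "LMAO.pif", "LOL.scr", "Naked_drunk.pif",
    "New_webcam.pif", "ROFL.pif", "Underware.pif", "Webcam.pif", "Sexy.jpg",
    "msnus.exe", "winhost.exe",
]

# (key path, value name, value data) from the advisory's registry section.
REGISTRY_INDICATORS = [
    (r"HKCU\Software\Microsoft\OLE", "win32", "winhost.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "win32", "winhost.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices", "win32", "winhost.exe"),
]

_FILE_SET = {name.lower() for name in DROPPED_FILES}


def match_file_names(names: Iterable[str]) -> List[str]:
    """Return entries of `names` whose basename (case-insensitive) is an indicator.

    ntpath.basename is used so Windows paths are split correctly even when
    this runs on a non-Windows analysis box.
    """
    return [n for n in names if ntpath.basename(n).lower() in _FILE_SET]


def match_registry_values(values: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (key, name, data) triples that match an advisory indicator.

    Value data is reduced to its basename before comparison, so both
    "winhost.exe" and "C:\\WINDOWS\\system32\\winhost.exe" match.
    """
    wanted = {(k.lower(), n.lower(), d.lower()) for k, n, d in REGISTRY_INDICATORS}
    hits = []
    for key, name, data in values:
        norm = (key.lower(), name.lower(), ntpath.basename(str(data)).lower())
        if norm in wanted:
            hits.append((key, name, data))
    return hits


def _enumerate_registry_live() -> List[Tuple[str, str, str]]:
    """Read every value under the three indicator keys with winreg (Windows only)."""
    import winreg  # only available on Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    found = []
    for key_path, _, _ in REGISTRY_INDICATORS:
        hive_name, _, sub = key_path.partition("\\")
        try:
            with winreg.OpenKey(hives[hive_name], sub) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break  # no more values under this key
                    found.append((key_path, name, str(data)))
                    i += 1
        except OSError:
            continue  # key does not exist on this host
    return found


def sweep_host(system_dir: Optional[str] = None) -> Dict[str, list]:
    """Check the Windows system directory and (on Windows) the registry."""
    if system_dir is None:
        system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    file_hits: List[str] = []
    if os.path.isdir(system_dir):
        file_hits = match_file_names(os.path.join(system_dir, f) for f in os.listdir(system_dir))
    reg_hits = match_registry_values(_enumerate_registry_live()) if sys.platform == "win32" else []
    return {"files": file_hits, "registry": reg_hits}


if __name__ == "__main__":
    result = sweep_host()
    for path in result["files"]:
        print("FILE    ", path)
    for key, name, data in result["registry"]:
        print("REGISTRY", key, name, "=", data)
    sys.exit(1 if result["files"] or result["registry"] else 0)
```

Run it as an administrator on the suspect host; a non-zero exit status means an indicator was found. The file check only covers the system directory, where the advisory says msnus.exe and winhost.exe are dropped; the received .pif/.scr copies land wherever the user saved them, so extend the directory list (user profile, desktop, downloads) to taste.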
Recovery: Remove all files and the Windows registry key modifications associated with this and attendant malicious code threats. Restore corrupted or damaged files with clean back-up copies. Validate the functionality of all anti-virus and security-related software. Enforce strict firewall filtering to help block outbound communications potentially made by the bot component of this worm.
Workaround: Configure e-mail servers and workstations to block file types commonly used by malicious code to spread to other computers. Carefully manage all new files, scanning them with updated anti-virus software using heuristics prior to use.
Ensure that computers are patched against all Microsoft Windows vulnerabilities whenever possible. Minimize network shares, and ensure that those necessary shares are well protected using accepted best practices.
Vendor Fix: Anti-virus vendors will likely release updated signature files in the near future to protect against this malicious code. Some anti-virus applications may detect this malicious code heuristically.
Name of Malicious Code: Bropia.D
Registry Entries or config files Created, Modified, or Deleted:
Key: HKCU\Software\Microsoft\OLE
Value name: win32
Value data: winhost.exe
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: win32
Value data: winhost.exe
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Value name: win32
Value data: winhost.exe
Aliases: Bropia.D
Bropia
WORM_BROPIA.F [Trend]
Win32/Bropia.worm.188928 [AhnLab]
W32.Bropia.J [Symantec]
Worm_Agobot.AJC [Trend]
W32.Spybot.Worm [Symantec]
Size in Bytes: 184928
Referral IRs: 406325
SF18C
CCNP, MCSE, A+, N+ & HPCC
Tis better to die on your feet than live on your knees!