Skip to content
Provate i nostri servizi di consulenza e di assistenza.
Formazione: partecipate alla formazione sui nostri prodotti.
Malware type: Worm
Aliases: W32/Kelvir.worm.gen (McAfee), W32.Kelvir (Symantec), Worm/Bropia.AD (Avira), W32/Bropia-W (Sophos),
In the wild: Yes
Platform: Windows 95, 98, ME, NT, 2000, XP
Overall risk rating:
Upon execution, this worm drops a copy of itself as MSNADP32.EXE in the Windows system folder. It also drops a file, PWMGR.EXE, which is detected by Trend Micro as WORM_RBOT.BMR, in the same folder.
It propagates via MSN Messenger. It sends an instant message to all online MSN Messenger contacts of an affected user. The message encourages the user to click a link, which is suspected to download a copy of the worm. However, as of this writing, the said link is inaccessible.
The said message is as follows:
lmao you dumbass!
address of the sender}
The link spoofs the sender's email address.
Below is a screenshot of the message:
This worm also searches for the ICQ shared files folder, where it drops copies of itself using a list of file names.
For additional information about this threat, see:
Description created: May. 21, 2005 4:35:37 AM GMT -0800
File type: PE
Memory resident: Yes
Size of malware: 188,416 Bytes
Initial samples received on: May 21, 2005
Related to: WORM_RBOT.BMR
Installation and Autostart
It creates the following autostart entry to ensure its automatic execution at every system startup:
MSN Administration For Windows = "msnadp32.exe"
Propagation via MSN Messenger
This worm propagates via MSN Messenger. It sends an instant message to all online MSN Messenger contacts of an affected user. The message encourages the user to click a link, which is suspected to download a copy of the worm. However, as of this writing, the said link is inaccessible.
Propagation via Peer-to-peer (P2P) Network
This worm searches for the ICQ shared files folder, where it drops copies of itself using following file names.
This worm runs on Windows 95, 98, ME, NT, 2000, and XP.
Analysis By: Luis Antonio P. Magisa
Minimum scan engine version needed: 6.810
Pattern file needed: 2.638.13
Pattern release date: May 21, 2005
Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.
(Note: Please refer also to the removal instruction of WORM_RBOT.BMR.)
Terminating the Malware Program
This procedure terminates the running malware process.
Editing the Registry
For detailed information about the registry and Registry Editor, refer to the following articles from Microsoft:
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
Additional Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.
Users running other Windows versions can proceed with the succeeding procedure sets.
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_BROPIA.W. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micros free online virus scanner.
Trend Micro offers best-of-breed antivirus and content-security solutions for your
small and medium business,
or home PC.
Mettetevi in contatto con noi su