
WORM_BROPIA.W

Overview and description

Malware type: Worm

Aliases: W32/Kelvir.worm.gen (McAfee), W32.Kelvir (Symantec), Worm/Bropia.AD (Avira), W32/Bropia-W (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

Upon execution, this worm drops a copy of itself as MSNADP32.EXE in the Windows system folder. It also drops a file, PWMGR.EXE, which is detected by Trend Micro as WORM_RBOT.BMR, in the same folder.

It propagates via MSN Messenger. It sends an instant message to all online MSN Messenger contacts of an affected user. The message encourages the user to click a link, which is suspected to download a copy of the worm. However, as of this writing, the said link is inaccessible.

The said message is as follows:

lmao you dumbass!
http://freebu{BLOCKED}yicons.thinki.co.uk/pics.php?user={email address of the sender}

The link spoofs the sender's email address.

Below is a screenshot of the message:

This worm also searches for the ICQ shared files folder, where it drops copies of itself using a list of file names.


Description created: May. 21, 2005 4:35:37 AM GMT -0800


Technical details

File type: PE

Memory resident: Yes

Size of malware: 188,416 Bytes

Initial samples received on: May 21, 2005

Related to: WORM_RBOT.BMR

Details:

Installation and Autostart

Upon execution, this worm drops a copy of itself as MSNADP32.EXE in the Windows system folder. It also drops a file, PWMGR.EXE, which is detected by Trend Micro as WORM_RBOT.BMR, in the same folder.

It creates the following autostart entry to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
MSN Administration For Windows = "msnadp32.exe"

Propagation via MSN Messenger

This worm propagates via MSN Messenger. It sends an instant message to all online MSN Messenger contacts of an affected user. The message encourages the user to click a link, which is suspected to download a copy of the worm. However, as of this writing, the said link is inaccessible.

The said message is as follows:

lmao you dumbass!
http://freebu{BLOCKED}yicons.thinki.co.uk/pics.php?user={email address of the sender}

The link spoofs the sender's email address.

Below is a screenshot of the message:

Propagation via Peer-to-peer (P2P) Network

This worm searches for the ICQ shared files folder, where it drops copies of itself using the following file names:

  • 3 Hack.exe
  • Adult ID Check.exe
  • Aim Flooder.exe
  • Aim Hacker.exe
  • AIMHacks.exe
  • Anarchist CookBook.exe
  • AVPDVDRip.mpg.exe
  • BF1942FULL.exe
  • BFVietnam.exe
  • BigBoobs.exe
  • BigBoobsXXX.exe
  • Britney XXX.exe
  • broadband wizard.exe
  • cable accelerator.exe
  • cable uncapper.exe
  • CallofDutyFULL.exe
  • Cool_Games.exe
  • CoolGames.exe
  • CounterStrike.exe
  • CounterStrikeSOURCE.exe
  • CounterStrikeSourceFULL.exe
  • Cracker Game.exe
  • Cracks Collections.Exe
  • Credit Card.exe
  • Delphi6 Keygen.exe
  • DOOM3_FULL.exe
  • DownLoad Accelerator Plus.exe
  • Dreamcast BootDisc.exe
  • Dropitlikeitzhot.exe
  • DVDRipper.exe
  • Easy CD Creator 5.exe
  • email hacker.exe
  • exeeenSaver.exe
  • FBISecretDocuments.exe
  • F-ProtAV-Full.exe
  • FTP Commander.exe
  • Ftp Cracker.exe
  • Ftp Hacker.exe
  • FuckedHARDXXX.exe
  • Gladiator (Movie) - Full Downloader.exe
  • GTAViceCity.exe
  • Hacker Kit.exe
  • Hacker.exe
  • HackingWebpage.exe
  • HackingWindowsXP.exe
  • HackingXP.exe
  • HalfLife2_FULL.exe
  • HalfLife2FULL.exe
  • HalfLife2FULL+Crack.exe
  • Halflife2KeyGen.exe
  • Hotmail Account Hacker.exe
  • Hotmail Hack.exe
  • Hotmail Hacker.exe
  • Hotmail Password Cracker.exe
  • HotmailHackerKit.exe
  • HowtoHack.exe
  • How-to-Hack.exe
  • Icq Ad Remover.exe
  • Icq Banner Remover.exe
  • icq hacker.exe
  • icq ip patch.exe
  • Ident Faker.exe
  • Ident Spoofer.exe
  • IE6 Final.exe
  • InDaClub.exe
  • irc flooder.exe
  • IRobotDVDRip.mpg.exe
  • Jasc Paint Shop Pro 7 (Full).exe
  • JeniferLopezNUDE.exe
  • Johnny English (Movie) - Full Downloader.exe
  • Kazaa ad remover.exe
  • LanGuard NetScan.exe
  • Linux RootKit.exe
  • Matrix Reloaded.exe
  • McafeeAntiVirus.exe
  • MedalofHonorPacificAssultFULL.exe
  • Microsoft Office Full.exe
  • MiddleSchoolPornXXX.exe
  • Mirc6 Full.exe
  • mirc6 keygen.exe
  • Mp3 Maker Pro.exe
  • mp3 to wav full.exe
  • MS_Frontpage.exe
  • Msn Hacker.exe
  • MSN Messenger Password Stealer.exe
  • NeroBurningRom 6.exe
  • Norton AntiVirus Full.exe
  • Norton Keygen-All Vers.exe
  • NortonAntirVirus2005FULL.exe
  • NortonAntiVirus2005FULL.exe
  • NortonPersonalFirewallFULL.exe
  • NudeCheerleaders.exe
  • OfficeXP sp2 express.exe
  • PasswordCrackers.exe
  • PCChillen.exe
  • pE packer.exe
  • Peck.exe
  • PhotoShopCS8.0_Crack.exe
  • PipeBombTutorial.exe
  • PreTeenBlowJob.exe
  • PreTeenSEX.exe
  • PreTeenXXX.exe
  • PS1 BootDisc.exe
  • PS2 BootDisc.exe
  • PSXCopy Full.exe
  • Salford.exe
  • Serials 2k.exe
  • Serials Collections.exe
  • SexyChickXXXHarcore.exe
  • SexyTeen.exe
  • Simpsons.exe
  • SluttyCheerleaders.exe
  • SohposAntiVirusFULL.exe
  • Sopohs_Anti_Virus.exe
  • SpywareKiller.exe
  • SteelCap.exe
  • StylesXP.exe
  • Sub7 Master Password.exe
  • Sub7 Remover.exe
  • SwordFish (Movie) - Full Downloader.exe
  • SxyTeenagePorn.exe
  • SxyTeenageSEX.exe
  • SxyTeenFuckedHARD.exe
  • SxyTeenGetsItuptheASS.exe
  • TeenSexHardcore.exe
  • Trillian Patcher.exe
  • Trillian Pro Full.exe
  • Trojan Remover.exe
  • uin2ip.exe
  • VS.Net Patcher.exe
  • Wadle.exe
  • WallPapersXXX.exe
  • webpage hacker.exe
  • WebpageHackingTools.exe
  • WebRootSpySweeper.exe
  • Westdene.exe
  • Win Proxy.exe
  • Win Shares Cracker.exe
  • Win98 Hacker.exe
  • Win-RAR-FULL.exe
  • Win-RAR-FULL+CRACK.exe
  • WinXP Keygen.exe
  • WinXPHacking.exe
  • www hacker kit.exe
  • XPHackes.exe
  • xxx exeeensaver.exe
  • XXX Virtual Sex.exe
  • XXXCollection.exe
  • XXXHighSchoolSluts.exe
  • XXXMagaPack.exe
  • XXXTeenSexXXX.exe
  • XXXWallpaperCollection.exe
  • Yahoo Hacker.exe
  • Zip_RAR_PWCracker.exe
  • ZoneAlarm Pro Full.exe
  • ZoneAlarm.exe

Platform

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

Analysis By: Luis Antonio P. Magisa


Solution

Minimum scan engine version needed: 6.810

Pattern file needed: 2.638.13

Pattern release date: May 21, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

(Note: Please refer also to the removal instruction of WORM_RBOT.BMR.)

Terminating the Malware Program

This procedure terminates the running malware process.

  1. Open Windows Task Manager.
    On Windows 95, 98, and ME, press
    CTRL+ALT+DELETE
    On Windows NT, 2000, and XP, press
    CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the process:
    MSNADP32.EXE
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions. If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Editing the Registry

For detailed information about the registry and Registry Editor, refer to the following articles from Microsoft:

  1. About the Registry and How to Use Registry Editor
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows Me
  3. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  4. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP
  5. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    MSN Administration For Windows = "msnadp32.exe"
  4. Close Registry Editor.
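The autostart entry and dropped files described in the Technical details section, together with the manual registry check above, can be turned into a small triage script. This is an added example, not Trend Micro's code: it parses a constructed REGEDIT4-style export of the Run key and a constructed listing of the Windows system folder, and flags the indicators this write-up lists (value name, value data msnadp32.exe, and the dropped files MSNADP32.EXE and PWMGR.EXE). A real Run value often carries a full path, so the match is done on the file name.

```python
"""Triage helper for the WORM_BROPIA.W indicators in this write-up (added example)."""
import re
from pathlib import PureWindowsPath

# Indicators taken from the write-up.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "MSN Administration For Windows"
RUN_VALUE_DATA = "msnadp32.exe"
DROPPED_FILES = {"msnadp32.exe", "pwmgr.exe"}  # PWMGR.EXE is the WORM_RBOT.BMR component


def parse_reg_export(text):
    """Parse a minimal .reg export (string values only) into {key: {name: data}}."""
    keys, current = {}, None
    value_re = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = value_re.match(line)
            if m:  # .reg escapes backslashes and quotes; undo that
                name, data = (g.replace("\\\\", "\\").replace('\\"', '"') for g in m.groups())
                keys[current][name] = data
    return keys


def find_autostart(keys):
    """Return (key, name, data) for Run values matching the worm's autostart entry."""
    hits = []
    for key, values in keys.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            exe = PureWindowsPath(data.strip('"')).name.lower()
            if exe == RUN_VALUE_DATA or name == RUN_VALUE_NAME:
                hits.append((key, name, data))
    return hits


def find_dropped(file_listing):
    """Return paths from a system-folder listing whose file name is a known dropped file."""
    return sorted(p for p in file_listing if PureWindowsPath(p).name.lower() in DROPPED_FILES)


# Constructed sample input: one Run key export and a short system-folder listing.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSN Administration For Windows"="msnadp32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
SAMPLE_LISTING = [r"C:\WINDOWS\system32\msnadp32.exe", r"C:\WINDOWS\system32\pwmgr.exe",
                  r"C:\WINDOWS\system32\notepad.exe"]

if __name__ == "__main__":
    print("autostart:", find_autostart(parse_reg_export(SAMPLE_REG)))
    print("dropped:", find_dropped(SAMPLE_LISTING))
```

On a live system the same functions can be fed the output of `regedit /e` and a directory listing of the Windows system folder; a hit on either check is the cue to follow the termination and registry steps above.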

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_BROPIA.W. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.





