These are old archives. They are kept for historic purposes only.
- UnrealIRCd head coder
- Posts: 1957
- Joined: Sat Mar 06, 2004 8:57 pm
- Location: .nl
A friend of mine noticed these ones today:
[22:12:24] <censored-> ownage! htxxxxxtp://members.chello.nl/h.keuth/w00t!.pif :D
[22:12:28] <censored-> nice! htxxxxxxxxxxxxtp://members.chello.nl/a.sinnema1/sexy-bitch.pif :P
(without the xxxxx's)
[md5 of file (both identical): e43f7b7e202ab30f6744f6a13f9ce325]
At the time of writing, both sites are up and the virus (file) is not recognized by my F-Secure antivirus.
Antivirus     Version          Update      Result
AntiVir       126.96.36.199    02.21.2005  no virus found
AVG           718              02.21.2005  no virus found
BitDefender   7.0              02.21.2005  no virus found
ClamAV        devel-20050130   02.22.2005  Worm.Bropia.N
DrWeb         4.32b            02.21.2005  Trojan.MulDrop.1673
eTrust-Iris   188.8.131.52     02.21.2005  no virus found
eTrust-Vet    184.108.40.206   02.21.2005  no virus found
Fortinet      2.51             02.22.2005  no virus found
F-Prot        3.16a            02.21.2005  no virus found
Ikarus        2.32             02.21.2005  no virus found
Kaspersky     220.127.116.11   02.21.2005  IM-Worm.Win32.Bropia.j
NOD32v2       1.1005           02.21.2005  probably unknown NewHeur_PE virus
Norman        5.70.10          02.21.2005  no virus found
Panda         8.02.00          02.21.2005  no virus found
Sybari        7.5.1314         02.21.2005  no virus found
Symantec      8.0              02.21.2005  no virus found
Anyone seen these before? Or more interesting: is there some increased activity?
They look similar to what I've seen, but then again... all these things look similar anyway ;).
There could be plenty of other variant msgs/urls, he already left so I couldn't ask :P.
- Posts: 267
- Joined: Tue Jan 18, 2005 3:24 pm
- Location: Scotland - United Kingdom
I've seen the site, but the file extensions weren't .pif
I spend 4 hrs a day gaming and 14 hrs on IRC, for 5 days a week, I'm not an addict
- Posts: 40
- Joined: Fri Mar 18, 2005 4:16 am
- Location: NYC
Like the earlier BROPIA variants, this memory-resident worm spreads copies of itself via MSN messenger.
This worm arrives as a Win32 .EXE file.
Upon execution, this non-encrypted, memory-resident worm drops another file which Trend Micro detects as WORM_RBOT.AOR.
The dropped file can have the filename WINIS.EXE.
Its attributes are set to hidden, system and read-only.
After dropping, WORM_BROPIA.S executes this file.
It drops a JPEG picture file in the root folder, which is usually C:\. It opens the image with Internet Explorer (IE).
It also sets the attributes of this dropped file to read-only, hidden and system to avoid easy detection. After dropping, it executes this file and terminates itself.
The worm propagates using MSN Messenger.
It sends its copy to all contacts found in the MSN Messenger.
It arrives via MSN Messenger with a message that contains the following details:
(message) can be any of the following:
• CHECK THIS LOL!
• Huge Turd hahaah! :-P
• LOOK! :-O
• nice! :-P
• ownage! :D
• paris hilton got hacked!! :)
(link) can be any of the following:
The links point to the site where the worm can be downloaded.
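The lure texts in the Trend Micro description quoted above, together with the defanged URLs and the MD5 from the first post, are enough to build a small IOC matcher for channel logs. The script below is an added example, not code from this thread or from UnrealIRCd. It assumes the "[HH:MM:SS] <nick> message" line format shown in the first post, treats .exe and .scr as payload extensions in addition to the .pif the thread actually reports (an assumption, not something the thread states), and the log lines other than the two quoted from the first post are constructed for the example.

```python
# Added example: a small IOC matcher for the Bropia-style MSN/IRC lures discussed in this
# thread. It is not code from the thread or from UnrealIRCd. Assumptions are marked below.
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Lure texts as listed in the Trend Micro description quoted in the thread.
LURE_TEXTS = [
    "CHECK THIS LOL!",
    "Huge Turd hahaah! :-P",
    "LOOK! :-O",
    "nice! :-P",
    "ownage! :D",
    "paris hilton got hacked!! :)",
]

# The thread shows .pif links; .exe and .scr are an assumption (other common IM-worm
# payload extensions), not something the thread reports.
PAYLOAD_EXTENSIONS = (".pif", ".exe", ".scr")

# MD5 of the sample from the first post.
KNOWN_BAD_MD5: Set[str] = {"e43f7b7e202ab30f6744f6a13f9ce325"}

# Assumed log line format: "[HH:MM:SS] <nick> message", as in the lines quoted in the first post.
LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] <([^>]+)> (.*)$")
# Matches http:// URLs as well as ones defanged with x's ("htxxxtp://") the way the post did.
URL_RE = re.compile(r"\bhtx*tp://\S+", re.IGNORECASE)


def normalize(text: str) -> str:
    """Lowercase, drop emoticon noses (":-P" -> ":p") and collapse whitespace so that the
    message as typed ("nice! :P") matches the vendor's listing ("nice! :-P")."""
    return re.sub(r"\s+", " ", text.lower().replace("-", "")).strip()


LURES: Set[str] = {normalize(t) for t in LURE_TEXTS}


def refang(url: str) -> str:
    """Turn a defanged 'htxxxtp://' link back into a real URL for comparison or blocking."""
    return re.sub(r"^htx*tp://", "http://", url, flags=re.IGNORECASE)


def has_payload_extension(url: str) -> bool:
    """True if the URL path (query and fragment stripped) ends in an executable extension."""
    path = url.split("://", 1)[-1].split("?", 1)[0].split("#", 1)[0]
    return path.lower().endswith(PAYLOAD_EXTENSIONS)


@dataclass
class Hit:
    time: str
    nick: str
    url: str           # refanged URL
    lure: bool         # message text (minus the link) matches a known lure
    payload_ext: bool  # link points at an executable file


def scan_line(line: str) -> Optional[List[Hit]]:
    """Return one Hit per URL in the line, or None if the line carries no URL."""
    m = LINE_RE.match(line)
    if not m:
        return None
    time, nick, msg = m.groups()
    urls = URL_RE.findall(msg)
    if not urls:
        return None
    text = normalize(URL_RE.sub(" ", msg))  # the lure is whatever surrounds the link
    return [Hit(time, nick, refang(u), text in LURES, has_payload_extension(refang(u)))
            for u in urls]


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Keep only hits that show a known lure text or an executable link."""
    hits: List[Hit] = []
    for line in lines:
        for h in scan_line(line) or []:
            if h.lure or h.payload_ext:
                hits.append(h)
    return hits


def is_known_bad(data: bytes, iocs: Set[str] = KNOWN_BAD_MD5) -> bool:
    """Compare a downloaded file against the MD5 IOC(s); the thread's sample hash is the default."""
    return hashlib.md5(data).hexdigest() in iocs


# Sample log: the first two lines are the ones quoted in the thread; the rest are constructed.
SAMPLE_LOG = [
    "[22:12:24] <censored-> ownage! htxxxxxtp://members.chello.nl/h.keuth/w00t!.pif :D",
    "[22:12:28] <censored-> nice! htxxxxxxxxxxxxtp://members.chello.nl/a.sinnema1/sexy-bitch.pif :P",
    "[22:13:01] <someone> changelog is at http://example.invalid/changelog.html :)",
    "[22:13:05] <other> LOOK! :-O http://example.invalid/pics/party.scr",
    "[22:13:09] <third> brb",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.time} {h.nick}: {h.url} lure={h.lure} payload={h.payload_ext}")
```

Running it on the sample log flags the two lines from the post and the constructed .scr line, and leaves the benign .html link and the URL-less line alone. A hit that has both the lure text and an executable extension is the strong signal; an executable link on its own is worth a look but will also catch legitimate downloads, so treat it as a lower-confidence match. The hash check is only useful against the exact sample from the post; other variants in the same campaign will hash differently, which is why the message-text match is the more durable indicator here.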