Posted: Mon Feb 21, 2005 11:01 pm
by Syzop
A friend of mine noticed these ones today:


[22:12:24] <censored-> ownage! htxxxxxtp://!.pif :D 
[22:12:28] <censored-> nice! htxxxxxxxxxxxxtp:// :P 
(without the xxxxx's)
[md5 of file (both identical): e43f7b7e202ab30f6744f6a13f9ce325]
At the time of writing, both sites are up and the virus (file) is not recognized by my F-Secure antivirus. Results:


Antivirus     Version         Update      Result
AntiVir       -               02.21.2005  no virus found
AVG           718             02.21.2005  no virus found
BitDefender   7.0             02.21.2005  no virus found
ClamAV        devel-20050130  02.22.2005  Worm.Bropia.N
DrWeb         4.32b           02.21.2005  Trojan.MulDrop.1673
eTrust-Iris   -               02.21.2005  no virus found
eTrust-Vet    -               02.21.2005  no virus found
Fortinet      2.51            02.22.2005  no virus found
F-Prot        3.16a           02.21.2005  no virus found
Ikarus        2.32            02.21.2005  no virus found
Kaspersky     -               02.21.2005  IM-Worm.Win32.Bropia.j
NOD32v2       1.1005          02.21.2005  probably unknown NewHeur_PE virus
Norman        5.70.10         02.21.2005  no virus found
Panda         8.02.00         02.21.2005  no virus found
Sybari        7.5.1314        02.21.2005  no virus found
Symantec      8.0             02.21.2005  no virus found
("-" marks rows where no version was reported.)
Anyone seen these before? Or more interesting: is there some increased activity?
They look similar to what I've seen, but then again... all these things look similar anyway ;).

There could be plenty of other variant msgs/urls, he already left so I couldn't ask :P.
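The scan table in the post above is the kind of multi-engine result an analyst triages by hand: which engines flag the sample, which verdicts are real signatures versus generic heuristics, and whether the named verdicts agree on a family. The following is an added example (not code from the thread or from any of the vendors) that parses the table as it was pasted, tab-separated with the Version field missing on three rows, and summarises it. The rows are copied from the post; the parsing rules (anchor on the MM.DD.YYYY date field, treat a "probably ..." verdict as heuristic, read vendor names as Type.Family.Variant) are my own assumptions.

```python
"""Triage a pasted multi-engine scan table (added example, not from the thread)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Rows exactly as posted, tab-separated. AntiVir, eTrust-* and Kaspersky
# carry no Version field, so a naive split shifts their columns.
SCAN_TABLE = """\
AntiVir\t02.21.2005\tno virus found
AVG\t718\t02.21.2005\tno virus found
BitDefender\t7.0\t02.21.2005\tno virus found
ClamAV\tdevel-20050130\t02.22.2005\tWorm.Bropia.N
DrWeb\t4.32b\t02.21.2005\tTrojan.MulDrop.1673
eTrust-Iris\t02.21.2005\tno virus found
eTrust-Vet\t02.21.2005\tno virus found
Fortinet\t2.51\t02.22.2005\tno virus found
F-Prot\t3.16a\t02.21.2005\tno virus found
Ikarus\t2.32\t02.21.2005\tno virus found
Kaspersky\t02.21.2005\tIM-Worm.Win32.Bropia.j
NOD32v2\t1.1005\t02.21.2005\tprobably unknown NewHeur_PE virus
Norman\t5.70.10\t02.21.2005\tno virus found
Panda\t8.02.00\t02.21.2005\tno virus found
Sybari\t7.5.1314\t02.21.2005\tno virus found
Symantec\t8.0\t02.21.2005\tno virus found
"""

DATE_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4}$")  # Update column, MM.DD.YYYY
CLEAN = "no virus found"


@dataclass
class ScanRow:
    engine: str
    version: Optional[str]
    update: str
    result: str

    @property
    def detected(self) -> bool:
        return self.result.strip().lower() != CLEAN

    @property
    def heuristic(self) -> bool:
        # Assumption: a verdict phrased "probably ..." (NOD32's NewHeur_PE
        # here) is a generic heuristic, not a named signature.
        return self.detected and self.result.lower().startswith("probably")

    @property
    def family(self) -> Optional[str]:
        # Assumption: vendor names follow Type[.Platform].Family.Variant, so
        # the family is the second-to-last dot-separated token
        # (Worm.Bropia.N -> bropia, IM-Worm.Win32.Bropia.j -> bropia).
        if not self.detected or self.heuristic:
            return None
        tokens = self.result.split(".")
        return tokens[-2].lower() if len(tokens) >= 2 else None


def parse_table(text: str) -> List[ScanRow]:
    """Parse tab-separated rows, tolerating a missing Version column."""
    rows = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        # The Update field is the only one with a fixed shape; locate it and
        # derive the other columns relative to it instead of by position.
        idx = next(i for i, f in enumerate(fields) if DATE_RE.match(f))
        version = fields[1] if idx == 2 else None
        result = "\t".join(fields[idx + 1:])
        rows.append(ScanRow(fields[0], version, fields[idx], result))
    return rows


def summarize(rows: List[ScanRow]) -> dict:
    detected = [r for r in rows if r.detected]
    families = Counter(r.family for r in detected if r.family)
    consensus = families.most_common(1)[0][0] if families else None
    return {
        "engines": len(rows),
        "detected": len(detected),
        "named": [r.engine for r in detected if not r.heuristic],
        "heuristic": [r.engine for r in detected if r.heuristic],
        "consensus_family": consensus,
    }


if __name__ == "__main__":
    summary = summarize(parse_table(SCAN_TABLE))
    print(f"{summary['detected']}/{summary['engines']} engines flag the file")
    print("named:", summary["named"], "heuristic:", summary["heuristic"])
    print("consensus family:", summary["consensus_family"])
```

Anchoring on the date field rather than on column position is what keeps the three short rows from being misread as "version 02.21.2005, updated 'no virus found'"; the same trick applies to any copy-pasted scanner output where optional columns are simply dropped instead of left blank.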

Posted: Tue Feb 22, 2005 12:04 am
by White_Magic
I've seen the site, but the file extensions weren't .pif :|

Posted: Tue Mar 29, 2005 8:57 am
by fluid
Like the earlier BROPIA variants, this memory-resident worm spreads copies of itself via MSN Messenger.

This worm arrives as a Win32 .EXE file.
Upon execution, this non-encrypted, memory-resident worm drops another file which Trend Micro detects as WORM_RBOT.AOR.

The dropped file can have the filename WINIS.EXE.
Its attributes are set to hidden, system and read-only.
After dropping, WORM_BROPIA.S executes this file.

It drops a JPEG picture file in the root folder, which is usually C:\. It opens the image with Internet Explorer (IE).

It also sets the attributes of this dropped file to read-only, hidden and system to avoid easy detection. After dropping, it executes this file and terminates itself.

The worm propagates using MSN Messenger.
It sends its copy to all contacts found in MSN Messenger.

It arrives via MSN Messenger with a message that contains the following details:

(message) can be any of the following:

• Huge Turd hahaah! :-P
• LOOK! :-O
• nice! :-P
• ownage! :D
• paris hilton got hacked!! :)
(link) can be any of the following:

• hxxxxp://!.pif
• hxxxxp://
• hxxxxp://
• hxxxxp://
• hxxxxp://
• hxxxxp://!.pif

The links point to the site where the worm can be downloaded.

ref: Trend Micro
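The description above gives a compact signature for this family on the wire: a short bait text from a fixed list, plus a link whose file name ends in .pif (the dropped file itself is a Win32 .EXE). The following is an added example, not code from the thread or from Trend Micro, that scores IM/IRC log lines against that pattern. The lure strings and the .pif/.exe extensions come from the posts; the other executable extensions, the un-defanging of hxxp://-style URLs, the three-level verdict, and all sample lines (placeholder hosts under example.invalid) are my own assumptions and constructed data. It also covers White_Magic's observation that the extension is not always .pif: an executable link with unfamiliar text still gets a medium verdict.

```python
"""Score chat/IRC lines against the Bropia lure pattern (added example)."""
import re
from posixpath import basename, splitext  # URL paths always use '/'
from typing import Dict, List
from urllib.parse import urlsplit


def normalise(text: str) -> str:
    """Lower-case, collapse whitespace, and drop smiley noses (":-P" == ":P")."""
    return re.sub(r"\s+", " ", text.replace(":-", ":")).strip().lower()


# Bait texts quoted from the write-up above.
KNOWN_LURES = {normalise(s) for s in (
    "Huge Turd hahaah! :-P",
    "LOOK! :-O",
    "nice! :-P",
    "ownage! :D",
    "paris hilton got hacked!! :)",
)}

# .pif and .exe appear on the page; the rest are my additions (assumption:
# further extensions Windows executes directly from a download).
EXEC_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Analysts defang links as hxxp:// or, as in the first post, htxxxxxtp://.
# Undo that so urlsplit() sees a real scheme (assumption about defang styles).
DEFANG_RE = re.compile(r"\bht?(x+)t?p(s?)://", re.IGNORECASE)
# Optional IRC-style prefix: "[HH:MM:SS] <nick> "
PREFIX_RE = re.compile(r"^(?:\[\d{2}:\d{2}:\d{2}\]\s*)?(?:<[^>]+>\s*)?")


def refang(text: str) -> str:
    return DEFANG_RE.sub(lambda m: "http" + m.group(2) + "://", text)


def executable_links(urls: List[str]) -> List[str]:
    """Return the URLs whose last path component has an executable extension."""
    hits = []
    for url in urls:
        path = urlsplit(url.rstrip(".,;)")).path       # strip trailing punctuation
        if splitext(basename(path))[1].lower() in EXEC_EXTENSIONS:
            hits.append(url)
    return hits


def classify(line: str) -> Dict[str, object]:
    body = PREFIX_RE.sub("", refang(line))
    urls = URL_RE.findall(body)
    exec_urls = executable_links(urls)
    lure = normalise(URL_RE.sub("", body))               # text with links removed
    known_lure = lure in KNOWN_LURES
    if exec_urls and known_lure:
        verdict = "high"     # known bait + link to an executable
    elif exec_urls:
        verdict = "medium"   # executable link, unfamiliar text
    elif known_lure and urls:
        verdict = "low"      # known bait, link to something non-executable
    else:
        verdict = "clean"
    return {"verdict": verdict, "exec_urls": exec_urls, "lure": lure}


# Constructed sample log (not from the thread); hosts are placeholders.
SAMPLE_LINES = [
    "[22:12:24] <friend> ownage! htxxxxxtp://example.invalid/!.pif :D",
    "[22:12:28] <friend> nice! hxxp://example.invalid/photo.pif :P",
    "[22:13:01] <friend> check this http://example.invalid/pics/holiday.scr",
    "[22:13:30] <friend> LOOK! :-O http://example.invalid/gallery.html",
    "[22:14:00] <bob> see you at the meeting tomorrow",
]


def scan(lines: List[str]) -> List[str]:
    return [str(classify(line)["verdict"]) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LINES, scan(SAMPLE_LINES)):
        print(f"{verdict:6} {line}")
```

Matching on the bait text alone would miss the variant White_Magic saw, and matching on the extension alone would fire on every legitimate .exe link, so the two signals are combined and only their conjunction is treated as high confidence; the lure list is the part that ages fastest and should be the easiest thing to update.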