lalala...

These are old archives. They are kept for historic purposes only.
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl


Post by Syzop »

A friend of mine noticed these ones today:


[22:12:24] <censored-> ownage! htxxxxxtp://members.chello.nl/h.keuth/w00t!.pif :D 
[22:12:28] <censored-> nice! htxxxxxxxxxxxxtp://members.chello.nl/a.sinnema1/sexy-bitch.pif :P 
(without the xxxxx's)
[md5 of file (both identical): e43f7b7e202ab30f6744f6a13f9ce325]
At the time of writing, both sites are up and the virus (file) is not recognized by my F-Secure antivirus.

virustotal.com results:


Antivirus	Version	Update	Result
AntiVir	6.29.0.16	02.21.2005	no virus found
AVG	718	02.21.2005	no virus found
BitDefender	7.0	02.21.2005	no virus found
ClamAV	devel-20050130	02.22.2005	Worm.Bropia.N
DrWeb	4.32b	02.21.2005	Trojan.MulDrop.1673
eTrust-Iris	7.1.194.0	02.21.2005	no virus found
eTrust-Vet	11.7.0.0	02.21.2005	no virus found
Fortinet	2.51	02.22.2005	no virus found
F-Prot	3.16a	02.21.2005	no virus found
Ikarus	2.32	02.21.2005	no virus found
Kaspersky	4.0.2.24	02.21.2005	IM-Worm.Win32.Bropia.j
NOD32v2	1.1005	02.21.2005	probably unknown NewHeur_PE virus
Norman	5.70.10	02.21.2005	no virus found
Panda	8.02.00	02.21.2005	no virus found
Sybari	7.5.1314	02.21.2005	no virus found
Symantec	8.0	02.21.2005	no virus found
Anyone seen these before? Or more interesting: is there some increased activity?
They look similar to what I've seen, but then again... all these things look similar anyway ;).

There could be plenty of other variant msgs/URLs; he already left so I couldn't ask :P.
White_Magic
Posts: 267
Joined: Tue Jan 18, 2005 3:24 pm
Location: Scotland - United Kingdom

Post by White_Magic »

I've seen the site, but the file extensions weren't .pif :|
fluid
Posts: 40
Joined: Fri Mar 18, 2005 4:16 am
Location: NYC

Post by fluid »

Like the earlier BROPIA variants, this memory-resident worm spreads copies of itself via MSN messenger.

This worm arrives as a Win32 .EXE file.
Upon execution, this non-encrypted, memory-resident worm drops another file which Trend Micro detects as WORM_RBOT.AOR.

The dropped file can have the filename WINIS.EXE.
Its attributes are set to hidden, system and read-only.
After dropping, WORM_BROPIA.S executes this file.

It drops a JPEG picture file in the root folder, which is usually C:\. It opens the image with Internet Explorer (IE).

It also sets the attributes of this dropped file to read-only, hidden and system to avoid easy detection. After dropping, it executes this file and terminates itself.

The worm propagates using MSN Messenger.
It sends its copy to all contacts found in the MSN Messenger.

It arrives via MSN Messenger with a message that contains the following details:

(message)(link)

======================================================

(message) can be any of the following:

• CHECK THIS LOL!
• CUSTOM
• Huge Turd hahaah! :-P
• LOOK! :-O
• nice! :-P
• ownage! :D
• paris hilton got hacked!! :)

(link) can be any of the following:

• hxxxxp://members.chello.nl/a.sinnema1/FUNNY-SHIT!.pif
• hxxxxp://members.chello.nl/a.sinnema1/scary.pif
• hxxxxp://members.chello.nl/a.sinnema1/sexy-bitch.pif
• hxxxxp://members.chello.nl/h.keuth/massive-turd.pif
• hxxxxp://members.chello.nl/h.keuth/paris-hilton.pif
• hxxxxp://members.chello.nl/h.keuth/w00t!.pif


The links point to the site where the worm can be downloaded.

ref: Trend Micro
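Since the first post shows the log format in which these lures turn up and the Trend Micro text lists the message/link pairs the worm sends, here is an added example (not from the thread or from Trend Micro) of a small scanner that parses such log lines, flags links to executable file types and recognises the listed lure texts. The sample log, the extra extensions beyond .pif and the example.org lines are constructed assumptions.

```python
import re

# Lure phrases from the Trend Micro description quoted above, lower-cased and
# trimmed to the part before the emoticon so ":-P" and ":P" both match.
LURE_KEYWORDS = ("check this lol", "custom", "huge turd", "look!", "nice!",
                 "ownage!", "paris hilton got hacked")
# Bropia used .pif; the other extensions are an assumption covering other
# Windows executable types an IM worm could use just as well.
EXEC_EXTENSIONS = (".pif", ".scr", ".exe", ".com", ".bat")
LOG_LINE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] <([^>]+)> (.*)$")
URL = re.compile(r"https?://\S+", re.IGNORECASE)

def classify(text):
    """Return (url, verdict) for a suspicious message, else None."""
    for url in URL.findall(text):
        path = url.split("?", 1)[0].split("#", 1)[0].lower()
        if not path.endswith(EXEC_EXTENSIONS):
            continue
        # Remove the link; what remains is the lure text plus emoticon.
        rest = URL.sub("", text).strip().lower()
        if rest.startswith(LURE_KEYWORDS):
            return url, "bropia-lure"
        return url, "executable-link"
    return None

def scan_log(lines):
    """Parse '[HH:MM:SS] <nick> message' lines and collect flagged ones."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            time, nick, text = m.groups()
            verdict = classify(text)
            if verdict:
                hits.append((time, nick) + verdict)
    return hits

# Constructed sample log: two lines modelled on the report above, two benign.
SAMPLE_LOG = """\
[22:12:24] <censored-> ownage! http://members.chello.nl/h.keuth/w00t!.pif :D
[22:12:28] <censored-> nice! http://members.chello.nl/a.sinnema1/sexy-bitch.pif :P
[22:13:01] <alice> has anyone read http://www.example.org/notes.html ?
[22:13:40] <bob> lol check this http://www.example.org/funny.scr
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print("%s <%s> %s [%s]" % hit)
```

The two verdicts separate a message that matches a known lure exactly from one that merely carries an executable link, so an operator can treat the first as a confirmed worm hit and the second as something to look at.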