These are old archives. They are kept for historic purposes only.
Post Reply
UnrealIRCd head coder
Posts: 1961
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl


Post by Syzop »

A friend of mine noticed these ones today:

Code: Select all

[22:12:24] <censored-> ownage! htxxxxxtp://!.pif :D 
[22:12:28] <censored-> nice! htxxxxxxxxxxxxtp:// :P 
(without the xxxxx's)
[md5 of file (both identical): e43f7b7e202ab30f6744f6a13f9ce325]
At the time of writing, both sites are up and the virus (file) is not recognized by my f-secure antivirus. results:

Code: Select all

Antivirus	Version	Update	Result
AntiVir	02.21.2005	no virus found
AVG	718	02.21.2005	no virus found
BitDefender	7.0	02.21.2005	no virus found
ClamAV	devel-20050130	02.22.2005	Worm.Bropia.N
DrWeb	4.32b	02.21.2005	Trojan.MulDrop.1673
eTrust-Iris	02.21.2005	no virus found
eTrust-Vet	02.21.2005	no virus found
Fortinet	2.51	02.22.2005	no virus found
F-Prot	3.16a	02.21.2005	no virus found
Ikarus	2.32	02.21.2005	no virus found
Kaspersky	02.21.2005	IM-Worm.Win32.Bropia.j
NOD32v2	1.1005	02.21.2005	probably unknown NewHeur_PE virus
Norman	5.70.10	02.21.2005	no virus found
Panda	8.02.00	02.21.2005	no virus found
Sybari	7.5.1314	02.21.2005	no virus found
Symantec	8.0	02.21.2005	no virus found
Anyone seen these before? Or more interesting: is there some increased activity?
They look similar to what I've seen, but then again... all these things look similar anyway ;).

There could be plenty of other variant msgs/urls, he already left so I couldn't ask :P.
Posts: 267
Joined: Tue Jan 18, 2005 3:24 pm
Location: Scotland - United Kingdom

Post by White_Magic »

ive seen the site, but the file extensions werent .pif :|
i spend 4 hrs a day gaming and 14hrs on irc, for 5days a week, im not an addict :D
Posts: 40
Joined: Fri Mar 18, 2005 4:16 am
Location: NYC

Post by fluid »

Like the earlier BROPIA variants, this memory-resident worm spreads copies of itself via MSN messenger.

This worm arrives as a Win32 .EXE file.
Upon execution, this non-encrypted, memory-resident worm drops another file which Trend Micro detects as WORM_RBOT.AOR.

The dropped file can have the filename WINIS.EXE.
Its attributes are set to hidden, system and read-only.
After dropping, WORM_BROPIA.S executes this file.

It drops a JPEG picture file in the root folder, which is usually C:\. It opens the image with Internet Explorer (IE).

It also sets the attributes of this dropped file to read-only, hidden and system to avoid easy detection. After dropping, it executes this file and terminates itself.

The worm propagates using MSN Messenger.
It sends its copy to all contacts found in the MSN Messenger.

It arrives via MSN Messenger with a message that contains the following details:



(message) can be any of the following:

• Huge Turd hahaah! :-P
• LOOK! :-O
• nice! :-P
• ownage! :D
• paris hilton got hacked!! :)
(link) can be any of the following:

• hxxxxp://!.pif
• hxxxxp://
• hxxxxp://
• hxxxxp://
• hxxxxp://
• hxxxxp://!.pif

The links point to the site where the worm can be downloaded.

ref: Trendmicro
Post Reply