W32/Bropia.worm.p

This page shows details and results of our analysis of the malware W32/Bropia.worm.p.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT: 4430 (2005-02-18)

Updated DAT: 4910 (2006-12-04)

Minimum Engine: 5.1.00

File Length: 30,720 bytes

Description Added: 2005-02-18

Description Modified: 2005-02-25

Malware Proliferation

Characteristics

-- Update February 25, 2005 --
The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.
--
This new worm variant propagates through MSN Messenger. However, unlike previous variants, it does not drop the W32/Sdbot.worm.gen worm.

The worm drops a copy of itself into the C:\ directory using any of the following filenames:

  • c:\Beautiful A**.pif
  • c:\John Kerry as Super Chicken.scr
  • c:\Kool.pif
  • c:\Me & you pic!.pif
  • c:\Me P***ed!.pif
  • c:\sexy.pif
  • c:\She Could Fit her A** in a Teacup.pif
  • c:\she's f***in fit.pif
  • c:\titanic2.jpg.pif

(* replaces text)

A copy of the worm is dropped in %SysDir% as Isass.exe, where %SysDir% is either C:\Windows\System32 or C:\WinNT\System32.

The following registry keys are hooked to run the worm at startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Isass" = %SysDir%\Isass.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Isass" = %SysDir%\Isass.exe

The worm creates a mutex object on the infected machine using the name:

  • .:*-F*k-U-*:.

The following processes are disabled on the victim's machine to prevent the user from manually stopping and removing the worm:

  • Regedit.exe - registry editor
  • Mstask.exe - task manager
  • Msconfig.exe - configuration manager
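
As an added example (this is not McAfee tooling and not part of the original description), the following PowerShell script checks a host for the artifacts listed above: the dropped copies in the root of C:\, the Isass.exe copy in the system directory, the "Isass" values under Run and RunServices, and the mutex. The asterisks that mask characters in the listed filenames are reused as -like wildcards, so the masked names still match. The mutex name is used exactly as printed on the page, which is itself masked, so treat it as a placeholder to be replaced with the unmasked name from your own IoC source. The function name Find-BropiaIndicators and the output format are my own; the script assumes PowerShell 4 or later (for Get-FileHash) and an elevated prompt.

```powershell
# Added host triage for the W32/Bropia.worm.p artifacts listed in the description.
# Hypothetical helper written for this page (not McAfee's tooling). Run elevated.

function Find-BropiaIndicators {
    $findings = @()

    # Dropped copies in the root of C:\. The description masks letters with '*';
    # those characters double as -like wildcards here, so masked names still match.
    $dropPatterns = @(
        "Beautiful A*.pif",
        "John Kerry as Super Chicken.scr",
        "Kool.pif",
        "Me & you pic!.pif",
        "Me P*ed!.pif",
        "sexy.pif",
        "She Could Fit her A* in a Teacup.pif",
        "she's f*in fit.pif",
        "titanic2.jpg.pif"
    )
    # -Force includes hidden files; the worm may set attributes on its copies.
    foreach ($file in Get-ChildItem -Path 'C:\' -File -Force -ErrorAction SilentlyContinue) {
        foreach ($pattern in $dropPatterns) {
            if ($file.Name -like $pattern) {
                $findings += "Dropped file: $($file.FullName) ($($file.Length) bytes)"
            }
        }
    }

    # %SysDir%\Isass.exe. The name begins with a capital I, not a lowercase L, so it is
    # a different file from the legitimate lsass.exe that also lives in this directory
    # (NTFS is case-insensitive, but I and l are distinct letters).
    $sysDir = [Environment]::GetFolderPath('System')
    $isass  = Join-Path $sysDir 'Isass.exe'
    if (Test-Path -LiteralPath $isass) {
        $item = Get-Item -LiteralPath $isass
        $hash = (Get-FileHash -LiteralPath $isass -Algorithm SHA256).Hash
        $findings += "Dropped binary: $isass ($($item.Length) bytes, SHA256 $hash)"
    }

    # Startup hooks: a value named "Isass" under both Run and RunServices.
    foreach ($subKey in 'Run', 'RunServices') {
        $keyPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$subKey"
        $value = Get-ItemProperty -Path $keyPath -Name 'Isass' -ErrorAction SilentlyContinue
        if ($null -ne $value) {
            $findings += "Startup hook: $keyPath\Isass = $($value.Isass)"
        }
    }

    # Infection-marker mutex. The name below is the masked form printed in the
    # description; replace it with the unmasked name from your IoC source before
    # relying on this check. Opening an existing mutex does not alter it.
    $mutexName = '.:*-F*k-U-*:.'
    try {
        $mutex = [System.Threading.Mutex]::OpenExisting($mutexName)
        $mutex.Dispose()
        $findings += "Mutex present: $mutexName"
    } catch {
        # WaitHandleCannotBeOpenedException: no such mutex, i.e. the worm is not running.
    }

    return $findings
}

$results = @(Find-BropiaIndicators)
if ($results.Count -eq 0) {
    Write-Output 'No W32/Bropia.worm.p indicators found.'
} else {
    $results | ForEach-Object { Write-Output "[!] $_" }
}
```

The file and registry checks are safe to run on any host; a hit on the Isass.exe copy or either startup value is a strong indicator, while a match on the root-directory filename patterns alone should be confirmed against the 30,720-byte file length given above, since the wildcard patterns are deliberately loose.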

Symptoms

Upon execution, the worm tries to display an image from:

  • http://www.[blocked].com/lol_f***_you_lol/l0l_53xy_l0l.jpg

A web counter on the page is incremented each time it is accessed. However, at the time of writing, the image is unavailable.

Method of Infection

  • Received as an attachment through MSN Messenger
  • User would need to run the attachment manually in order to get infected.

Removal

All Users:
Use the latest engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

IntruShield

The MSN file transfer associated with this threat can be detected by enabling the attack (0x40E04C00) 'IM: MSN (.NET) Messenger File Transfer'.

Variants