Need help? Ask the community or hire an expert.
Go to Avira Answers
Alias:WORM_BROPIA.F, W32/Bropia.worm.g
Type:Worm 
Size:188.928 bytes 
Origin: 
Date:02-03-2005 
Damage: 
VDF Version:6.29.00.99 
Danger:Low 
Distribution:Low 

General DescriptionAffected systems:
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003

Distribution- it spreads itself over MSN Messenger

- has "denial-of-service" functionality


Technical DetailsIf the Worm/Bropia.F is executed, it creates the following files:

\%SystemDIR%\adaware.exe
\%SystemDIR%\VB6.EXE.exe
\%SystemDIR%\lexplore.exe
\%SystemDIR%\Win32.exe
\%SystemDIR%\winhost.exe
\cz.exe

The file CZ.EXE is simply created, because the 5 files named above aren't already present on the system. It creates the following entries in the Windows Registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft \Windows\CurrentVersion\Run]
"win32" = "winhost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft \Windows\CurrentVersion\RunServices]
"win32" = "winhost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\ OLE]
"win32" = "winhost.exe"

and copies itself with the following filenames:

\%SystemDIR%\msnus.exe.
C:\LOL.scr
C:\Webcam.pif
C:\bedroom-thongs.pif
C:\naked_drunk.pif
C:\LMAO.pif
C:\ROFL.pif
C:\underware.pif
C:\Hot.pif
C:\new_webcam.pif

Then the worm shows the following picture using the standard web browser:

http://www.antivir.de/fileadmin/viruslab/brobiaf.jpg

The worm checks the contact list of MSN Messenger and sends a copy to each contact, whose status gets changed.

The Windows volume controller is set on '0'.

The Worm/Bropia.F contains functions able to perform denial-of-service attacks.
Description inserted by Crony Walker on Tuesday, June 15, 2004

Back . . . .