IM-Worm.Win32.VB.a (Kaspersky Lab)
is also known as:
W32.Bropia (Symantec), Win32.HLLW.Bropia (Doctor Web), W32/Bropia-A (Sophos), Win32/Bropia.A.worm (RAV), WORM_BROPIA.A (Trend Micro), Worm/RBot.119296 (H+BEDV), W32/Bropia.A (FRISK), Worm/VB.3.W (Grisoft), Win32.Worm.Bropia.A (SOFTWIN), Worm.Bropia.A (ClamAV), W32/Bropia.A.worm (Panda), Win32/VB.NBF (Eset)
| Detection added | Jan 21 2005 |
| Description added | Jan 27 2005 |
| Behavior | IM Worm |
This worm spreads via the Internet using MSN Messenger. It is written in Visual
Basic and is approximately 160KB in size. The worm contains a backdoor program,
Backdoor.Win32.Rbot.fy, which it extracts from itself and launches on the victim
machine.
Installation
Once launched, the worm copies itself to the root directory (as a rule, C:\)
under one of the following names:
Drunk_lol.pif
love_me.pif
naked_party.pif
sexy_bedroom.pif
Webcam_004.pif
The worm also creates a file in the Windows system directory which will have
one of the names from the list below:
%System%\adaware.exe
%System%\lexplore.exe
%System%\VB6.EXE
%System%\Win32.exe
This file contains the backdoor program.
The worm then registers this file in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\Software\Microsoft\OLE]
"lexplore" = "lexplore.exe"
Propagation via MSN
When launched, the worm accesses the MSN Messenger contact list and sends
itself to all contacts under one of the following names:
Drunk_lol.pif
love_me.pif
naked_party.pif
sexy_bedroom.pif
Webcam_004.pif
Payload
The worm will prevent the following files from being executed:
cmd.exe
taskmgr.exe
The worm will also prevent the user from accessing context menu functions
via the right mouse button.
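
The installation artifacts listed above can be checked against a file listing and an autorun export. The following triage script is an added example, not part of the original description; the function names, the input format, the default system directory and the sample data are assumptions.

```python
import ntpath

# Indicators copied from the description above.
WORM_NAMES = {"drunk_lol.pif", "love_me.pif", "naked_party.pif",
              "sexy_bedroom.pif", "webcam_004.pif"}
BACKDOOR_NAMES = {"adaware.exe", "lexplore.exe", "vb6.exe", "win32.exe"}
AUTORUN_KEYS = {r"hklm\software\microsoft\windows\currentversion\run",
                r"hklm\software\microsoft\windows\currentversion\runservices",
                r"hkcu\software\microsoft\ole"}

def norm_key(key):
    """Lower-case a registry key and shorten the long hive names."""
    k = key.strip("[]").lower()
    return k.replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")

def triage(file_paths, registry_values, system_dir=r"C:\Windows\System32"):
    """Return sorted (kind, detail) findings; system_dir is an assumption."""
    findings = set()
    sysdir = ntpath.normcase(ntpath.normpath(system_dir))
    for path in file_paths:
        folder, name = ntpath.split(ntpath.normcase(ntpath.normpath(path)))
        in_root = ntpath.splitdrive(folder)[1] == "\\"
        if name in WORM_NAMES:
            # A drive root matches the installation step; anywhere else it
            # is only a name match, so it gets a different label.
            findings.add(("worm_copy" if in_root else "worm_named_file", path))
        # Backdoor names count only inside the system directory: VB6.EXE in
        # a Visual Basic install folder is legitimate, and "lexplore.exe"
        # (letter L) must not be confused with iexplore.exe.
        if name in BACKDOOR_NAMES and folder == sysdir:
            findings.add(("backdoor_file", path))
    for key, value_name, data in registry_values:
        # Only the value shown in the description ("lexplore") is matched.
        if (norm_key(key) in AUTORUN_KEYS and value_name.lower() == "lexplore"
                and ntpath.basename(data).lower() == "lexplore.exe"):
            findings.add(("autorun", key + "\\" + value_name))
    return sorted(findings)

# Constructed sample input (not taken from a real host).
SAMPLE_FILES = [r"C:\Drunk_lol.pif", r"C:\WINDOWS\system32\lexplore.exe",
                r"C:\Program Files\Internet Explorer\iexplore.exe",
                r"C:\Program Files\Microsoft Visual Studio\VB98\VB6.EXE",
                r"C:\Users\a\Downloads\love_me.pif"]
SAMPLE_REG = [(r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
               "lexplore", "lexplore.exe"),
              (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
               "ctfmon", r"C:\Windows\System32\ctfmon.exe")]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_FILES, SAMPLE_REG):
        print(f"{kind:16} {detail}")
```

On systems where the system directory is not `C:\Windows\System32`, pass the actual path as `system_dir`.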