This is SERIOUS! Do NOT accept any files by IM right now. From ANYONE.
Upon infection, the worm attempts to spread itself through the host's MSN Messenger contact list. In addition, the worm alters the Windows hosts file, adding more than 900 URLs, reportedly Asian pornography and gaming sites.
The names sent are going to vary greatly as you can see. SOME of the ones sent are:
LMAO, LOL, naked drunk, underware, and ROFL.
sexy_bedroom.pif, drunk_lol.pif, naked_party.pif
webcam_(random number).pif, love_me.pif and similar looking names.
Do not accept files right now from anyone, especially if they don't confirm to you that they are sending you something.
Screenshots taken Feb 2, during file transfer attempts. Always click Decline!
SYMPTOMS: Does your right mouse button seem broken? Chances are high you've been infected with a more recent version of the earlier reported Bropia.A worm.
W32.Bropia.C, also known as IM-Worm.Win32.VB.c and WORM_BROPIA.D, is a worm that travels through MSN Messenger and drops a variant of W32.Spybot.Worm.
The worm propagates itself under the following filenames: hahahaha.pif, LOL.scr, Webcam.pif, me_2005.and sister.pif, with each file being 196,608 bytes (about 192 KB). Do NOT accept, let alone execute, these files whatsoever!
Bropia.C drops and executes the file cz.exe in your c:\ directory, detected as a variant of the W32.Spybot.Worm backdoor known from KaZaA and mIRC.
We recommend that you update and run your antivirus software as soon as possible. More information is available over at Symantec.
Description:
As of February 2, 2005, 6:55 PM (Pacific Standard Time/GMT -8:00), TrendLabs has declared a Medium-Risk alert to control the spread of this new WORM_BROPIA variant that is spreading in Korea, China, Taiwan, and the United States.
This memory-resident worm attempts to propagate itself via MSN Messenger by sending a copy of itself using different file names. Thus, users of the said messaging program should not accept or open these files to avoid infection.
As a general rule, MSN Messenger users should avoid accepting file transfers coming from an untrusted source.
This worm also drops and executes the file SEXY.JPG in the root folder. The said file displays the following image:
It also drops a bot program, which Trend Micro detects as WORM_AGOBOT.AJC.
Unlike its previous variants, this worm also has an anti-debugging technique. That is, this worm will not run if any of the following debugging applications are present on the affected system:
FIX for this Worm:
Take care downloading files, even from folks you know. Check with folks on Messenger just what it is they are sending. Don't get caught out.
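To check a machine against the indicators listed above (the .pif/.scr file names, the 196,608-byte copies, c:\cz.exe and the enlarged hosts file), here is a small triage script. It is an added example, not code from Symantec or Trend Micro; the hosts-file threshold, the function names and the sample hosts content are assumptions made for illustration.

```python
import os

# Indicators taken from the advisory text above.
BROPIA_SIZE = 196_608            # bytes, size of every propagated copy
RISKY_EXT = (".pif", ".scr")     # extensions the worm sends itself under
DROPPED = r"c:\cz.exe"           # file Bropia.C drops and executes
HOSTS_THRESHOLD = 100            # assumption: a normal hosts file is far smaller

def suspicious_transfer(name, size):
    """Return the reasons an incoming file transfer matches the advisory."""
    reasons = []
    if name.lower().endswith(RISKY_EXT):
        reasons.append("executable extension")
    if size == BROPIA_SIZE:
        reasons.append("size matches Bropia copy")
    return reasons

def hosts_entries(text):
    """Parse hosts-file text into (ip, hostname) pairs, skipping comments."""
    pairs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            pairs.extend((fields[0], h.lower()) for h in fields[1:])
    return pairs

def hosts_findings(text, threshold=HOSTS_THRESHOLD):
    """Count entries other than localhost and flag an oversized file."""
    extra = [(ip, h) for ip, h in hosts_entries(text) if h != "localhost"]
    return {"extra_entries": len(extra), "tampered": len(extra) > threshold}

def dropped_file_present(path=DROPPED, exists=os.path.exists):
    """True if the dropped backdoor file is on disk."""
    return exists(path)

# Constructed sample data (not captured from an infected machine).
CLEAN_HOSTS = "# sample hosts file\n127.0.0.1 localhost\n"
TAMPERED_HOSTS = CLEAN_HOSTS + "".join(
    f"127.0.0.1 site{i}.example\n" for i in range(901))

if __name__ == "__main__":
    root = os.environ.get("SystemRoot", r"C:\Windows")
    hosts = os.path.join(root, "System32", "drivers", "etc", "hosts")
    if os.path.exists(hosts):
        with open(hosts, errors="replace") as fh:
            print("hosts:", hosts_findings(fh.read()))
    print("cz.exe present:", dropped_file_present())
    print("naked_party.pif:", suspicious_transfer("naked_party.pif", 196608))
```

A file size match alone is weak evidence; treat it as a reason to scan the file, not as a verdict.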