This is SERIOUS! Do NOT accept any files by IM right now. From ANYONE.

Upon infection, the worm attempts to spread itself through the host's MSN Messenger contact list. In addition, the worm alters the Windows's host file, adding more than 900 URLs, reportedly Asian pornography and gaming sites.

The names sent are going to vary greatly as you can see. SOME of the ones sent are:

LMAO, LOL, naked drunk, underware, and ROFL.

sexy_bedroom.pif, drunk_lol.pif, naked_party.pif

webcam_(random number).pif, love_me.pif and similar looking names.

Do not accept files right now from anyone, esp if they don't confirm to you that they are sending you something.

Screenshots taken Feb 2, during file transfer attempts. Always click Decline!

SYMPTOMS : Does your right mouse button seem broken? Chances are high you've been infected with a more recent version of the earlier reported Bropia.A worm.

W32.Bropia.C, also known as IM-Worm.Win32.VB.c and WORM_BROPIA.D, is a worm that travels through MSN Messenger and drops a variant of W32.Spybot.Worm.

The worm propagates itself under the following filenames: hahahaha.pif, LOL.scr, Webcam.pif, me_2005.and sister.pif, with each file being 196,608 bytes (about 192kb). Do NOT accept, let alone execute these files whatsoever!.

Bropia.C drops and executes the file cz.exe in your c:\ directory, detected as a variant of the W32.Spybot.Worm backdoor known from KaZaA and mIRC.

We recommend you to update and run your antivirus software as soon as possible. More information is available over at Symantec

Description:

As of February 2, 2005, 6:55 PM (Pacific Standard Time/GMT -8:00), TrendLabs has declared a Medium-Risk alert to control the spread of this new WORM_BROPIA variant that is spreading in Korea, China, Taiwan, and the United States.

This memory-resident worm attempts to propagate itself via MSN Messenger by sending a copy of itself using different file names. Thus, users of the said messaging program should not accept or open these files to avoid infection.

As a general rule, MSN Messenger users should avoid accepting file transfers coming from an untrusted source.

This worm also drops and executes the file SEXY.JPG in the root folder. The said file displays the following image:

It also drops a bot program, which Trend Micro detects the said file as WORM_AGOBOT.AJC.

Unlike its previous variants, this worm also has an anti-debugging technique. That is, this worm will not run if any of the following debugging applications are present on the affected system:

NT-ice
Softice

FIX for this Worm:

http://www.sarc.com/avcenter/venc/data/w32.bropia.c.html

Take care downloading files even from folks you know, check out with folks on messenger just what it is they are sending. Don't get caught out.

From the Symantec site

W32.Bropia

Discovered on: January 19, 2005 <TIME>

Last Updated on: January 20, 2005 09:30:45 AM

W32.Bropia is a worm that spreads via Microsoft's MSN Messenger instant message program and drops a variant of W32.Spybot.Worm.

Note: Virus definitions version 70119ao (extended version 2005/1/19 rev. 40) or greater are required to detect both threats.

Also Known As: Win32.Bropia.A [Computer Associates], Bropia.A [F-Secure], IM-Worm.Win32.VB.a [Kaspersky Lab], W32/Bropia.worm [McAfee], W32/Bropia-A [Sophos], WORM_BROPIA.A [Trend Micro]

Type: Worm

Infection Length: 159,744 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Important Announcement The MSN Groups service will close in February 2009. You can move your group to Multiply, MSN’s partner for online groups. Learn More
poetsgallery	[email protected]