Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

Bropia.G - MSN Users Should Remain Vigilant

We may just now be seeing the first notable outbreak of an MSN Messenger worm.

Bropia.G, known by various other letters depending on the antivirus company, is a variant of the slightly successful Bropia family. Like past variants, .G spreads via MSN Messenger to any contact that changes their status (e.g. Busy to Away). Also like previous variants, it contains a backdoor (a version of Spybot). McAfee has details here.

Previous versions heavily utilized the Windows interface in an attempt to spread. It seems this one is more successful. Secunia rates this worm as a medium risk, as does Trend Micro. Infected users will have the file SEXY.JPG dropped to their root folder. It contains an image that is probably intended to be humorous (courtesy of Trend Micro):

SEXY.JPG

This will be displayed after the worm is executed.

File names for this threat are:

  • Bedroom-thongs.pif
  • Hot.pif
  • LMAO.pif
  • LOL.scr
  • Naked_drunk.pif
  • New_webcam.pif
  • ROFL.pif
  • underware.pif
  • Webcam.pif
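A triage check built from the indicators in this post, as an added example that is not from the original post or from any antivirus vendor: it looks for the dropped SEXY.JPG in the root folder and for the listed file names in a folder of received files. The `received_dir` location and the broader flagging of any other `.pif` or `.scr` file are assumptions that go beyond the list above.

```python
import os
import tempfile

# File names listed in the post for Bropia.G (compared case-insensitively).
KNOWN_NAMES = {n.lower() for n in (
    "Bedroom-thongs.pif", "Hot.pif", "LMAO.pif", "LOL.scr", "Naked_drunk.pif",
    "New_webcam.pif", "ROFL.pif", "underware.pif", "Webcam.pif",
)}
DROPPED_IMAGE = "sexy.jpg"           # dropped to the root folder per the post
RISKY_EXTENSIONS = {".pif", ".scr"}  # assumption: generalises the list's extensions


def classify(filename):
    """Return 'known', 'risky-extension' or None for a file name."""
    name = os.path.basename(filename).lower()
    if name in KNOWN_NAMES:
        return "known"
    if os.path.splitext(name)[1] in RISKY_EXTENSIONS:
        return "risky-extension"
    return None


def scan(root, received_dir):
    """Check root for the dropped image, then walk received_dir
    (hypothetical: wherever the IM client saves transfers)."""
    findings = [("dropped-image", os.path.join(root, e)) for e in os.listdir(root)
                if e.lower() == DROPPED_IMAGE]
    for folder, _dirs, files in os.walk(received_dir):
        for f in files:
            verdict = classify(f)
            if verdict:
                findings.append((verdict, os.path.join(folder, f)))
    return sorted(findings)


def demo():
    """Build a constructed directory layout and scan it (runs offline)."""
    with tempfile.TemporaryDirectory() as root:
        received = os.path.join(root, "Received Files")
        os.makedirs(received)
        for path in ("Sexy.jpg", "Received Files/WEBCAM.PIF",
                     "Received Files/holiday.scr", "Received Files/notes.txt"):
            open(os.path.join(root, *path.split("/")), "w").close()
        return [(kind, os.path.relpath(p, root).replace(os.sep, "/"))
                for kind, p in scan(root, received)]


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:16} {path}")
```

A hit on a listed name is a strong indicator; a `risky-extension` hit only means the file deserves a look before anyone opens it.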

Targeted users will see a window like the following when the worm tries to send itself to them under the name of the infected user (courtesy of Trend Micro):

The worm also tries to spread to users of Windows Messenger. However, this fails, because built-in security features prevent it. The following text will instead be seen, with naked_drunk.pif being the file name:

The transfer of the file “naked_drunk.pif” has been blocked because it could be unsafe.

Worms like these generally spread amongst communities of MSN users, and regionalization of infection is not uncommon. According to Trend Micro statistics, 89.7% of infections so far originate from Asia. In fact, Taiwan alone counts for 60.8% of infections worldwide.

I can, however, attest to this worm being in the wild in the United States, which currently accounts for 6% of infections. I received a report from a user two days ago who said her computer was trying to send Webcam.pif. This was after the worm was isolated, but before a description was posted.

Fortunately, like past versions of Bropia, the author did not take the time to add a start-up routine. Rebooting the machine seems to remove this worm from memory. This means that it is likely the worm will become nearly extinct within a few months, depending on how quickly it is currently spreading.

In the meantime, though, it is worth keeping careful watch on.