View Full Version : Beware


cHilli
02-15-2005, 02:34 AM
CCN (http://www.ccnmag.com/news.php?id=3168)


On February 3, Global Hauri announced a high alert for a fast spreading variant of the Bropia-worm that started spreading out last week. The new Bropia mutation, aka 'Worm.Win32.Bropia.188928' is spreading much faster and is far more devastating for MSN messenger users than its predecessors, Bropia A and C.

Symptoms: A file seemingly sent from a "buddy" is loaded with the virus and infects the PC as soon as it's opened. Remote access hijacks the infected PC. Volume differences and right mouse click might indicate to the PC user that "something is wrong here."

Causes:

Once the Bropia infects a system, it resides in the Memory and continues spreading through MSN Messenger. Bropia is a member of the Rbot family of worms affecting the Windows platform, which installs a backdoor on the system and gives an attacker a way of accessing and controlling the infected system remotely, allowing unauthorized remote access to the infected computer via specific IRC channels while running in the background as a service process. Yet another interesting component of the new Bropia is that it is loaded with a Bot virus component that opens the 1294 port.

File Names: The new Bropia copies itself into the system folders and creates one of the following file names:
-- LOL.scr
-- Webcam.pif
-- bedroom-thongs.pif
-- naked_drunk.pif
-- LMAO.pif
-- ROFL.pif
-- underware.pif
-- Hot.pif
-- new_webcam.pif


System folders:

The infected system folder can vary, depending on each user's configuration. However, the most common are:
C:\Windows\System (Windows 95/98/Me),
C:\Winnt\System32 (Windows NT/2000),
C:\Windows\System32 (Windows XP)

Remedy:

First, temporarily block out 1294 ports with any firewall. This is not a "spreading" port but the PC might receive an attack order from this port.

"Once you have this virus you are in big trouble. Problem is, the infected file looks just like a message from one of your buddies. The only prevention is to not open any files that come through the messenger and get a good antivirus software. For example, Global Hauri's antivirus engine ViRobot immediately destroys the malicious code even before it can install itself. If not treated, there is a strong likelihood that the virus is 'timed' to launch further attacks in 15 days," explains Eric Kwon, antivirus specialist and CEO of Global Hauri.
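A triage check built from the indicators in the quoted advisory (the listed file names, system folders and port 1294), as an added example that is not part of the original thread or any vendor's tooling. The function names and the sample `netstat -an` output are constructed; the advisory does not say whether the port is TCP or UDP, so both are matched.

```python
import os
import re

# File names, folders and port exactly as listed in the quoted advisory.
BROPIA_NAMES = {"lol.scr", "webcam.pif", "bedroom-thongs.pif", "naked_drunk.pif",
                "lmao.pif", "rofl.pif", "underware.pif", "hot.pif", "new_webcam.pif"}
SYSTEM_DIRS = [r"C:\Windows\System", r"C:\Winnt\System32", r"C:\Windows\System32"]
BOT_PORT = 1294

def find_dropped_files(dirs=SYSTEM_DIRS, names=BROPIA_NAMES):
    """Return paths of regular files in `dirs` whose name is on the list.
    Windows file names are case-insensitive, so compare lowercased."""
    hits = []
    for d in dirs:
        try:
            entries = os.listdir(d)
        except OSError:              # folder does not exist on this Windows version
            continue
        for entry in entries:
            path = os.path.join(d, entry)
            if entry.lower() in names and os.path.isfile(path):
                hits.append(path)
    return sorted(hits)

# One `netstat -an` row: proto, local addr:port, foreign addr, optional state.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)

def port_open_rows(netstat_text, port=BOT_PORT):
    """Return (proto, local_addr, state) for rows whose LOCAL port equals `port`."""
    rows = []
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if m and int(m.group(3)) == port:   # exact match, so 12940 is not a hit
            rows.append((m.group(1).upper(), m.group(2), m.group(5) or ""))
    return rows

# Constructed sample output, not captured from a real host.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1294           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:12940     203.0.113.7:80         ESTABLISHED
"""

if __name__ == "__main__":
    print("Suspicious files:", find_dropped_files())
    print("Port 1294 rows:  ", port_open_rows(SAMPLE_NETSTAT))
```

On a live machine, pass the real output of `netstat -an` to `port_open_rows` instead of the sample text.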

Laguna Loire
02-15-2005, 03:30 PM
Argh...I hate MSN viruses...

Nitrous
02-15-2005, 03:54 PM
*sigh* People that invent these worms have no lives......

cHilli
02-15-2005, 04:01 PM
Maybe it's antivirus companies who create them so we will buy their products? ;)

Nitrous
02-15-2005, 04:05 PM
Maybe it's antivirus companies who create them so we will buy their products? ;)

Yea my mum says that a lot.... I dunno it's possible I guess.

Laguna Loire
02-15-2005, 04:10 PM
Goddamn, that reminds me of Deus Ex...How they make the virus so they make money out of the Ambrosia...Lol.

That'd be a huge virus conspiracy if there was some proof that anti-virus companies do that...Yeah, I'm watching you Symantec...*shifty eyes*

[N]eto
02-15-2005, 07:51 PM
Maybe it's antivirus companies who create them so we will buy their products? ;)

Fact.

Why do you think they stated, in their own warning about this worm, that only their program can stop it?

yan-bayan
02-15-2005, 09:27 PM
i bet it's like a competition between hackers, who can make more infectious virus.

Invader_gir
02-15-2005, 11:24 PM
i bet it's like a competition between hackers, who can make more infectious virus.
is this that thing how people send you stuff?
i've been having a lot of people come and send me stuff but they aren't the files but the short cuts and i'm sick of people sending my shortcuts because they won't work so i say to that that they won't work and they cancel it and go offline...
and it's heaps of people >:I
the files are called things like 'me pissed!', 'sunday' and some others that i can't remember

Peppage
02-16-2005, 07:09 AM
meh.. AVG is a free anti virus and it works fine.