Tue, Nov 19, 7:38 AM CST

Renderosity Forums / Community Center

All Forums

Welcome to the Community Center Forum

Forum Moderators: wheatpenny Forum Coordinators: Anim8dtoon

Community Center F.A.Q (Last Updated: 2024 Nov 18 11:26 am)

Forum news, updates, events, etc. Please sitemail any notices or questions for the staff to the Forum Moderators.

Subject: warning to all MSN Messenger Users

Khai opened this issue on Feb 02, 2005 · 6 posts
Back to Forum Print
Khai ( ) posted Wed, 02 February 2005 at 7:25 PM · edited Wed, 30 October 2024 at 11:53 PM

not sure what the problem is as yet, but there seems to be a virus spreading via Messenger (this is MSN Messenger not windows messenger) so far I've intercepted 14 attempts at others trying to transfer files to me. the users have no knowledge that Messenger is doing this. please check with the user before hitting accept. if someone can verify if there is a new virus on the scene doing this I'd be greatful!

Khai ( ) posted Wed, 02 February 2005 at 7:45 PM

found it lol it's http://www.f-secure.com/v-descs/bropia_a.shtml " NAME: Bropia.A ALIAS: IM-Worm.Win32.VB.a Summary Bropia.A is a worm that uses MSN messenger for spreading by sending itself as "Drunk_lol.pif", "Webcam_004.pif", "sexy_bedroom.pif", "naked_party.pif" or "love_me.pif". It also drops a variant of Rbot on the infected computer. Detailed Description When run, the worm checks files adaware.exe VB6.EXE lexplore.exe Win32.exe If these files are not found, it drops file oms.exe and executes it. This file is a variant of Rbot. When "oms.exe" is run, it copies itself as "lexplore.exe" and adds the following registry keys: [HKLMSoftwareMicrosoftWindowsCurrentVersionRun] "lexplore" = "lexplore" [HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices] "lexplore" = "lexplore" This ensures that it will be executed at next system startup. The bot can be used as a backdoor, collecting system information, logging keystrokes, relaying spam and for various other purposes. Brobia.A can also disable mouse right button and manipulate Windows mixer volume settings. MSN spreading The worm copies itself in C-directory using one of the following filenames: Drunk_lol.pif Webcam_004.pif sexy_bedroom.pif naked_party.pif love_me.pif Then it attempts to send this file using MSN messenger to all active MSN contacts. The MSN messenger window has to be open on the infected computer's desktop for this to be successful. " watch yourselves.. this one's active and getting more active...

simdragon ( ) posted Wed, 02 February 2005 at 10:00 PM

So as long as you have AdAware, this worm won't try to install itself?

Erlik ( ) posted Thu, 03 February 2005 at 2:58 AM

simdragon, those are all virus files, except VB6 - Visual Basic 6, but it's also a worm if it's located in a different directory. So, if Bropia doesn't find those viruses, it installs itself. It probably means that the authors are the same.

-- erlik

simdragon ( ) posted Thu, 03 February 2005 at 5:06 AM

Ah, I saw that and thought you meant the AdAware program. Thanks for the clarification. =)

hauksdottir ( ) posted Thu, 03 February 2005 at 8:54 PM

Ad-aware.exe the real program uses the hyphen.

Privacy Notice

This site uses cookies to deliver the best experience. Our own cookies make user accounts and other features possible. Third-party cookies are used to display relevant ads and to analyze how Renderosity is used. By using our site, you acknowledge that you have read and understood our Terms of Service, including our Cookie Policy and our Privacy Policy.