The Tridecadal Korean (astralblue) wrote,
The Tridecadal Korean
astralblue

PSA: Virus Alert

Since I know some of you guys use MSN Messenger...

Variants of W32.Bropia virus are spreading quickly over MSN Messenger and Windows Messenger.

Do not accept any .pif files.  If you did, do not open or run it.

Following is a summary of virus information taken from Symantec's webpage about variant type C:

When W32.Bropia.C is executed, it performs the following actions:

  1. Opens and locks the following files to prevent these programs from being started:

    • %System%\taskmgr.exe
    • %System%\cmd.exe

    Note: %System% is a variable that refers to the System folder.  By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Searches for the following files:

    • %System%\winexec32.exe
    • %System%\adaware32.exe
    • %System%\VB6.EXE
    • %System%\iexplore.exe

  3. If the files are not present on the computer, the worm drops and executes the following file:

    C:\cz.exe

    Note: The dropped file is detected as a variant of W32.Spybot.Worm.

  4. Copies itself to the C drive using one of the following file names:

    • LOL.scr
    • Webcam.pif
    • hahahaha.pif
    • me_2005.pif
    • sister.pif

  5. Attempts to send itself through MSN Messenger.  It monitors for any change in the status of MSN Messenger contacts.

  6. Disables the right mouse button.

Note: Different antivirus program vendors report different .exe and .pif filenames which it stores itself under and also transmits itself as.  I have also seen other .pif filenames being offered to me.  All such offered files were .pifs, though.

Subscribe

  • Post a new comment

    Error

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.
  • 3 comments