HAURI News

New Bropia worm rated
02/03/05
SEOUL, Feb. 3 — Korean security specialists at Global Hauri are warning of a new variant of the recently discovered Bropia worm, which is more dangerous than its predecessor.

Symptoms include a file, seemingly sent from a "buddy," which is loaded with the virus and infects the PC as soon as it is opened. The infected PC is then hijacked through remote access. Volume differences and changes in right-mouse-click behavior might indicate to the PC user that something is wrong.

Once Bropia infects a system, it resides in the memory and continues spreading through MSN Messenger. Bropia is a member of the Rbot family of worms affecting the Windows platform, which installs a back door on the system and gives an attacker a way of accessing and controlling the infected system remotely. That would allow unauthorized remote access to the infected computer via specific IRC channels while running in the background as a service process.

Another notable point is that the new Bropia carries a bot component that opens port 1294.

The new Bropia copies itself into the system folder under one of the following file names: LOL.scr, Webcam.pif, bedroom-thongs.pif, naked_drunk.pif, LMAO.pif, ROFL.pif, underware.pif, Hot.pif or webcam.pif.

The infected system folder can vary, depending on each user's configuration, with the most common being C:\Windows\System (Windows 95/98/Me); C:\Winnt\System32 (Windows NT/2000) and C:\Windows\System32 (Windows XP).

The worm can be temporarily disabled by blocking port 1294 with any firewall. This is not a "spreading" port, but the PC might receive an attack order through it.
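The indicators above can be checked with a short script. The following is an added example, not HAURI's tooling: the file names, system folders and port 1294 come from the article, while the function names and the `netstat -an` sample are constructed for illustration.

```python
import os
import re

# Indicators taken from the article above (names compared case-insensitively).
BROPIA_FILE_NAMES = {"lol.scr", "webcam.pif", "bedroom-thongs.pif", "naked_drunk.pif",
                     "lmao.pif", "rofl.pif", "underware.pif", "hot.pif"}
BROPIA_PORT = 1294
SYSTEM_DIRS = [r"C:\Windows\System", r"C:\Winnt\System32", r"C:\Windows\System32"]

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1294           0.0.0.0:0              LISTENING
  TCP    192.168.0.5:3050       10.0.0.9:1294          ESTABLISHED
  UDP    0.0.0.0:12940          *:*
"""

def find_dropped_files(directories):
    """Return sorted paths of files whose name matches one of the listed names."""
    hits = []
    for d in directories:
        if not os.path.isdir(d):
            continue  # folder layout differs per Windows version
        for name in os.listdir(d):
            path = os.path.join(d, name)
            if name.lower() in BROPIA_FILE_NAMES and os.path.isfile(path):
                hits.append(path)
    return sorted(hits)

# proto, local address, local port, foreign address, optional state
_NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?", re.I)

def sockets_on_port(netstat_text, port=BROPIA_PORT):
    """Return (proto, local_addr, state) for sockets whose LOCAL port equals `port`."""
    found = []
    for line in netstat_text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if m and int(m.group(3)) == port:
            found.append((m.group(1).upper(), m.group(2), m.group(5) or ""))
    return found

if __name__ == "__main__":
    for path in find_dropped_files(SYSTEM_DIRS):
        print("suspicious file:", path)
    for proto, addr, state in sockets_on_port(SAMPLE_NETSTAT):
        print("port %d open locally: %s %s %s" % (BROPIA_PORT, proto, addr, state))
```

A file-name match is only a lead for further inspection, since the names are generic; a local listener on port 1294 together with one of these files in the system folder is the stronger signal.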