W32/Bropia.worm.gen

Type: Virus
SubType: Internet Worm
Discovery Date: 01/19/2005
Length: 159,744 bytes
Minimum DAT: 4421 (01/20/2005)
Updated DAT: 5353 (08/04/2008)
Minimum Engine: 5.1.00
Description Added: 01/19/2005
Description Modified: 01/26/2005 7:23 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This worm may spread via MSN Messenger with the following filenames:

  • Drunk_lol.pif
  • Webcam_004.pif
  • sexy_bedroom.pif
  • naked_party.pif
  • love_me.pif

When run, the worm attempts to send a file to contacts whose status has changed, by hooking the user interface windows and buttons.  This may not be an effective way for the worm to spread in many situations.

Symptoms

The worm also attempts to disable CMD.EXE, TASKMGR.EXE, the mouse RIGHT-CLICK, and the CTRL-ALT-DELETE key combination.

It installs (drops) a new W32/Gaobot.worm variant to C:\oms.exe (119,296 bytes).

The worm copies itself to the root directory of the root drive, using one of the aforementioned filenames.  It does not otherwise install itself on the system (it does not create any registry or other startup hooking locations). 
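
A triage check for the file artifacts listed above, as an added example (not part of the original description or any vendor tooling): it looks in a drive's root directory for the five worm filenames and for oms.exe, and compares each file's size with the lengths stated on this page. The function name, the confidence labels, and the choice to report a size mismatch as a weaker "name-only" hit are assumptions of the example.

```python
import os
import sys

# Indicators copied from the description above.
WORM_SIZE = 159_744                      # stated length of the worm
WORM_NAMES = {"drunk_lol.pif", "webcam_004.pif", "sexy_bedroom.pif",
              "naked_party.pif", "love_me.pif"}
DROPPED = {"oms.exe": 119_296}           # Gaobot variant dropped to C:\oms.exe


def triage_root(root):
    """Return sorted (path, indicator, confidence) tuples for files directly in root.

    confidence is "name+size" when the size equals the length given in the
    description, otherwise "name-only" (assumed to be worth a manual look,
    since the stated lengths describe one analysed sample).
    """
    findings = []
    with os.scandir(root) as entries:
        for entry in entries:
            # Only regular files count; a directory with a matching name is ignored.
            if not entry.is_file(follow_symlinks=False):
                continue
            name = entry.name.lower()    # Windows filenames are case-insensitive
            if name in WORM_NAMES:
                expected, label = WORM_SIZE, "worm copy"
            elif name in DROPPED:
                expected, label = DROPPED[name], "dropped Gaobot variant"
            else:
                continue
            size = entry.stat(follow_symlinks=False).st_size
            confidence = "name+size" if size == expected else "name-only"
            findings.append((entry.path, label, confidence))
    return sorted(findings)


if __name__ == "__main__":
    # Default to the system drive root on Windows, or the filesystem root elsewhere.
    drive = os.environ.get("SystemDrive")
    default_root = drive + "\\" if drive else os.path.abspath(os.sep)
    root = sys.argv[1] if len(sys.argv) > 1 else default_root
    for path, label, confidence in triage_root(root):
        print(f"{confidence:10} {label:24} {path}")
```

Pass a different root as the first argument to check a mounted disk image instead of the live system drive.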

Method of Infection

This worm attempts to spread via MSN Messenger.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Bropia (Symantec)
  • Win32.Bropia.A (CA)
