
W32/Brepibot

Type: Virus
SubType: Win32
Discovery Date: 04/20/2005
Length: Varies
Minimum DAT: 4473 (04/20/2005)
Updated DAT: 4687 (02/01/2006)
Minimum Engine: 5.1.00
Description Added: 04/20/2005
Description Modified: 02/01/2006 6:04 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

-- Update February 1, 2006 --
There were more mass-spammings of a new Brepibot variant recently (filesize: 31,232 bytes). The 4687 DAT files contain updated detection to cover this new variant. One example of a spammed message is as follows:

Subject: Website Browsing Problem
Body:

Hello,

I noticed whilst browsing your site that there were problems with some of your links, when I tried again with Internet Explorer the problems were not there so I assume that they were caused by me using the Mozilla browser.

As more people are turning to alternative browsers now it may be of help for you to know this. I have enclosed a screen capture of the problem so your team can get it fixed if you deem it an issue.

Kind regards,
(fake sender name, company details)

Attachment: ZIP archive containing "Screen Capture of Website.scr"

-- Update January 30, 2006 --
There were several mass-spammings of new Brepibot variants recently.  The 4685 DAT files contain updated detection to cover the new variants.  One example of a spammed message is as follows:

Subject: Requesting Photo Approval
Body:

Hello,

Your photograph has reached editing stage as part of an article we are publishing for our February edition of Traders World Monthly. Can you check over the format and get back to us with your approval or any changes?
If the picture is not to your liking then please send a preferred one. We've attached the photo with the article here.

Attachment: photo and article.exe

Installation

When the file is run, the worm copies itself to the Windows System directory. (For example, c:\Windows\System32\csrnvrt.exe)

The following registry keys are created to load the worm at startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "WindowsDiskLog" = csrnvrt.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "WindowsDiskLog" = csrnvrt.exe

-- Update November 17th 2005 --
A new variant was mass-spammed in an email message as follows:

Subject: Website Browsing Problem
Body:

Hello,

I noticed whilst browsing your site that there were problems with some of
your links, when I tried again with Internet Explorer the problems were not
there so I assume that they were caused by me using the Mozilla browser.

As more people are turning to alternative browsers now it may be of help
for you to know this. I have enclosed a screen capture of the problem so
your team can get it fixed if you deem it an issue.

Kind regards,

James Andrews
Dept. Publishing
http://www.FlexiPrint.co.uk

 ****** This email is sent for and on behalf of FlexiPrint Limited ******
Confidentiality:  This email and its attachments are intended for the above
named only and may be confidential.  If they have come to you in error you
must take no action based on them, nor must you copy or show them to anyone
(See attached file: Screen Capture.zip)

Attachment: Screen Capture.zip (containing so.scr)

-- Update November 10th 2005 --
Several recent variants of this worm install themselves onto victim machines with a filename crafted so that the file is hidden on machines where specific Digital Rights Management (DRM) software is running. That software is designed to hide files and processes whose filename starts with the string "$sys$".

These variants have been detected and repaired as W32/Brepibot since the 4614 DATs - release date October 27th 2005.

For more information on the DRM software, please read the XCP potentially unwanted program description.
--

There are several variants of this worm, and the specific actions taken are decided by the hacker who uses this malware, so this description is meant as a general guide.

This detection is for a simple Internet Relay Chat (IRC) bot worm.

This worm is designed to contact a list of remote IRC servers and wait for further instructions.  It can respond to the attacker with information about the infected system's uptime, and it can also execute or delete files specified by the attacker.
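The behaviour just described (connect to a list of IRC servers, then sit on the connection waiting for commands) leaves a network footprint a defender can look for. The following is an added example, not AVERT code: it runs over constructed flow records in an assumed "timestamp src dst dport duration" layout and reports internal hosts that talk to several distinct IRC servers or hold one IRC session open for a long time, which fits a bot idling for instructions better than a person chatting.

```python
"""Spot hosts that hold open connections to IRC ports, the bot's command channel.

Added example, not part of the AVERT description. Input is constructed flow
records in the form "timestamp src dst dport duration_seconds"; that layout is
an assumption, so map your own firewall or flow export onto it.
"""
import re
from collections import defaultdict

IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}   # common IRC / IRC-over-TLS ports

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<dur>\d+)$"
)


def parse_flow(line):
    """Parse one flow record; return None for lines that do not fit the layout."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "duration": int(m["dur"])}


def irc_c2_suspects(lines, min_servers=2, min_duration=900):
    """Return {src_host: {"servers": [...], "max_duration": n}} for bot-like hosts.

    A host is reported when it reaches at least min_servers distinct IRC servers
    (the worm carries a list of them) or keeps one IRC session open for at least
    min_duration seconds (waiting for further instructions).
    """
    per_host = defaultdict(lambda: {"servers": set(), "max_duration": 0})
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["dport"] not in IRC_PORTS:
            continue
        info = per_host[flow["src"]]
        info["servers"].add(flow["dst"])
        info["max_duration"] = max(info["max_duration"], flow["duration"])
    return {
        host: {"servers": sorted(info["servers"]), "max_duration": info["max_duration"]}
        for host, info in per_host.items()
        if len(info["servers"]) >= min_servers or info["max_duration"] >= min_duration
    }


# Constructed flow records: 10.0.0.15 behaves like the bot, 10.0.0.7 like a person.
SAMPLE_FLOWS = """\
2005-11-17T08:00:01 10.0.0.15 198.51.100.20 6667 12
2005-11-17T08:00:03 10.0.0.15 198.51.100.21 6667 9
2005-11-17T08:00:05 10.0.0.15 203.0.113.8   6667 7200
2005-11-17T09:12:40 10.0.0.7  198.51.100.90 6667 420
2005-11-17T09:15:00 10.0.0.7  192.0.2.44    443  3
2005-11-17T09:20:00 10.0.0.9  192.0.2.10    80   1
""".splitlines()

if __name__ == "__main__":
    for host, info in irc_c2_suspects(SAMPLE_FLOWS).items():
        print(host, info)
```

The thresholds are deliberately parameters: lowering min_duration on a network where nobody should be using IRC at all turns the check into a simple "any IRC session" alert.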

Installation

When the file is run, the worm copies itself to the Windows System directory. (For example, c:\Windows\System32\cstsm.exe)

The following registry keys are created to load the worm at startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "WindowsDiskLog" = cstsm.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "WindowsDiskLog" = cstsm.exe

Symptoms

Presence of the file and registry entries noted above
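The file and registry entries listed above can be checked for offline from an exported copy of the Run keys. The script below is an added example, not AVERT code: it parses the text of a .reg export and reports Run values that match the indicators in this description, covering both the cstsm.exe and csrnvrt.exe variants, the shared "WindowsDiskLog" value name, and the "$sys$" filename prefix from the November 10th update. The .reg text it ships with is constructed for the demo, and the $sys$drv.exe name in it is made up.

```python
r"""Flag Brepibot-style autorun entries in a Windows registry export.

Added example for this description; it is not AVERT code. It reads the text of
a .reg file (for example produced with
  reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
and decoded from UTF-16 to str) and reports Run values matching the indicators
above: the value name "WindowsDiskLog", the filenames csrnvrt.exe / cstsm.exe,
or a filename starting with "$sys$" (hidden by the XCP DRM software).
"""
import ntpath
import re

# Both Run keys the worm writes its startup value to.
RUN_KEY_RE = re.compile(
    r"^\[(HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run)\]$",
    re.IGNORECASE,
)
# A REG_SZ value line inside a key block: "name"="data" (with \" and \\ escapes).
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

KNOWN_VALUE_NAME = "windowsdisklog"             # value name used by the variants above
KNOWN_FILENAMES = {"csrnvrt.exe", "cstsm.exe"}  # filenames from the description
HIDDEN_PREFIX = "$sys$"                         # prefix hidden by the XCP DRM software


def _unescape(s):
    """Undo the two escapes .reg files use inside quoted strings."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _target_path(data):
    """First token of a Run value's data: a quoted path, or text up to the first space."""
    s = _unescape(data).strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def classify_run_value(name, data):
    """Return the reasons a Run value matches the Brepibot indicators (empty if none)."""
    reasons = []
    # A bare filename such as csrnvrt.exe is resolved through the search path,
    # which includes the System directory the worm copies itself to.
    filename = ntpath.basename(_target_path(data)).lower()
    if name.lower() == KNOWN_VALUE_NAME:
        reasons.append("value name WindowsDiskLog used by Brepibot")
    if filename in KNOWN_FILENAMES:
        reasons.append(f"filename {filename} used by a known Brepibot variant")
    if filename.startswith(HIDDEN_PREFIX):
        reasons.append("filename starts with $sys$ and is hidden where XCP is installed")
    return reasons


def scan_reg_export(text):
    """Walk a .reg export and return a list of suspicious Run values."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):                 # a key header starts a new block
            m = RUN_KEY_RE.match(line)
            current_key = m.group(1) if m else None
            continue
        if current_key is None:
            continue                             # not inside a Run key
        m = VALUE_RE.match(line)
        if not m:
            continue                             # default value, binary data, blank line
        name, data = m.group(1), m.group(2)
        reasons = classify_run_value(name, data)
        if reasons:
            findings.append({"key": current_key, "name": name,
                             "data": _unescape(data), "reasons": reasons})
    return findings


# Constructed .reg export for the demo (the $sys$drv.exe name is made up).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" /background"
"WindowsDiskLog"="csrnvrt.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Windows\\System32\\$sys$drv.exe"
"""

if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} -> {f['data']}: {'; '.join(f['reasons'])}")
```

Note that the "$sys$" check only helps when looking at data gathered from outside the infected system's own view (an exported hive, a disk image, or a boot from clean media); on a machine where the DRM software is active, tools running under it will not show those files or processes at all.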

Method of Infection

AVERT has received reports of this worm being received in an email message as follows:

Subject: Campus Life

Hello,

We have been thinking of including you in the new campus magazine in an
article headed "Campus Life".  Can you approve the photo and article for
us before we go to printing please.

If any details are wrong then we can amend before printing on Tuesday
1st November so please get back to us as soon as possible.

Many Thanks & Best Regards,

J Chuang
Editor

*******************************************************************************
Please respond before Tuesday to ensure we have time to edit!
*******************************************************************************
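Every lure quoted in this description delivers the worm the same way: an executable attachment, either bare but named like a document ("photo and article.exe") or wrapped in a ZIP archive ("Screen Capture.zip" containing so.scr). The following is an added example, not AVERT code, of the mail-gateway check that catches both shapes; it inspects attachment names, opens ZIP attachments to inspect the names inside, and builds its own sample messages so it runs offline.

```python
"""Flag executable mail attachments, including ones wrapped in a ZIP archive.

Added example, not part of the AVERT description. Sample messages are
constructed in build_sample_message; the attachment bodies are placeholder
bytes, not real programs.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Windows executable types seen in this worm's lures, plus common equivalents.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
ARCHIVE_SUFFIXES = (".zip",)


def _is_executable(name):
    return name.lower().endswith(EXECUTABLE_SUFFIXES)


def executable_attachments(raw_message):
    """Return [(attachment name, inner name or None)] for every executable found."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _is_executable(name):
            hits.append((name, None))
        elif name.lower().endswith(ARCHIVE_SUFFIXES):
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                    for inner in archive.namelist():
                        if _is_executable(inner):
                            hits.append((name, inner))
            except zipfile.BadZipFile:
                # An archive the gateway cannot open cannot be cleared either.
                hits.append((name, "<unreadable archive>"))
    return hits


def build_sample_message(attachment_name, inner_name=None):
    """Construct a lure-shaped message; inner_name wraps the payload in a ZIP."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "webmaster@example.invalid"
    msg["Subject"] = "Website Browsing Problem"
    msg.set_content("Hello,\n\nI have enclosed a screen capture of the problem.\n")
    fake_binary = b"MZ placeholder bytes, not a real program"   # constructed
    if inner_name is None:
        msg.add_attachment(fake_binary, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    else:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as archive:
            archive.writestr(inner_name, fake_binary)
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for att, inner in (("Screen Capture.zip", "so.scr"),
                       ("photo and article.exe", None),
                       ("photo.jpg", None)):
        print(att, "->", executable_attachments(build_sample_message(att, inner)))
```

The check keys on names rather than content, which is enough for these lures; a production gateway would also look at the file header of each member, since a renamed executable inside the archive would slip past a suffix list.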

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Backdoor.Ryknos (Symantec)
  • Troj/Stinx-E (Sophos)
  • Troj/Stinx-F (Sophos)
