FLX
Hey,
I was just chatting on MSN about 45 mins ago, till I suddenly got spammed by 10 ppl with the message:
CODE
    wtf.... hXXp://members.chello.nl/g.geurts1/handcuffs.pif :D

Anywayz, there are a lot of (stupid) ppl that think it's a gif and open it.
Then it infects ur PC and spreads itself thru your MSN list.
That's as far as I know.

Anywayz, the host (Chello) is contacted and the webpage shut down, so ppl can't download it anymore.
Unfortunately, my sister and a lot of ppl I know got infected.
Anybody know this virus? It ain't got caught by any A/V, not even with heuristics...

see attachment for original virus
Handle with caution!!!!

Thanks,
FLX

[eXPhase
LOL I also got this one! It's spreading on NL people I think. Saw some other people talking about it on mIRC. Stupid guy putting something on his webspace lol. I think he got some trouble with his ISP.
Reclone
According to Kaspersky it's "infected by IM-Worm.Win32.Bropia.g".
bonarez
Freshly updated Free-AV sees no harm (not using MSN anyways).

Anyone check the company name? > cia

Couldn't make up much with a hex viewer.. can anyone tell what it is packed/crypted with?
ash^
I tried opening it with Hex Workshop.. it wasn't having none of it, so I copied and renamed the .pif to .exe and it just screwed the file up. I opened the .pif in PEiD to see what it was packed/crypted with; it says PESpin, but I don't think it is, I think it's just the .pif header it's finding.. interesting worm.
Jeffrey
Hey Guys...

I was spammed too, but didn't open it..

But found out that there was a removal tool for those infected....

hxxp://securityresponse.symantec.com/avcenter/venc/data/w32.bropia.removal.tool.html

Cheers!
Warlord_David
Hmm, well it also gives ya something called winis.exe which is trying to reach out to the address "update.3-a.net", port: PROXY:8080
apoc_neo
It is packed... UPX does not unpack it, but it is a Windows prog. I guess probably someone's idea of a good rootkit. Or botnet spreader. But if you can find a way to unpack it (I would, I don't have time) then you just open it in hex and you can find out lots about it.
jase_uk
Yeah it is a botnet spreader. This is called the Bropia worm.

It is just someone who took advantage of MSN's vulnerability, which was an exploit which let u do variable buffer overflows and be able to send files to other contacts without their permission.

Hackers started taking this vulnerability to their advantage and started to make worms that spread via the vulnerability of MSN, allowing it to travel with ease from 1 contact to another. AVs wouldn't pick this up; it was just a simply made backdoor which wasn't detected.

U can find the exploit for this if u search on the internet, but there is no use, Microsoft patched it not long ago, to stop any more backdoor droppers sending.
IcedOut3E
Yeah it was patched (for me at least) the day I saw it on the net. Luckily I didn't get any spamming from anyone.

I believe there is a Bropia removal tool made by a member in the File Downloads section if you wanna try that out (you have to be a member to view that thread though), as well as the removal tool from Symantec suggested above in previous posts.
AdmiralB
.pif is one of those files that can be used to attach some files and viruses sometimes.
Just take note of it.

*wonders* when the day .mp3 will get it too :X
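An added example (my own Python, not code from any poster in this thread): ash^ above tried to work out by hand whether the .pif was really a Windows program, and AdmiralB's point is that .pif is an extension Windows will run. This checker does both jobs on an MSN file transfer: it flags names ending in an executable extension, and it parses the file's own header (MZ stub, e_lfanew, PE signature, COFF header, section table) to tell whether the bytes are a PE image whatever the name claims. The extension list and the minimal PE sample are constructed for the demo.

```python
import struct

# Extensions Windows treats as programs although they do not look like one to a
# casual MSN user (constructed list for this example, not exhaustive).
EXEC_EXTENSIONS = {"pif", "scr", "com", "exe", "bat", "cmd"}

def parse_pe(data: bytes):
    """Return (machine, [section names]) if data is a PE image, else None."""
    # 'MZ' DOS stub, then e_lfanew at 0x3C points at the 'PE\0\0' signature
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    names = []
    table = e_lfanew + 24 + opt_size      # section table follows the optional header
    for i in range(nsect):
        off = table + 40 * i              # each section header is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return machine, names

def classify_transfer(filename: str, data: bytes) -> dict:
    """Flag a file by its claimed extension and by what its header really is."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    pe = parse_pe(data)
    if pe is not None and ext not in {"exe", "dll"}:
        verdict = "executable disguised as ." + ext
    elif ext in EXEC_EXTENSIONS:
        verdict = "executable extension"
    else:
        verdict = "ok"
    return {"ext": ext, "is_pe": pe is not None,
            "machine": pe[0] if pe else None,
            "sections": pe[1] if pe else [], "verdict": verdict}

def build_sample_pe() -> bytes:
    """Constructed minimal PE shell (headers only, not a runnable program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    section = b".text".ljust(8, b"\0") + b"\0" * 32              # one 40-byte entry
    return dos + coff + section
```

Running `classify_transfer("handcuffs.pif", build_sample_pe())` reports the sample as an executable disguised as .pif; a mail or IM gateway could apply the same two checks before handing a transfer to the user.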
ninar12
Then it will be called newskit.pm3

Between, MS must add this format to its executables.
sk3tch
FLX could you password-protect your archive next time? That way AV scanners won't nab the file.

My KAV HTTP gateway scanner nailed it before it even got to my desktop.

Thanks for the post too btw...love hearing about "in the wild" stuff!
Invision Power Board © 2001-2005 Invision Power Services, Inc.