W32.Bropia


Aliases: Win32.Bropia.A [Computer Assoc], Bropia.A [F-Secure], IM-Worm.Win32.VB.a [Kaspersky], W32/Bropia.worm [McAfee], W32/Bropia-A [Sophos], WORM_BROPIA.A [Trend Micro]
Variants: W32.Spybot.Worm

Classification: Malware
Category: Computer Worm

Status: active & spreading
Spreading: moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: hard
Platform: W32
Discovered: 19 Jan 2005
Damage: Low

Characteristics: W32.Bropia arrives as a P2P download or as a link sent over MSN Messenger. The file has a variant of Backdoor.Win32.Rbot embedded in it.

More details about W32.Bropia

W32.Bropia spreads through MSN Messenger, Microsoft's instant messaging program. The worm uses this platform to send itself and to drop a variant named “W32.Spybot.Worm.” Once installed on a computer, the worm copies itself to the system directory and to several shared directories of P2P applications as msnadp32.e. It is written in Visual Basic and only works on systems where Microsoft's Visual Basic components are activated or installed. It is also classified as an IM-Worm. A further component, a backdoor packed with UPX and Morphine, is detected as Backdoor.Win32.Rbot.gen. It can also be dropped to C:\tmpdata as imsexy.exe. Once opened, it installs itself as %sysdir%\pwmgr.exe and deletes imsexy.exe.

Certain registry entries are also modified so that the worm is launched at startup. Once it has successfully installed itself on a computer, it continuously sends messages to all addresses in the MSN contact list. These messages contain links to a malicious .php file. When a recipient clicks the link, their email address is stolen and can then be used by spammers. The worm also tampers with MSN Messenger and monitors any change in the status of its contacts so that it can update accordingly. Furthermore, it disables the right mouse button, so you cannot right-click to access context-sensitive menus.