January 20th, 2005 10:49 AM
Heads Up: sexy_bedroom.pif
Well the title is as much as I know about this piece of malware, this and the fact that it auto-sends itself to everybody in the infected user's MSN contact list.
My girlfriend noticed this behaviour when her MSN Plus! asked her repeatedly if she would like to zip the file to be sent [a feature of the plug-in]. The file was in the process list and could only be deleted after a boot in safe mode [so as to not get loaded again].
HouseCall and Symantec online AV scans did not report anything after this deletion, so I'd assume deleting the file was enough [no registry key or anything of the sort]. However either because of the scanners' limitations [not checking .pif files or not checking certain folders] the file was not detected inside the Recycle Bin either [although it was still present when the AV scans were run].
Somebody else on my contact list had gotten the same thing since I had a request for a file transfer when I got home, but the person wasn't online so I couldn't inquire further.
When she got infected, my S.O. said the file was called love_me.pif, which makes me think it is possible for the virus to randomly change its name from a list. The transfer request I had received had the same filename as the title - sexy_bedroom.pif.
I forgot to ask whether she was running her AV at the time but I think not [and since the file requires user interaction to infect the computer it would not be detected by anything less than an active AV].
I assume people would be duped into opening the file because .pif is an old extension from DOS IIRC and its close resemblance to .pic could trick many into opening it.
Symantec has no entry about this, neither does Google at large return anything.
Anybody know anything more about this? Is it truly a virus or some other kind of malware? I believe I could still get a copy of it and PM it to *some* people that would require it for analysis, however I'd rather not go into that kind of a situation...
So this is both a Heads Up and a Request for Comments[:P]/Info... stay alert!
January 21st, 2005 03:20 AM
Maybe this WORM_BROPIA.A
Lucky you, you got it first!
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
January 21st, 2005 06:56 AM
Symantec posted information about the W32.Bropia late yesterday and had updates to handle it shortly after. It is a two stager that uses MSN Messenger to spread, and drops a new variant of the W32.Spybot worm. Since MSN Messenger allows active content (ads), it is no surprise that that vector would be used.
Since we are moving to the new Windows Messenger 5.1 (which is not vulnerable) to work with out LiveComm Server, we're removing MSN Messenger. I got the updates out, I hope, before anyone in our organization got caught with this today.
You can uninstall MSN Messenger and then download and install Windows Messenger 5.1 without losing any of your contacts. Just to be safe, though, do an export just before doing this.
January 23rd, 2005 09:33 AM
Well luckily, I'm part of the Free World
Originally posted here by IKnowNot
Lucky you, you got it first!
I've seen more or less of a rapid spread of this piece of malware, however AV companies quickly came out with fixes and whatnot.