19.02.2005 03:17:00

Threat Advisory: McAfee Avert Raises Risk Assessment to Medium on W32/

BEAVERTON, Ore., Feb. 18 /PRNewswire-FirstCall/ -- McAfee, Inc., the pioneer and worldwide leader of intrusion prevention solutions, today announced that McAfee(R) AVERT(TM) (Anti-virus and Vulnerability Emergency Response Team), the world-class research division of McAfee, Inc., raised the risk assessment to Medium on the recently discovered W32/Bropia.worm.p worm, also known as Bropia.worm.p. This new worm variant propagates through MSN messenger. However, unlike previous variants it does not drop the W32/Sdbot.worm.gen worm. Over the last few hours, McAfee AVERT has received more than 30 reports of the virus being stopped or infecting users from the field.

Threat Overview

This variant of the Bropia.worm is similar to previous variants and propagates through MSN Messenger. In order to get infected, the user would need to manually run the attachment. Upon executing, the worm tries to display an image from "http://www.[blocked].com/lol_f***_you_lol/l0l_53xy_l0l.jpg." A web counter on the page is incremented each time it is accessed. However, at the time of writing, the image is unavailable.

Threat Pathology

After being executed, the worm drops a copy of itself into the C:\ directory using any of the following filenames:

-- c:\Beautiful A**.pif
-- c:\John Kerry as Super Chicken.scr
-- c:\Kool.pif
-- c:\Me & you pic!.pif
-- c:\Me P***ed!.pif
-- c:\sexy.pif
-- c:\She Could Fit her A** in a Teacup.pif
-- c:\she's f***in fit.pif
-- c:\titanic2.jpg.pif

(* replaces text)

A copy of the worm is dropped in %SysDir% as Isass.exe, where %SysDir% is either C:\Windows\System32 or C:\WinNT\System32.

The following registry key is hooked to run the worm at startup:

-- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Isass" = %SysDir%\Isass.exe
-- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Isass" = %SysDir%\Isass.exe

The worm creates a mutex object on the infected machine using the name: .:*-F*k-U-*:.

The following processes are disabled on the victim's machine to prevent the user from manually stopping and removing the worm:

-- Regedit.exe - registry editor
-- Mstask.exe - task manager
-- Msconfig.exe - configuration manager
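The file and registry indicators listed above can be checked offline against data collected from a host. The following is an added example, not McAfee's code: it assumes the input is text in the layout printed by `reg query` plus a listing of file names in C:\, and the function names and sample data are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Indicators copied from the advisory. '*' is the advisory's own masking of
# the file names and is treated as a wildcard when matching.
DROPPED_NAMES = [
    "Beautiful A**.pif", "John Kerry as Super Chicken.scr", "Kool.pif",
    "Me & you pic!.pif", "Me P***ed!.pif", "sexy.pif",
    "She Could Fit her A** in a Teacup.pif", "she's f***in fit.pif",
    "titanic2.jpg.pif",
]
CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
RUN_KEYS = {CV + r"\run", CV + r"\runservices"}
WORM_PATHS = {r"c:\windows\system32\isass.exe", r"c:\winnt\system32\isass.exe"}

def parse_reg_query(text):
    """Yield (key, value_name, data) from `reg query`-style text."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and line.startswith("    "):
            parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                yield key, parts[0], parts[2]

def find_indicators(reg_text, root_files):
    """Return sorted findings that match the advisory's indicators."""
    hits = []
    for key, name, data in parse_reg_query(reg_text):
        if (key.lower() in RUN_KEYS and name.lower() == "isass"
                and data.strip('"').lower() in WORM_PATHS):
            hits.append(("autorun", key.rsplit("\\", 1)[1], data))
    for fname in root_files:
        if any(fnmatchcase(fname.lower(), p.lower()) for p in DROPPED_NAMES):
            hits.append(("dropped", "C:\\", fname))
    return sorted(hits)

# Constructed sample input, not taken from a real host.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    Isass    REG_SZ    C:\WINDOWS\System32\Isass.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Isass    REG_SZ    C:\WINDOWS\System32\Isass.exe
"""
SAMPLE_ROOT = ["AUTOEXEC.BAT", "Kool.pif", "Me Pxxxed!.pif", "notes.txt"]
if __name__ == "__main__":
    print(*find_indicators(SAMPLE_REG, SAMPLE_ROOT), sep="\n")
```

A match on the value name alone is not reported; the data must also point at Isass.exe in one of the two %SysDir% locations the advisory names.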

More information on Bropia.worm.p and a cure for this worm can be found online at the McAfee AVERT site located at http://vil.mcafeesecurity.com/vil/content/v_131862.htm. McAfee AVERT is advising its customers to update to the 4430 DATs to stay protected from this threat.

McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organizations in the world, employing researchers in thirteen countries on five continents. McAfee AVERT combines world-class malicious code and anti-virus research with intrusion prevention and vulnerability research expertise from the McAfee(R) IntruShield(R), McAfee(R) Entercept(R) and McAfee(R) Foundstone(R) Professional Services organizations. McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.

About McAfee, Inc.

McAfee, Inc., headquartered in Santa Clara, Calif., creates best-of-breed intrusion prevention and risk management solutions. McAfee's market-leading security products and services help large, medium and small businesses, government agencies, and consumers prevent intrusions on networks and protect computer systems from critical threats. Additionally, through the Foundstone Professional Services division, leading security consultants provide security expertise and best practices for organizations. For more information, McAfee, Inc. can be reached at 972-963-8000 or on the Internet at http://www.mcafee.com/.

NOTE: McAfee, AVERT, IntruShield, Entercept and Foundstone are either registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. The color Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
