Enterasys - Secure Networks

There is nothing more important than our customers.

ENSRT Incident Note ETS-i-2005-12520

The Enterasys Networks Security Response Team (ENSRT) publishes incident notes to provide information for our constituents to raise awareness of issues deemed threatening to the security and integrity of our customers.

Worms - W32.Bropia.J and W32.Bropia.L

Release Date: 02/09/2005
Last Updated: 02/10/2005


Overview

Both the W32.Bropia.J and W32.Bropia.L worms spread via the MSN Messenger protocol by sending an executable file containing the worm to MSN contacts. When this executable file is launched, the Windows PC becomes infected with the Bropia worm. Additionally, another worm from the W32.Spybot.Worm family is dropped onto the infected system.

Details below describe the characteristics of the W32.Bropia.J and W32.Bropia.L worms as well as provide detection, containment, and prevention techniques available through Enterasys Secure Networks solutions.

Systems affected

Windows operating systems

Systems not affected

Linux and Mac OS X

Description

The W32.Bropia.J and W32.Bropia.L worms arrive on the user's PC when the MSN Messenger application receives an executable file transfer from a known MSN contact. If, through social engineering, the worm executable is both accepted and executed, the Microsoft Windows PC becomes infected.

The W32.Bropia.J variant of the worm arrives as one of the following executable files:

LOL.scr
Webcam.pif
bedroom-thongs.pif
naked_drunk.pif
LMAO.pif
ROFL.pif
underware.pif
Hot.pif
new_webcam.pif

The W32.Bropia.L variant of the worm arrives as one of the following executable files:

msnmsr.exe
Webcam.pif
bedroom-things.pif
naked_drunk.pif
my_pussy.pif
ROFL.pif
underware.pif
Hot.pif
new_webcam.pif

Once infected, the Bropia worms drop a secondary worm from the W32.Spybot.Worm family as well as a JPG image with the name "sexy.jpg". The ".J" variant's image displays a picture of a sunburned chicken while the ".L" variant contains a female model.

Lastly, the Bropia worms attempt further proliferation by sending copies of themselves to MSN Messenger contacts harvested from the infected PC.

Threat Assessment

MSN Messenger worms, if not addressed through prudent remediation steps, may impact individual system performance and compromise security settings by allowing unauthorized remote access to the compromised host.

Trojans or backdoor listeners, if not addressed through prudent remediation steps, can compromise network and host security. Additionally, trojans and backdoor listeners potentially allow theft of information, unauthorized remote access, and damage to critical files.

Remediation

Matrix N7: X
Matrix E7: X
Matrix E6: X
Matrix E5: X
Matrix E1: X
VH: X
C-Series: X

Detection

Since the attack vector of the W32.Bropia.J and W32.Bropia.L worms makes use of MSN Messenger file transfers, Dragon signatures have been created to assist in the detection of infected PCs as they attempt to proliferate these worms using the MSN protocol. MSN Messenger file transfers can take place using multiple techniques.

The first MSN Messenger file transfer technique the Bropia worms proliferate with takes place from an infected PC on the enterprise network performing a transfer of the worm to a remote network on the Internet. Generally, this type of transfer can be detected via examination of the primary MSN protocol operating on TCP port 1863. Make use of the Dragon signatures in the Master Library located in the ENSRT category with the name "ENSRT:W32-BROPIA-JL" to detect this type of MSN file transfer. It is important to note that even if firewall policy does not allow MSN file transfers outside of the corporate infrastructure, these signatures are still useful, as they will detect the worms as they attempt file transfers to each remote MSN user regardless of the success of that file transfer.

The second MSN Messenger file transfer technique the Bropia worms may make use of involves MSN Messenger peer-to-peer file sharing. This method makes use of dynamic TCP ports to perform file transfers between users within the same enterprise network. The Bropia worms are not currently detectable when traveling via MSN Messenger peer-to-peer file sharing; however, enterprise users participating in MSN Messenger peer-to-peer file sharing can be detected. A general MSN Messenger peer-to-peer file sharing signature can be found in the Dragon Master Library in the ENSRT category with the name "ENSRT:MSN-MESSENGER-P2P". If this signature and the "ENSRT:W32-BROPIA-JL" signatures are detected from the same host on the enterprise network, there is a distinct possibility that one of the Bropia worms has successfully spread to another user on the enterprise network.
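The correlation described above (a host that fires both "ENSRT:W32-BROPIA-JL" and "ENSRT:MSN-MESSENGER-P2P") can be automated over exported alerts. The following is an added example, not Enterasys or Dragon code; the alert line layout and the IP addresses are constructed for illustration, and only the signature names and attachment filenames come from this note.

```python
from collections import defaultdict

BROPIA_SIG = "ENSRT:W32-BROPIA-JL"       # file-transfer attempts over TCP 1863
P2P_SIG = "ENSRT:MSN-MESSENGER-P2P"      # peer-to-peer sharing on dynamic ports

# Attachment names listed in this note for the .J and .L variants.
BROPIA_FILENAMES = {
    "lol.scr", "webcam.pif", "bedroom-thongs.pif", "bedroom-things.pif",
    "naked_drunk.pif", "lmao.pif", "rofl.pif", "underware.pif", "hot.pif",
    "new_webcam.pif", "msnmsr.exe", "my_pussy.pif",
}

# Constructed sample alerts (assumed layout, not Dragon's native export):
# timestamp signature src_ip dst_ip dst_port [file=<name>]
SAMPLE_ALERTS = """
2005-02-09T10:01:02 ENSRT:W32-BROPIA-JL 10.1.4.22 207.46.104.20 1863 file=LOL.scr
2005-02-09T10:01:05 ENSRT:W32-BROPIA-JL 10.1.4.22 207.46.104.20 1863 file=Webcam.pif
2005-02-09T10:02:11 ENSRT:MSN-MESSENGER-P2P 10.1.4.22 10.1.7.90 6891
2005-02-09T10:03:40 ENSRT:MSN-MESSENGER-P2P 10.1.7.90 10.1.4.22 6891
2005-02-09T10:05:00 ENSRT:W32-BROPIA-JL 10.1.9.3 207.46.104.20 1863 file=report.pdf
2005-02-09T10:06:30 ENSRT:MSN-MESSENGER-P2P 10.1.2.50 10.1.2.51 6895
""".strip().splitlines()


def parse_alert(line):
    """Split one alert line into a dict; the file= field is optional."""
    fields = line.split()
    rec = {"ts": fields[0], "sig": fields[1], "src": fields[2],
           "dst": fields[3], "dport": int(fields[4]), "file": None}
    for extra in fields[5:]:
        if extra.startswith("file="):
            rec["file"] = extra[len("file="):]
    return rec


def correlate(lines):
    """Per source host: count of each signature and any listed Bropia filenames seen."""
    hosts = defaultdict(lambda: {"bropia": 0, "p2p": 0, "files": set()})
    for rec in map(parse_alert, lines):
        h = hosts[rec["src"]]
        if rec["sig"] == BROPIA_SIG:
            h["bropia"] += 1
            if rec["file"] and rec["file"].lower() in BROPIA_FILENAMES:
                h["files"].add(rec["file"])
        elif rec["sig"] == P2P_SIG:
            h["p2p"] += 1
    return hosts


def hosts_likely_spreading(lines):
    """Hosts that fired both signatures: this note's indicator of internal spread."""
    return sorted(h for h, c in correlate(lines).items() if c["bropia"] and c["p2p"])
```

Hosts returned by hosts_likely_spreading() are the candidates for the DIR quarantine actions described under Containment; hosts with only the P2P signature are ordinary peer-to-peer users and are not flagged.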

The specific Dragon signatures detailed above to aid detection of the W32.Bropia.J and W32.Bropia.L worms as well as MSN Messenger peer-to-peer file sharing can be retrieved via Dragon Live Update and are located in the Master Library within the ENSRT category.

Deploy the above "ENSRT:W32-BROPIA-JL" signature group on Dragon network sensors that protect Internet connections carrying the primary MSN protocol of TCP port 1863 to the Internet-based MSN servers.

If utilizing Dynamic Intrusion Response (DIR), a Dragon Alarmtool policy that consists of an event group that contains all of the signatures within the "ENSRT:W32-BROPIA-JL" family should be used.

NOTE: All signatures in the ENSRT library are disabled by default. These signatures must be enabled after they are imported into a custom library if they are to be successfully deployed.

Prevention

Trusted End System (TES) solutions are capable of monitoring various end system activity. TES is able to take immediate action such as firewalling specific IPs, TCP/UDP ports, or applications, or placing the user into a Quarantine policy or VLAN until the end system threat is mitigated. Learn more at: http://www.enterasys.com/solutions/secure-networks/trusted_end_system/

Containment

Internet or edge facing firewalls should be configured with a default 'Deny' policy and contain 'Permit' policies for only needed services and applications. With respect to the W32.Bropia.J and W32.Bropia.L worms, certain MSN Messenger file transfers can be blocked at the Internet firewall by removing any permit rules that allow TCP ports 6891-6900. Note: Blocking TCP ports 6891-6900 will not block MSN Messenger instant messages, as they flow over TCP port 1863.

The Enterasys Dynamic Intrusion Response (DIR) solution can be utilized to remove infected end-users from the enterprise network by detecting the infection with a Dragon NIDS signature (see the "Detection" section of this report), locating the user's connection point using Automated Security Manager's location services module, and either placing the user in a quarantine VLAN or disabling the associated switch port for the user.

If the enterprise Acceptable Use Policy (AUP) does not permit the use of MSN Messenger, consider implementing a switch policy with Enterasys Policy Manager to block the primary MSN protocol from end user switch ports. The MSN Messenger primary protocol is sourced from end users with a dynamic TCP port and destined to the Internet MSN servers with TCP port 1863.

Repair

Monitor Dragon Realtime Console for alerts that end-user PCs have become infected with the virus. If utilizing the DIR solution, users can either be expunged from the network or placed in a quarantine VLAN. Once isolated, see your anti-virus vendor for Windows repair procedures for infected users.

References

http://securityresponse.symantec.com/avcenter/venc/data/w32.bropia.j.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.bropia.l.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html


This document and the information contained herein are intended solely for informational use. Enterasys Networks, Inc. makes no representations or warranties of any kind, whether expressed or implied, with respect to this information and assumes no responsibility for its accuracy or completeness. Enterasys Networks, Inc. hereby disclaims all liability and warranty for any information contained herein and all the material and information herein exists to be used only on an "as is" basis. More specific information may be available on request. By your review and/or use of the information contained herein, you expressly release Enterasys from any and all liability related in any way to this information.    

A copy of the text of this section is an uncontrolled copy, and may lack important information or contain factual errors. All information herein is Copyright ©Enterasys Networks, Inc. All rights reserved. All information above is subject to change without notice.    


Revision History:

Version: 1.0

Date: 02/09/2005

Author: ENSRT STAFF

Change
