Sophos

W32/Bibrog-B

Aliases
  • W32/BIBROG.C@MM
  • I-Worm.Academia

Detected by: All Sophos products

More Information

W32/Bibrog-B arrives in an email with the following characteristics:

Subject line: Fwd:La Academia Azteca (English: "Fwd: The Aztec Academy")
Message text: La cacademia azteca (muy bueno) no es virus! (English: "The Aztec academy (very good) is not a virus!")
Attached file: academia.exe

When the worm is first executed, a game is displayed for the user to play, titled:

La Cacademia, Tienes 18 balas Score: 0 (English: "The Academy, You have 18 bullets Score: 0")

At the same time the worm is copied to
C:\<Windows Folder>\manzana.exe,
C:\<Windows System Folder>\academia.exe,
C:\<Startup Folder>\itch.exe and
C:\<Startup Folder>\itcj.exe

When Windows next starts up the copies in the Startup folder are run, and the worm emails itself to contacts in the victim's Outlook address book.

W32/Bibrog-B drops two BMP files, osiris.bmp and quiettime.bmp. The two files are alternately used as the backdrop for the Windows Desktop each time Windows starts up.

(Screenshots: the two Windows Desktop backdrops set by the worm)

W32/Bibrog-B attempts to create copies of the worm in the shared folders of the KaZaA, Grokster and Morpheus peer-to-peer applications. The same files will also be copied to the shared folder of the ICQ messaging application.

The following five HTM files are dropped to the My Documents folder:
acafug.htm
citibank.htm
hotmail.htm
msn.htm
yahoo.htm

The latter four of these HTM files are faked versions of genuine internet pages, each containing a login form for the corresponding service. Credentials entered into the login form of any of these fake pages are sent to the attacker.

The worm monitors the address bar of Internet Explorer; when one of the following addresses is entered, the corresponding local file is loaded in place of the genuine page. The following substitutions occur:

http://hotmail.passport.com to <My Documents>\hotmail.htm
http://mail.yahoo.com to <My Documents>\yahoo.htm
http://www.citibank.com/us/cards/ to <My Documents>\citibank.htm
http://www.fbi.gov to <My Documents>\acafug.htm
http://login.passport.net to <My Documents>\msn.htm
http://loginnet.passport.net to <My Documents>\hotmail.htm

Additionally, the following substitution occurs, although the substitute address appears to be no longer available:

http://send.greetings.yahoo.com to http://www.cjd.itesm.mx
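The file copies, the dropped HTM pages and the address substitutions above give a complete set of host indicators for this worm. The following is an added example of how to check a machine for them, written for this page; it is not Sophos' detection logic. It looks for each dropped file name in the folder role the description assigns to it, and additionally inspects any HTM file it finds in My Documents for a form containing a password field, since that is what distinguishes the four fake login pages from acafug.htm. The folder layout, the fake login page and the placeholder executables are constructed inside the example so it runs offline; on a real host, pass the actual Windows, System, Startup and My Documents paths to scan_for_bibrog.

```python
"""
Added host check for the W32/Bibrog-B artefacts described above.
Editor-supplied example, not Sophos' detection code. The fixture built by
build_fixture() is constructed test data, not a real infection.
"""
import os
import tempfile
from html.parser import HTMLParser

# File names the description says the worm writes, keyed by folder role.
DROPPED_FILES = {
    "windows":      ["manzana.exe"],
    "system":       ["academia.exe"],
    "startup":      ["itch.exe", "itcj.exe"],
    "my_documents": ["acafug.htm", "citibank.htm", "hotmail.htm",
                     "msn.htm", "yahoo.htm"],
}

# Genuine addresses the worm redirects to each local HTM file.
REDIRECTED_SITES = {
    "hotmail.htm":  ["http://hotmail.passport.com", "http://loginnet.passport.net"],
    "yahoo.htm":    ["http://mail.yahoo.com"],
    "citibank.htm": ["http://www.citibank.com/us/cards/"],
    "acafug.htm":   ["http://www.fbi.gov"],
    "msn.htm":      ["http://login.passport.net"],
}


class PasswordFormFinder(HTMLParser):
    """Sets has_password_form if a <form> contains <input type="password">."""
    def __init__(self):
        super().__init__()
        self.in_form = False
        self.has_password_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form and (a.get("type") or "").lower() == "password":
            self.has_password_form = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def has_password_form(path):
    """True if the HTML file at path carries a login-style form."""
    parser = PasswordFormFinder()
    with open(path, encoding="utf-8", errors="replace") as f:
        parser.feed(f.read())
    return parser.has_password_form


def scan_for_bibrog(folders):
    """folders maps a role (windows/system/startup/my_documents) to a path.
    Returns a sorted list of human-readable findings, empty if nothing found."""
    findings = []
    for role, names in DROPPED_FILES.items():
        base = folders.get(role)
        if not base:
            continue
        for name in names:
            path = os.path.join(base, name)
            if not os.path.isfile(path):
                continue
            note = f"{role}: {path}"
            if name.endswith(".htm"):
                kind = "password form" if has_password_form(path) else "no password form"
                sites = ", ".join(REDIRECTED_SITES.get(name, []))
                note += f" ({kind}; substituted for {sites})"
            findings.append(note)
    return sorted(findings)


# Constructed stand-ins for the dropped files (assumed content, not the real pages).
FAKE_LOGIN_PAGE = ('<html><body><form method="post" action="post.asp">'
                   '<input name="login"><input type="password" name="passwd">'
                   '</form></body></html>')
FAKE_PLAIN_PAGE = "<html><body><p>no form here</p></body></html>"


def build_fixture(root):
    """Creates the folder layout the description gives, under root."""
    folders = {role: os.path.join(root, role) for role in DROPPED_FILES}
    for d in folders.values():
        os.makedirs(d, exist_ok=True)
    for role, names in DROPPED_FILES.items():
        for name in names:
            if name == "acafug.htm":
                content = FAKE_PLAIN_PAGE          # not a login page per the text
            elif name.endswith(".htm"):
                content = FAKE_LOGIN_PAGE          # the four fake login pages
            else:
                content = "MZ placeholder"         # stands in for the worm copies
            with open(os.path.join(folders[role], name), "w") as f:
                f.write(content)
    return folders


def run_demo():
    """Builds the constructed fixture in a temp dir and scans it."""
    with tempfile.TemporaryDirectory() as root:
        return scan_for_bibrog(build_fixture(root))


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

On a live system the presence of itch.exe or itcj.exe in the Startup folder is the strongest single indicator, since that is what re-launches the worm and the mailing routine at boot; the HTM check is there to confirm a credential-theft page rather than just a name collision.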
