
Win32 Worm Bibrog.C


Win32/Bibrog.C is a worm that runs on Windows operating systems and spreads as an e-mail attachment. The body of the worm is compressed with the UPX utility and is 235520 bytes long; after unpacking, its length is almost 420 Kb. The worm is written in Visual Basic.

Note: In the following text, %windir% stands for the directory in which the Windows operating system is installed; this may differ from installation to installation. %system% stands for the System or System32 subdirectory of %windir%.

The worm arrives in a message with the subject Fwd:La Academia Azteca. The body of the message contains the text La academia azteca (muy bueno) ¡no es virus! The attachment is a file named academia.exe, 235520 bytes long, which contains the body of the worm.

After the attached file is run, the worm copies itself into the directory %windir% under the name manzana.exe. It creates a file named academia.exe in the directory %system% and generates the files itch.exe and itcj.exe in the directory C:\WINDOWS\Start Menu\Programs\StartUp. Both files are 235520 bytes long. It masks this activity by displaying a picture with a game.

The worm also tries to spread via the KaZaA and Grokster P2P networks and via ICQ. To do this it creates copies of itself whose names combine the words porn screen_saver.exe with the names of female celebrities, for example Donna D'Erico porn screen_saver.exe. These names entice inexperienced users to download, run and spread the worm.

The worm uses the following celebrity names:

Kylie Minogue
Shakira
Salma Hayek
Kirsten Dunst
Jessica Alba
Christina Aguilera
Anna Kournikova
Sandra Bullock
Alessandra Ambrosia
Jenna Jameson
Karina Lombard
Pamela Anderson
Britney Spears
Charlize Theron
Helena Christensen
Stacey Keibler
Kelly Hu
Halle Berry
Cameron Diaz
Donna D'Erico

After the computer is restarted, the file itch.exe is activated and sends copies of the worm to all addresses in the Contacts of the Microsoft Outlook client. A picture is displayed at the same time.

NOD32 detects this worm as of version 1.378.
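
The file names, the StartUp location and the 235520-byte size described above can be combined into a simple file-system sweep. The following is an added example, not part of the original description or of any ESET tool; the function names and the scoring of "name plus size" versus "name only" are assumptions made for illustration.

```python
import os
import sys

WORM_SIZE = 235520  # length of the UPX-packed body given in the description
DROPPED_NAMES = {"manzana.exe", "academia.exe", "itch.exe", "itcj.exe"}
LURE_SUFFIX = " porn screen_saver.exe"  # "<celebrity name> porn screen_saver.exe"


def classify(name, size, parent_dir):
    """Return a list of reasons this file matches the description (empty if none)."""
    lower = name.lower()
    reasons = []
    if lower in DROPPED_NAMES:
        reasons.append("dropped-file name")
    elif lower.endswith(LURE_SUFFIX):
        reasons.append("P2P/ICQ lure name")
    else:
        return reasons  # size alone is not an indicator
    # Name plus exact size is a strong match; a name alone is only a lead.
    reasons.append("size matches" if size == WORM_SIZE else "size differs")
    if os.path.basename(parent_dir).lower() == "startup":
        reasons.append("in StartUp folder")
    return reasons


def scan(root):
    """Walk root and return sorted (relative path, reasons) for every match."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable entry; skip rather than abort the sweep
            reasons = classify(name, size, dirpath)
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


if __name__ == "__main__":
    for rel, reasons in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {', '.join(reasons)}")
```

Run it against a mounted disk image or a drive root; a hit on name alone should be confirmed with an antivirus scan, since names such as academia.exe are not unique to the worm.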


