The newest variant of the Bropia worm -- tagged as Bropia.f, Bropia.g, Bropia.e, or Bropia.j by various anti-virus firms in an unusual display of naming chaos -- spreads through MSN Messenger. Users who receive the file and open it see a mildly funny .jpg of a roasted chicken posed to resemble a naked sunbather, complete with tan lines.
In the background, however, the user's PC is being infected with another worm -- dubbed Agobot.ajc by some firms, a variation of Spybot by other vendors -- which does all kinds of damage. It connects to an IRC server to wait for commands from the hacker, scans systems on the network for a wide range of older Microsoft Windows vulnerabilities, including the ones which spawned MSBlast and Sasser in 2003 and 2004, and runs a key logger to trap passwords and account information. It also turns off the machine's audio, perhaps to muzzle any sound alerts from anti-virus software.
Bropia and its nastier secondary payload spread by sending copies to all the contacts in MSN Messenger's buddy list.
The majority of anti-virus vendors have set their warning levels on Bropia to "medium," and the worm is spreading fastest in Korea, China, Taiwan, and the United States, said Trend Micro's online alert.
"As a rule of thumb, you should never open a file you receive through instant messaging systems without scanning it first," said Luis Corrons, the head of Panda Software's virus lab, in a statement. "A growing number of viruses are using [IM] to spread, and their biggest danger lies in the recipient running executable files without thinking twice."
Symantec has posted a free Bropia removal tool on its Web site for those who believe their PC has been infected.