Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically


Win32/Bibrog.C is a worm working in the environment of Windows operating systems. It is spreading as an attachment of e-mail messages. The body of the worm is compressed using the UPX utility, and has a length of 235520 bytes. Its length is almost 420 Kb after unpacking. The worm is written in Visual Basic.

Note: In following text a symbolic inscription %windir% is used instead of the name of directory in which Windows operating system is installed. Of course, this may differ from installation to installation. The inscription %system% represents in following text the subdirectory System or System32 in the directory %windir%.

The worm comes with the message having the subject Fwd:La Academia Azteca. There is a text La academia azteca (muy bueno) ino es virus! in the body of a message. Attachment of the message contains a file academia.exe having the length of 235520 bytes, and containing the body of the worm.

After the file in the message attachment is run the worm is copied into the directory %windir% under the name manzana.exe. It creates the file named academia.exe in the directory %system%, and generates the files itch.exe and itcj.exe in the directory C:\WINDOWS\Start Menu\Programs\StartUp. The length of both files is 235520 bytes. It masks this activity displaying the picture with the game:

The worm is trying to spread also via P2P of KaZaA and Grokster network and ICQ. To achieve this it creates its copies using word porn screen_saver.exe and the list of female celebrities with the names like Donna D'Erico porn screen_saver.exe. These copies attract inexperienced users to download, run and spread the worm.

The worm uses following names of celebrities:

Kylie Minogue
Salma Hayek
Kirsten Dunst
Jessica Alba
Christina Aguilera
Anna Kournikova
Sandra Bullock
Alessandra Ambrosia
Jenna Jameson
Karina Lombard
Pamela Anderson
Britney Spears
Charlize Theron
Helena Christensen
Stacey Keibler
Kelly Hu
Halle Berry
Cameron Diaz
Donna D'Erico

After restarting the computer the file itch.exe is activated sending the worm copies to all addresses located in Contacts of Microsoft Outlook client. Following picture is displayed at the same time:

NOD32 detects this worm from the version 1.378.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.