W32/Bropia.G!worm.im

Analysis

  • Drops the file l0l_53xy_l0l.html to the current directory and opens it in Microsoft Internet Explorer. This HTML document is not itself malicious; it only connects to the following websites:

    • http://www.freewebs.com
    • http://counter.rapidcounter.com

  • Copies itself to the System folder as Isass.exe.
  • Adds the value Anti = %SYSTEM%\Isass.exe (where %SYSTEM% refers to the System folder) to the following registry subkeys:

    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

  • Creates several copies of itself in the root folder of drive C. The copies have the following filenames:

    • Beautiful Ass.pif
    • Kool.pif
    • Me & you pic!.pif
    • Me Pissed!.pif
    • sexy.pif
    • She Could Fit her Ass in a Teacup.pif
    • she's fuckin fit.pif
    • titanic2.jpg.pif
    • John Kerry as Super Chicken.scr

  • Attempts to terminate the following processes:

    • taskmgr.exe
    • regedit.exe

  • Sends a copy of itself via MSN Messenger to the user's contact list.

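As an added example (not part of Fortinet's analysis), the following Python script performs host triage for the indicators listed above: it looks for the Anti run-key value pointing at Isass.exe in a `reg export` style text dump and for the worm's copies in the root of drive C. The registry dump and file paths it runs on are constructed sample data, not captured from a real host.

```python
"""Host triage for the W32/Bropia.G!worm.im indicators listed above.
Added example, not Fortinet's code; runs offline on constructed inputs."""
import re

# Indicators taken from the analysis above (compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
RUN_VALUE_NAME = "Anti"      # value name the worm writes under both keys
DROPPED_EXE = "isass.exe"    # copy placed in the System folder
ROOT_COPIES = {              # copies written to the root of drive C
    "beautiful ass.pif", "kool.pif", "me & you pic!.pif", "me pissed!.pif",
    "sexy.pif", "she could fit her ass in a teacup.pif",
    "she's fuckin fit.pif", "titanic2.jpg.pif",
    "john kerry as super chicken.scr",
}

def check_registry_export(text):
    """Return (key, data) pairs for Run/RunServices values named 'Anti' whose
    data points at Isass.exe. reg export doubles backslashes in Data."""
    hits, key = [], None
    for line in text.splitlines():
        header = re.fullmatch(r"\[(.+)\]", line.strip())
        if header:                      # a [Key] line opens a new key
            key = header.group(1)
            continue
        value = re.fullmatch(r'"([^"]+)"="(.*)"', line.strip())
        if not (value and key and key.lower() in RUN_KEYS):
            continue
        name, data = value.group(1), value.group(2).replace("\\\\", "\\")
        if name == RUN_VALUE_NAME and data.rsplit("\\", 1)[-1].lower() == DROPPED_EXE:
            hits.append((key, data))
    return hits

def check_root_copies(paths):
    """Return paths directly under C:\\ whose filename matches a worm copy."""
    return [p for p in paths
            if p.lower().startswith("c:\\") and p.count("\\") == 1
            and p.rsplit("\\", 1)[-1].lower() in ROOT_COPIES]

# Constructed sample data (not from a real host): one benign Run value
# beside the worm's entries, and one same-named file outside the root.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Anti"="C:\\WINDOWS\\system32\\Isass.exe"
"SoundMan"="C:\\WINDOWS\\system32\\soundman.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Anti"="C:\\WINDOWS\\system32\\Isass.exe"
"""
SAMPLE_PATHS = [r"C:\Kool.pif", r"C:\report.doc", r"C:\titanic2.jpg.pif", r"C:\Windows\Kool.pif"]
```

On a live host the same two functions can be fed the output of `reg export` and a listing of the root of drive C; a hit on either check is a reason to isolate the machine and check the MSN Messenger contact list for onward spread.
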
Recommended Action

Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.

Telemetry

Detection Availability

  • FortiClient: Extreme
  • FortiMail: Extreme
  • FortiSandbox: Extreme
  • FortiWeb: Extreme
  • Web Application Firewall: Extreme
  • FortiIsolator: Extreme
  • FortiDeceptor: Extreme
  • FortiEDR