W32/Bropia.G!worm.im
Analysis
Drops the file l0l_53xy_l0l.html to the current directory and opens it via Microsoft Internet Explorer. This HTML document is not malicious but only connects to the following websites:
- http://www.freewebs.com
- http://counter.rapidcounter.com
Copies itself to the System folder as Isass.exe.
Adds the value
Anti = %System%\Isass.exe, where %System% refers to the System folder
to the registry subkeys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Creates several copies of itself in the root folder of drive C. The copies have the following filenames:
- Beautiful Ass.pif
- Kool.pif
- Me & you pic!.pif
- Me Pissed!.pif
- sexy.pif
- She Could Fit her Ass in a Teacup.pif
- she's fuckin fit.pif
- titanic2.jpg.pif
- John Kerry as Super Chicken.scr
Attempts to terminate the following processes:
- taskmgr.exe
- regedit.exe
Sends a copy of itself via MSN Messenger to the user's contact list.
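As an added example (not part of the Fortinet entry), an offline Python check for the persistence value and the root-folder copies listed above; the System folder path, the shape of the registry input and the sample data are assumptions made for the sake of illustration.

```python
"""Offline check for the W32/Bropia.G persistence and drop indicators above.
Added example, not Fortinet's own code. All inputs are constructed; on a live
host you would feed it the Run/RunServices values and a C:\\ root listing."""
import ntpath
import re

# Indicators taken from the analysis text.
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
RUN_VALUE_NAME = "Anti"
DROPPED_EXE = "Isass.exe"  # capital I: differs from lsass.exe only in its first character
ROOT_COPIES = frozenset(name.lower() for name in (
    "Beautiful Ass.pif", "Kool.pif", "Me & you pic!.pif", "Me Pissed!.pif",
    "sexy.pif", "She Could Fit her Ass in a Teacup.pif", "she's fuckin fit.pif",
    "titanic2.jpg.pif", "John Kerry as Super Chicken.scr",
))

def check_run_keys(registry: dict, system_dir: str) -> list:
    """registry maps subkey -> {value name: data}. Flags an 'Anti' value whose
    data resolves to <System folder>\\Isass.exe under either Run key."""
    expected = ntpath.join(system_dir, DROPPED_EXE).lower()
    hits = []
    for key in RUN_KEYS:
        data = registry.get(key, {}).get(RUN_VALUE_NAME)
        if data is None:
            continue
        # Strip quotes and expand the %System% placeholder the entry uses.
        path = re.sub(r"%system%", lambda _: system_dir, data.strip('"'), flags=re.I)
        if path.lower() == expected:
            hits.append(f"{key}\\{RUN_VALUE_NAME} -> {data}")
    return hits

def check_root_copies(root_listing) -> list:
    """Names in a C:\\ root listing that match the worm's copies (case-insensitive)."""
    return sorted(n for n in root_listing if n.lower() in ROOT_COPIES)

def scan(registry: dict, root_listing, system_dir=r"C:\WINDOWS\system32") -> dict:
    return {"run_keys": check_run_keys(registry, system_dir),
            "root_copies": check_root_copies(root_listing)}

# Constructed sample data for a stand-alone run (assumed System folder path).
SAMPLE_REGISTRY = {RUN_KEYS[0]: {"Anti": r"C:\WINDOWS\system32\Isass.exe", "ctfmon": "ctfmon.exe"}}
SAMPLE_ROOT = ["boot.ini", "Kool.pif", "titanic2.jpg.pif", "pagefile.sys"]

if __name__ == "__main__":
    print(scan(SAMPLE_REGISTRY, SAMPLE_ROOT))
```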
Recommended Action
Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.