W32/Bropia.B!worm.im
Analysis
This is a slow-spreading Internet worm for MSN Messenger and Windows environments. The virus was coded using Visual Basic 6 and spreads to the contacts listed in the MSN Messenger contact list. The virus also carries an embedded copy of an RBot variant, which is identified by the current AV database update as "W32/RBot.TX-net".
If the virus is received and run, it copies itself to the root of the C drive. It then extracts a copy of an IRC backdoor to the System32 folder as "lexplore.exe".
MSN Messenger API Hook
The virus is coded in Visual Basic 6 and uses imports from an MSN Messenger API in order to manipulate the application and send a copy of the virus to others. The virus only targets installations of MSN Messenger stored at this path -
C:\Program Files\Messenger\msmsgs.exe
If MSN Messenger is not found in this location, the virus is not likely to spread further. The virus uses the import "OMsn_OnContactStatusChange" as its trigger point: this callback directs the virus code to the routine that sends a copy of the virus to the other contacts listed in MSN Messenger. When a contact changes status, the virus targets that contact and sends a copy of itself in an "instant message" under one of these file names -
Drunk_lol.pif
Webcam_004.pif
sexy_bedroom.pif
naked_party.pif
love_me.pif
Loading at Windows startup
The IRC backdoor component is registered to run at each
Windows startup -
HKEY_CURRENT_USER\Software\Microsoft\OLE
"lexplore" = lexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"lexplore" = lexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"lexplore" = lexplore.exe
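The following read-only PowerShell check is an added example, not Fortinet's code or part of the original analysis. It looks for the persistence values and the dropped backdoor file listed above, and for the instant-message file names from the MSN Messenger section; the assumption that received copies might sit in the root of C: is labelled in the code, since the analysis does not name the file the worm writes there.

```powershell
# Added example (not from the original analysis): read-only host check for the
# W32/Bropia.B artefacts described on this page. Run as an administrator so the
# HKLM values can be read; nothing is deleted or modified.
$Artifacts = @(
    @{ Hive = 'HKCU:\Software\Microsoft\OLE';                                Name = 'lexplore' },
    @{ Hive = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'lexplore' },
    @{ Hive = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'lexplore' }
)
# File names the worm uses when sending itself over MSN Messenger (from the analysis).
$WormNames = 'Drunk_lol.pif', 'Webcam_004.pif', 'sexy_bedroom.pif', 'naked_party.pif', 'love_me.pif'

function Test-BropiaArtifacts {
    $findings = @()

    foreach ($a in $Artifacts) {
        # -ErrorAction SilentlyContinue returns $null when the key or value is absent
        # (for example, RunServices does not exist on current Windows releases).
        $item = Get-ItemProperty -Path $a.Hive -Name $a.Name -ErrorAction SilentlyContinue
        if ($item) {
            $name = $a.Name
            $findings += "Registry: $($a.Hive) '$name' = $($item.$name)"
        }
    }

    # The IRC backdoor component is extracted to System32 as lexplore.exe.
    $backdoor = Join-Path $env:SystemRoot 'System32\lexplore.exe'
    if (Test-Path -LiteralPath $backdoor) {
        $hash = (Get-FileHash -LiteralPath $backdoor -Algorithm SHA256).Hash
        $findings += "File: $backdoor (SHA256 $hash)"
    }

    # Assumption: a received copy may have been saved under one of the worm's
    # file names in the root of C:. The analysis says the worm copies itself to
    # the root of C: but does not state the file name, so this is a best-effort check.
    foreach ($n in $WormNames) {
        $p = Join-Path 'C:\' $n
        if (Test-Path -LiteralPath $p) { $findings += "File: $p" }
    }

    return $findings
}

$result = Test-BropiaArtifacts
if ($result.Count -eq 0) { 'No W32/Bropia.B artefacts found.' } else { $result }
```

A hit on any of these indicators warrants isolating the host and running a full scan with the current AV database, since the RBot component is an IRC-controlled backdoor.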
Anti-debugging Routine
The virus attempts to block access to the command-line shell CMD.EXE, but the block only covers the copy stored in the System32 folder; the copy of CMD.EXE kept in the "dllcache" folder can still be executed without incident. The virus also blocks attempts to enumerate tasks using Task Manager.
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Detection Availability
Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |