Intrusion Prevention

W32/Bropia.A-tr.MSNFTP

Description

This indicates a possible W32/Bropia.A-tr worm passing through the network on TCP port 11178 using the MSNFTP protocol.
When this worm is executed it drops a copy of itself in the root directory using any of the following file names:
Drunk_lol.pif
Love_me.pif
Naked_party.pif
Sex_bedroom.pif
Webcam_004.pif
It then attempts to propagate itself via MSN Messenger by sending a copy of itself under any of the above-mentioned file names. The worm also drops the file OMS.EXE in the root folder; FortiGate detects this file as W32/RBot.TX-net. It truncates the following files to 0 bytes, preventing them from executing:
CMD.EXE
TASKMGR.EXE
It can also disable the right mouse button, and it makes cmd and Task Manager unexecutable.
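The following host-triage check is an added example and is not part of this FortiGuard entry or any Fortinet tool: it looks for the indicators described above (the dropped .pif names and OMS.EXE in the root directory, and CMD.EXE / TASKMGR.EXE truncated to 0 bytes in the system directory), working on a name-to-size snapshot so it can be run against constructed sample data as well as a live directory listing. The sample snapshots and their file sizes are constructed for illustration.

```python
"""Host triage check for the W32/Bropia.A-tr indicators listed on this page."""
import os

# File names the entry reports being dropped in the root directory.
DROPPED_NAMES = {
    "drunk_lol.pif", "love_me.pif", "naked_party.pif",
    "sex_bedroom.pif", "webcam_004.pif", "oms.exe",
}
# System binaries the entry reports being truncated to 0 bytes.
TRUNCATED_TARGETS = {"cmd.exe", "taskmgr.exe"}


def snapshot_directory(path):
    """Map lower-cased file names in `path` (non-recursive) to size in bytes."""
    snap = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            snap[name.lower()] = os.path.getsize(full)
    return snap


def check_root(root_snapshot):
    """Return dropped-file indicators present in a root-directory snapshot."""
    return sorted(n for n in root_snapshot if n in DROPPED_NAMES)


def check_system(system_snapshot):
    """Return protected binaries whose size has been zeroed out."""
    return sorted(n for n in TRUNCATED_TARGETS if system_snapshot.get(n) == 0)


def triage(root_snapshot, system_snapshot):
    """Combine both checks; `suspicious` is True if any indicator matched."""
    dropped = check_root(root_snapshot)
    zeroed = check_system(system_snapshot)
    return {"dropped": dropped, "zeroed": zeroed,
            "suspicious": bool(dropped or zeroed)}


# Constructed sample snapshots (not taken from a real host).
SAMPLE_ROOT = {"boot.ini": 211, "webcam_004.pif": 24576, "oms.exe": 90112}
SAMPLE_SYSTEM = {"cmd.exe": 0, "taskmgr.exe": 0, "notepad.exe": 69120}
CLEAN_SYSTEM = {"cmd.exe": 388608, "taskmgr.exe": 139264}

if __name__ == "__main__":
    # On a live Windows host you would pass snapshot_directory("C:\\") and
    # snapshot_directory(os.path.join(os.environ["SystemRoot"], "system32")).
    print(triage(SAMPLE_ROOT, SAMPLE_SYSTEM))
```

A match on the zero-byte check alone is a strong signal even when the dropper has already been deleted, since the truncated binaries remain unexecutable after cleanup.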

Affected Products

Microsoft Windows Operating Systems.

Impact

System compromise: worm infection.

Recommended Actions

The default action has been set to pass. If this signature is not triggered by legitimate traffic in your network environment, change its action to "reset session" and disinfect the system that sent or received the packets. Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed. If required, enable the "Allow Push Update" option.