W32/Rbot.AIZ!worm
Analysis
This IRC bot threat may have been installed by an Internet worm known as "W32/Bropia.E-net". That worm tries to send itself to other MSN Messenger contacts under one of these file names:
Webcam.pif
hahahaha.pif
naked_drunk.pif
sister.pif
me_2005.pif
This threat will also install an IRC bot as the file "svchosts.exe".
This bot is identified with current AV db update as "W32/Rbot.AIZ-net".
Loading at Windows Startup
When run on a system, this virus first copies itself to the root of the boot drive as "LOL.scr". It then installs "Rbot.AIZ" in the System32 folder and registers it to run at each Windows startup through the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\OLE
"ine" = svchosts.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"ine" = svchosts.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"ine" = svchosts.exe
Rbot.AIZ is packed with ASPack and has a file size of 122,368 bytes.
IRC Connection
"Rbot.AIZ" will attempt to connect to one of two hard-coded IRC servers with these names:
ilusion-free.com
irc.arness.si
After connecting, the threat awaits instructions from a malicious user.
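The file, registry and IRC-server indicators listed in the two sections above can be checked on a suspect host in one pass. The PowerShell script below is an added example for this page, not Fortinet's code; it is read-only and only reports what it finds. The value name "ine", the two file names and the two IRC hostnames come from the analysis above; the use of the DNS client cache as evidence of a C2 lookup is an assumption of this example, and Get-DnsClientCache needs Windows 8 / Server 2012 or later.

```powershell
# Added triage script (not Fortinet's code): checks a Windows host for the
# W32/Rbot.AIZ indicators named in the write-up above. Run elevated.
$findings = @()

# 1. Dropped files: LOL.scr at the root of the boot drive, svchosts.exe in System32
$paths = @(
    (Join-Path $env:SystemDrive 'LOL.scr'),
    (Join-Path $env:SystemRoot 'System32\svchosts.exe')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $size = (Get-Item -LiteralPath $p).Length
        # The write-up gives 122,368 bytes for the ASPack-packed bot; a different
        # size does not clear the file, it only means a different build or packing.
        $findings += "File present: $p ($size bytes; write-up reports 122,368 bytes)"
    }
}

# 2. Persistence: value "ine" = svchosts.exe under the three keys from the write-up
$runKeys = @(
    'HKCU:\Software\Microsoft\OLE',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($k in $runKeys) {
    if (Test-Path -Path $k) {
        # -ErrorAction SilentlyContinue: a missing value name yields $null, not an error
        $v = Get-ItemProperty -Path $k -Name 'ine' -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            $findings += "Registry value: $k\ine = $($v.ine)"
        }
    }
}

# 3. C2: the two hard-coded IRC hostnames, looked up in the DNS client cache.
#    A cache hit only shows the name was resolved recently (assumption of this
#    example); absence of a hit does not prove the bot never connected.
$c2Hosts = @('ilusion-free.com', 'irc.arness.si')
$cache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($h in $c2Hosts) {
    $hit = $cache | Where-Object { $_.Entry -ieq $h -or $_.Name -ieq $h }
    if ($hit) {
        $findings += "DNS cache entry for IRC server: $h"
    }
}

# Report
if ($findings.Count -eq 0) {
    Write-Output 'No W32/Rbot.AIZ indicators from the write-up were found on this host.'
} else {
    Write-Output 'W32/Rbot.AIZ indicators found:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Because the bot blocks CMD.exe and TASKMGR.exe by name (see the next section), running this check from a PowerShell console rather than a cmd window avoids that interference; any hit should be followed by a full AV scan with the current database rather than manual deletion alone.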
Utility Blocking
This threat monitors attempts to launch two debugging utilities, CMD and Task Manager, and prevents the infected system from running CMD.exe and TASKMGR.exe. As a workaround, copy CMD.EXE as "Copy of CMD.exe" and run the copy; the same approach restores the use of Task Manager.
Recommended Action
Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
Detection Availability
Product | Detection Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |