Virus

W32/Bropia.G!worm.im

Analysis

  • Drops the file l0l_53xy_l0l.html to the current directory and opens it via Microsoft Internet Explorer. This HTML document is not malicious but just connects to the following websites:

  • Copies itself to the System folder as Isass.exe.
  • Adds the value
    Anti = %SYSTEM%\Isass.exe, where %SYSTEM% refers to the System folder
    to the registry subkeys
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

  • Creates several copies of itself in the root folder of Drive C. The copies have the following filenames:

    • Beautiful Ass.pif
    • Kool.pif
    • Me & you pic!.pif
    • Me Pissed!.pif
    • sexy.pif
    • She Could Fit her Ass in a Teacup.pif
    • she's fuckin fit.pif
    • titanic2.jpg.pif
    • John Kerry as Super Chicken.scr
  • Attempts to terminate the following processes:

    • taskmgr.exe
    • regedit.exe
  • Sends a copy of itself via MSN messenger to the user's contact list.
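
A defender's check for the host indicators listed above, as an added example that is not part of the original advisory: it matches the `Anti` Run/RunServices value, the dropped `Isass.exe` and HTML file, and the root-folder copies against autorun entries and file paths collected from a host. The function names, the input tuple shape, and the sample data (including the `C:\WINDOWS\system32` location) are assumptions made for illustration.

```python
import ntpath
import re

# Indicators listed in the analysis above, lower-cased for comparison.
BASE = r"hklm\software\microsoft\windows\currentversion" + "\\"
RUN_KEYS = {BASE + "run", BASE + "runservices"}
RUN_VALUE = "anti"
DROPPED = {"isass.exe", "l0l_53xy_l0l.html"}
ROOT_COPIES = {
    "beautiful ass.pif", "kool.pif", "me & you pic!.pif", "me pissed!.pif",
    "sexy.pif", "she could fit her ass in a teacup.pif",
    "she's fuckin fit.pif", "titanic2.jpg.pif",
    "john kerry as super chicken.scr",
}
# Matches the dropped image name even when the value is quoted or has arguments.
IMAGE_RE = re.compile(r'(?:^|[\\/"])isass\.exe(?:$|["\s])', re.I)


def check_autoruns(entries):
    """entries: (key, value_name, data) tuples; returns those matching the worm."""
    hits = []
    for key, name, data in entries:
        if key.lower().rstrip("\\") not in RUN_KEYS:
            continue
        if name.lower() == RUN_VALUE or IMAGE_RE.search(data):
            hits.append((key, name, data))
    return hits


def check_files(paths):
    """paths: full Windows paths; returns those matching the dropped files."""
    hits = []
    for p in paths:
        drive, rest = ntpath.splitdrive(p)
        folder, fname = ntpath.split(rest)
        in_c_root = drive.lower() == "c:" and folder in ("\\", "/")
        if fname.lower() in DROPPED or (in_c_root and fname.lower() in ROOT_COPIES):
            hits.append(p)
    return hits


# Constructed sample telemetry, not taken from a real host.
SAMPLE_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Anti", r"C:\WINDOWS\system32\Isass.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_FILES = [r"C:\titanic2.jpg.pif", r"C:\Docs\Kool.pif", r"C:\WINDOWS\system32\lsass.exe"]
if __name__ == "__main__":
    print(check_autoruns(SAMPLE_AUTORUNS), check_files(SAMPLE_FILES))
```

The dropped file name begins with a capital "I", so the legitimate `lsass.exe` in the sample is not reported.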

Recommended Action

Using the web interface for your FortiGate unit, check the main screen to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.