W32/Bropia.M!worm.im
Analysis
- Copies itself to the root folder of Drive C as the following:
- Beautiful Ass.pif
- John Kerry as Super Chicken.scr
- Kool.pif
- Me & you pic!.pif
- Me Pissed!.pif
- sexy.pif
- She Could Fit her Ass in a Teacup.pif
- she's fuckin fit.pif
- titanic2.jpg.pif
- Copies itself to the System folder as ISASS.EXE.
- Adds the following values to run itself at each Windows startup:
Isass = "%System%\ISASS.EXE"
Anti = "%System%\ISASS.EXE"
NvMsnW = "%System%\ISASS.EXE"
to the following subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Note: %System% refers to the System folder.
- Drops the file l0l_53xy_l0l.html and opens it with Microsoft Internet Explorer. When this file is opened, it connects to one of the following web sites and then displays an image:
- counter.rapidcounter.com
- www.freewebs.com
- Terminates the following processes:
- msconfig.exe
- regedit.exe
- taskmgr.exe
- Spreads by sending a copy of itself via MSN instant messenger.
- May attempt to swap the left and right mouse buttons.
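A quick triage check for the persistence values and dropped copies listed above, added here as a PowerShell example (not Fortinet's own tooling). It assumes an elevated session on the affected host; since the analysis does not state where l0l_53xy_l0l.html is dropped, the script checks the same two folders for it as an assumption.

```powershell
# Added example (not Fortinet's tooling): looks for the autorun values, the
# System-folder copy and the root-of-C drops attributed to W32/Bropia.M above.
$sys = [Environment]::GetFolderPath('System')   # %System%

# Indicators taken from the analysis section
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
$valueNames = @('Isass', 'Anti', 'NvMsnW')
$rootDrops = @(
    'Beautiful Ass.pif', 'John Kerry as Super Chicken.scr', 'Kool.pif',
    'Me & you pic!.pif', 'Me Pissed!.pif', 'sexy.pif',
    'She Could Fit her Ass in a Teacup.pif', "she's fuckin fit.pif",
    'titanic2.jpg.pif'
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Autorun values whose data ends in ISASS.EXE (capital I, unlike lsass.exe)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $valueNames) {
        $prop = $props.PSObject.Properties[$name]
        if ($prop -and $prop.Value -match '(?i)\\ISASS\.EXE$') {
            $findings.Add("autorun: $key\$name = $($prop.Value)")
        }
    }
}

# 2. Worm copy in the System folder
$isass = Join-Path $sys 'ISASS.EXE'
if (Test-Path -LiteralPath $isass) { $findings.Add("file: $isass") }

# 3. Copies in the root of drive C
foreach ($name in $rootDrops) {
    $p = Join-Path 'C:\' $name
    if (Test-Path -LiteralPath $p) { $findings.Add("file: $p") }
}

# 4. HTML lure; drop location is not given in the analysis, so both folders
#    above are checked (assumption)
foreach ($dir in @('C:\', $sys)) {
    $p = Join-Path $dir 'l0l_53xy_l0l.html'
    if (Test-Path -LiteralPath $p) { $findings.Add("file: $p") }
}

if ($findings.Count -eq 0) { 'No W32/Bropia.M indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```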
Recommended Action
FortiGate systems:
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Telemetry
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |