W32/Bropia.M!worm.im

Analysis

  • Copies itself to the root folder of Drive C as the following:
    • Beautiful Ass.pif
    • John Kerry as Super Chicken.scr
    • Kool.pif
    • Me & you pic!.pif
    • Me Pissed!.pif
    • sexy.pif
    • She Could Fit her Ass in a Teacup.pif
    • she's fuckin fit.pif
    • titanic2.jpg.pif

  • Copies itself to the System folder as ISASS.EXE.
  • Adds the following values to run itself at each Windows startup:
    Isass = "%System%\ISASS.EXE"
    Anti = "%System%\ISASS.EXE"
    NvMsnW = "%System%\ISASS.EXE"
    to the following subkeys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Note: %System% refers to the System folder.
  • Drops the file l0l_53xy_l0l.html and opens it with Microsoft Internet Explorer. When this file is opened, it connects to one of the following web sites and then displays an image:
    • counter.rapidcounter.com
    • www.freewebs.com

  • Terminates the following processes:
    • msconfig.exe
    • regedit.exe
    • taskmgr.exe

  • Spreads by sending a copy of itself via MSN instant messenger.
  • May attempt to swap the left and right mouse buttons.
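
The startup entries listed above can be checked for in a registry export during triage. The following is an added example, not part of the original write-up: it parses the text of a `reg export` dump and flags string values under the two subkeys whose data points to ISASS.EXE. The function names and the sample dump are constructed for illustration.

```python
import re

# Indicators from the analysis above; matching is case-insensitive.
RUN_SUBKEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
VALUE_NAMES = {"isass", "anti", "nvmsnw"}
# ISASS.EXE (capital I) is easily misread as the legitimate lsass.exe.
EXE_RE = re.compile(r'(?:^|\\)isass\.exe(?:"|\s|$)', re.IGNORECASE)
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)

def find_bropia_autoruns(reg_text):
    """Return (subkey, name, data, reason) per hit; reg_text is decoded text (exports are UTF-16 on disk)."""
    hits, subkey = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            subkey = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or subkey is None or subkey.lower() not in RUN_SUBKEYS:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        if EXE_RE.search(data):
            reason = "name+file" if name.lower() in VALUE_NAMES else "file only"
            hits.append((subkey, name, data, reason))
    return hits

# Constructed sample export (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMsnW"="C:\\WINDOWS\\system32\\ISASS.EXE"
"Updater"="C:\\WINDOWS\\system32\\isass.exe /q"
"Example"="C:\\Program Files\\Example\\example.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Anti"="C:\\WINDOWS\\system32\\ISASS.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Isass"="C:\\WINDOWS\\system32\\ISASS.EXE"
'''
```

A "file only" hit means the data references ISASS.EXE under a value name other than the three listed, which is still worth reviewing.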

Recommended Action

    FortiGate systems:
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

Telemetry

Detection Availability

  • FortiClient: Extreme
  • FortiMail: Extreme
  • FortiSandbox: Extreme
  • FortiWeb: Extreme
  • Web Application Firewall: Extreme
  • FortiIsolator: Extreme
  • FortiDeceptor: Extreme
  • FortiEDR