Alias/es: W32/Agobot.AJC-tr, W32/BROPIA.F!worm, W32/Bropia.F-net, W32/BROPIA.F-wm, WORM_BROPIA.F [Trend]
Detection Availability
Visible Symptoms
Detailed Analysis

This Internet worm tries to send itself to other MSN Messenger contacts under one of the following file names:

Webcam.pif
naked_drunk.pif

The worm also installs an IRC bot as the file "winhost.exe". With the current AV database update this bot is identified as "W32/Rbot.AJC-net".

Loading at Windows Startup

After it is run on a system, the worm copies itself to the root of the boot drive as "LOL.scr". It then installs "Rbot.AJC" in the System32 folder and registers it to run at each Windows startup through the following registry values:

HKEY_CURRENT_USER\Software\Microsoft\OLE "win32" = winhost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "win32" = winhost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "win32" = winhost.exe

Rbot.AJC is packed; its file size is 124,416 bytes.

IRC Connection

"Rbot.AJC" attempts to connect to a hard-coded IRC server and then awaits instructions from a malicious user.

Utility Blocking

This threat monitors attempts to run two system utilities, the command prompt and Task Manager, and prevents the infected system from running CMD.exe and TASKMGR.exe. The block appears to key on the file name: copying CMD.EXE to "Copy of CMD.exe" and running the copy restores access to the command prompt, and the same can be done with Task Manager.
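As an added example, not part of the Fortinet analysis, the PowerShell function below sweeps a Windows host for the file, registry and process indicators listed above. The paths, the "win32" value name, the winhost.exe file name and the 124,416-byte size come from the analysis; the function name Test-BropiaIndicators, the output shape and the process check are this example's own assumptions.

```powershell
# Added example (not from the Fortinet page): sweep a host for the
# Bropia.F / Rbot.AJC artefacts described in the Detailed Analysis.
# Run from an elevated PowerShell prompt. If CMD.exe is blocked as the
# analysis describes, PowerShell itself is a separate binary and still runs.

function Test-BropiaIndicators {
    [CmdletBinding()]
    param(
        # Packed size of winhost.exe reported in the analysis
        [long]$ExpectedBotSize = 124416
    )

    $findings = @()

    # 1. Worm copy dropped at the root of the boot drive
    $wormCopy = Join-Path $env:SystemDrive 'LOL.scr'
    if (Test-Path -LiteralPath $wormCopy) {
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $wormCopy
            Detail   = 'Worm copy at boot-drive root'
        }
    }

    # 2. IRC bot dropped into System32; compare size against the analysis
    $bot = Join-Path $env:SystemRoot 'System32\winhost.exe'
    if (Test-Path -LiteralPath $bot) {
        $size = (Get-Item -LiteralPath $bot).Length
        $sizeNote = if ($size -eq $ExpectedBotSize) {
            'size matches analysis'
        } else {
            "size $size differs from $ExpectedBotSize (possible repack or other variant)"
        }
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $bot
            Detail   = "Bot binary present; $sizeNote"
        }
    }

    # 3. Autostart entries: value "win32" = winhost.exe under the three keys
    #    named in the analysis. RunServices usually does not exist on NT-based
    #    Windows, so a missing key is skipped rather than reported.
    $autostartKeys = @(
        'HKCU:\Software\Microsoft\OLE',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
    )
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $value = (Get-ItemProperty -LiteralPath $key -Name 'win32' -ErrorAction SilentlyContinue).win32
        if ($value -and $value -match 'winhost\.exe') {
            $findings += [pscustomobject]@{
                Type     = 'Registry'
                Location = "$key\win32"
                Detail   = "= $value"
            }
        }
    }

    # 4. Bot process already running (matched by image name only; confirm
    #    against the System32 path above before acting on it)
    Get-Process -Name 'winhost' -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{
            Type     = 'Process'
            Location = "PID $($_.Id)"
            Detail   = $_.Path
        }
    }

    return $findings
}

# Usage: an empty table means none of the listed indicators were found.
Test-BropiaIndicators | Format-Table -AutoSize
```

The registry check matches on the value data rather than only on the value name, so a legitimate "win32" value that happens to exist under one of these keys is not reported unless it points at winhost.exe. A size mismatch on winhost.exe is reported rather than suppressed, since a repacked or later variant of the same bot would still use the file name the analysis gives while differing in size.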
Recommended Action: Check the web interface of your FortiGate unit to ensure the latest AV/NIDS definitions have been downloaded and installed on your system; if required, enable the "Allow Push Update" option.