W32/Bropia.G!worm.im - Released Feb 25, 2005 - Last Updated Apr 11, 2006
Alias/es: IM-Worm.Win32.Bropia.f, W32/Bropia-M, W32/Bropia.N-net, W32/Kelvir.F-net, WORM_BROPIA.N
Visible Symptoms
- The following files exist in the root folder of Drive C: Beautiful Ass.pif, Kool.pif, Me & you pic!.pif, Me Pissed!.pif, sexy.pif, She Could Fit her Ass in a Teacup.pif, she's fuckin fit.pif, titanic2.jpg.pif and John Kerry as Super Chicken.scr.
- The file Isass.exe exists in the System folder. Note that the first letter is an uppercase i and not a lowercase l.
- Microsoft Internet Explorer is executed to open the HTML document l0l_53xy_l0l.html.
Detailed Analysis
- Drops the file l0l_53xy_l0l.html to the current directory and opens it via Microsoft Internet Explorer. This HTML document is not malicious in itself; it only connects to the following websites:
  - http://www.freewebs.com
  - http://counter.rapidcounter.com
- Copies itself to the System folder as Isass.exe.
- Adds the value Anti = %SYSTEM%\Isass.exe (where %SYSTEM% refers to the System folder) to the registry subkeys:
  - HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  - HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
- Creates several copies of itself in the root folder of Drive C. The copies have the following filenames:
  - Beautiful Ass.pif
  - Kool.pif
  - Me & you pic!.pif
  - Me Pissed!.pif
  - sexy.pif
  - She Could Fit her Ass in a Teacup.pif
  - she's fuckin fit.pif
  - titanic2.jpg.pif
  - John Kerry as Super Chicken.scr
- Attempts to terminate the following processes:
- Sends a copy of itself via MSN Messenger to the user's contact list.
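The indicators above can be checked on a single host with the following script. It is an added example, not Fortinet's own tooling, and assumes an elevated PowerShell session on the affected Windows machine. The one point worth care is the Isass.exe check: Windows file names are case-insensitive, so Test-Path 'Isass.exe' in the System folder would also match the legitimate lsass.exe, and the stored name has to be compared case-sensitively to tell the uppercase i from the lowercase l. The RunServices key may not exist on the host; the script treats its absence as a non-finding.

```powershell
# Added example (not Fortinet's own tooling): checks one host for the
# W32/Bropia.G indicators listed in this entry and prints one line per finding.

$droppedNames = @(
    'Beautiful Ass.pif', 'Kool.pif', 'Me & you pic!.pif', 'Me Pissed!.pif', 'sexy.pif',
    'She Could Fit her Ass in a Teacup.pif', "she's fuckin fit.pif", 'titanic2.jpg.pif',
    'John Kerry as Super Chicken.scr', 'l0l_53xy_l0l.html'
)

$findings = @()

# 1. Dropped copies in the root folder of Drive C (-contains is case-insensitive,
#    which is fine here: the file names themselves are the indicator).
foreach ($f in Get-ChildItem -Path 'C:\' -File -Force -ErrorAction SilentlyContinue) {
    if ($droppedNames -contains $f.Name) {
        $findings += "Dropped file: $($f.FullName)"
    }
}

# 2. Isass.exe in the System folder. Compare the stored name with -ceq so that the
#    legitimate lsass.exe (lowercase l) is not reported as a hit.
$systemDir = [Environment]::SystemDirectory
foreach ($f in Get-ChildItem -Path $systemDir -File -Force -ErrorAction SilentlyContinue) {
    if ($f.Name -ceq 'Isass.exe') {
        $findings += "Lookalike binary: $($f.FullName)"
    }
}

# 3. Autorun value named "Anti" under Run / RunServices. RunServices is assumed to be
#    absent on many hosts, so a missing key is silently skipped.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.Anti) {
        $findings += "Autorun entry: $key\Anti = $($props.Anti)"
    }
}

if ($findings.Count -eq 0) { 'No W32/Bropia.G indicators found.' } else { $findings }
```

Any finding from the second or third check is a stronger signal than the first, since the dropped .pif/.scr names are easy to delete while the System-folder copy and the Run value are what keep the worm resident across reboots.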
Recommended Action
Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.