
W32/Bropia.I!worm.im - Released Feb 07, 2005 - Last Updated Feb 13, 2005

Alias/es

IM-Worm.Win32.Bropia.d [KAV], W32/Bropia-I [Sophos], W32/Bropia.I-net, W32/Bropia.I-tr, W32/Bropia.worm.k [McAfee], W32/Kelvir.I-tr, WORM_BROPIA.I [Trend]

Detection Availability

Active Database / Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • Infected systems have the mouse right-click disabled

  • Task Manager and the command line (CMD) are also inaccessible on a compromised system

Detailed Analysis

This virus spreads through MSN Internet Messenger. Once received and executed, it loads into memory and then drops the file "svchosts.exe" into the System32 folder. That file is a second piece of malware, detected as "W32/SDBot.4ACB-net".


Loading at Windows Startup
When this virus is run, it registers itself to load at each Windows startup by adding a registry value named "ine" with the data "svchosts.exe" under each of the following keys:

HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USER\Software\Microsoft\OLE

After a restart, the infected machine is exposed to remote attack because the SDBot component is loaded along with it.


.PIF file creation
This virus drops the following files in the root folder ("C:\"); these copies are then sent on to the user's MSN Internet Messenger contacts:

hahahaha.pif
LOL.scr
me_2005.pif
naked_drunk.pif
Webcam.pif
cz.exe

The virus then disables the mouse right-click and blocks access to Task Manager (taskmgr.exe) and the command line (cmd.exe).
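As an added example (not part of the Fortinet entry), the following Python script checks a registry export (.reg text) for the "ine" = "svchosts.exe" persistence marker described above and a file listing for the dropped file names; the sample inputs are constructed, and the script assumes standard hive spellings (HKEY_LOCAL_MACHINE, HKEY_USERS) for the keys listed on this page.

```python
import re
# Persistence keys named in the advisory (standard hive spellings assumed; the
# HKEY_USERS path is a hypothetical normalisation of the page's HKEY_USER entry).
DOCUMENTED_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_USERS\Software\Microsoft\OLE",
}
# File names the advisory says the worm drops into C:\ and System32.
DROPPED_FILES = {"hahahaha.pif", "lol.scr", "me_2005.pif", "naked_drunk.pif",
                 "webcam.pif", "cz.exe", "svchosts.exe"}

def scan_reg_export(reg_text):
    """Return (key, documented) for every key carrying the "ine"="svchosts.exe" marker."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key section in the .reg export
            continue
        m = re.fullmatch(r'"([^"]+)"="([^"]*)"', line)   # "name"="string data"
        if m and key and m.group(1).lower() == "ine" and m.group(2).lower() == "svchosts.exe":
            hits.append((key, key in DOCUMENTED_KEYS))
    return hits

def scan_file_listing(paths):
    """Return paths whose base name matches one of the dropped file names (case-insensitive)."""
    return [p for p in paths if p.replace("\\", "/").rsplit("/", 1)[-1].lower() in DROPPED_FILES]

# Constructed sample input: a .reg export with a clean value, two documented hits
# and one hit in a key the advisory does not list.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
"ine"="svchosts.exe"
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"ine"="svchosts.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ine"="svchosts.exe"
'''
# Constructed sample listing; svchost.exe (no trailing s) is the legitimate binary.
SAMPLE_FILES = [r"C:\hahahaha.pif", r"C:\Windows\System32\svchosts.exe",
                r"C:\Windows\System32\svchost.exe", r"C:\notes.txt"]

if __name__ == "__main__":
    for key, documented in scan_reg_export(SAMPLE_REG):
        print(f"persistence marker in {key} (documented key: {documented})")
    print("dropped files:", scan_file_listing(SAMPLE_FILES))
```

The third registry hit is reported with documented=False, so a variant using an undocumented key is still surfaced rather than silently skipped.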

Recommended Action

  • Delete copies of the virus:

    hahahaha.pif
    LOL.scr
    me_2005.pif
    naked_drunk.pif
    Webcam.pif
    cz.exe

    C:\Windows\System32\svchosts.exe


  • Check the web interface of your FortiGate unit to ensure the latest AV/NIDS definitions have been downloaded and installed on your system; if required, enable the "Allow Push Update" option


Reference: ID - 166972