Intrusion Prevention

W32/Bropia.D-net.MSNP2P

Description

This indicates a possible W32/Bropia.D-net worm passing through the network on TCP ports 80 or 1863, using the MSNP2P protocol.
When the W32/Bropia.D-net worm is executed, it drops a copy of itself in the root directory using any of the following file names:
LOL.scr
Webcam.pif
hahahaha.pif
me_2005.pif
sister.pif
It then attempts to propagate via MSN Messenger by sending a copy of itself under any of the file names listed above. The worm also drops the file cz.exe in the root directory. It truncates the following files to 0 bytes to prevent them from executing:
CMD.EXE
TASKMGR.EXE
It can also disable the right mouse button function and make cmd and Task Manager unexecutable, which is also an effect of the variant it copies to the system.
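The host artifacts described above can be checked with a short triage script. This is an added example, not part of the original advisory or any vendor tool; the function name `triage` and the default paths `C:\` and `C:\Windows\System32` are assumptions, since the page does not say which drive's root directory or where CMD.EXE and TASKMGR.EXE reside.

```python
import os
import sys

# File names the description lists as dropped in the root directory
# (the worm copies plus cz.exe). Windows names are case-insensitive,
# so everything is compared lower-cased.
DROPPED_NAMES = {"lol.scr", "webcam.pif", "hahahaha.pif",
                 "me_2005.pif", "sister.pif", "cz.exe"}
# Files the description says are truncated to 0 bytes.
TRUNCATED_NAMES = ("cmd.exe", "taskmgr.exe")


def triage(root_dir, system_dir):
    """Return a sorted list of (finding, path) tuples for the listed artifacts."""
    findings = []
    for entry in os.scandir(root_dir):
        if entry.is_file() and entry.name.lower() in DROPPED_NAMES:
            findings.append(("dropped-file", entry.path))

    # Index the system directory by lower-cased name for the size check.
    by_name = {e.name.lower(): e
               for e in os.scandir(system_dir) if e.is_file()}
    for name in TRUNCATED_NAMES:
        entry = by_name.get(name)
        if entry is None:
            # Not behaviour the page describes; reported so that a wrong
            # system_dir is not mistaken for a clean result.
            findings.append(("not-found", os.path.join(system_dir, name)))
        elif entry.stat().st_size == 0:
            findings.append(("zero-byte", entry.path))
    return sorted(findings)


if __name__ == "__main__":
    # Default paths are assumptions; pass the real ones as arguments.
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    system = sys.argv[2] if len(sys.argv) > 2 else "C:\\Windows\\System32"
    results = triage(root, system)
    for kind, path in results:
        print(f"{kind}\t{path}")
    # Non-zero exit status when anything was flagged, for use in scripts.
    sys.exit(1 if results else 0)
```

A file name match alone is only an indicator; confirm with an up-to-date antivirus scan before disinfecting the host.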

Affected Products

Microsoft Windows Operating Systems.

Impact

System compromise: worm infection.

Recommended Actions

The default action has been set to pass. If this signature is not triggered by legitimate traffic in your network environment, change its action to reset session, and disinfect the system which received or sent the packets. Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed. If required, enable the "Allow Push Update" option.