Intrusion Prevention

W32/Bropia.E-net.MSNFTP

Description

This indicates a possible W32/Bropia.E-net worm passing through the network on TCP port 11178 using the MSNFTP protocol.
When this worm is executed it drops a copy of itself in the root directory using any of the following file names:
hahahaha.pif
LOL.scr
me_2005.pif
naked_drunk.pif
sister.pif
Webcam.pif
It then attempts to propagate itself via MSN Messenger, by sending a copy of itself using any of the above mentioned file names. This worm also drops the file winis.exe in the root folder.
It changes the byte size to 0 for the following files to preventing them from executing:
CMD.EXE
TASKMGR.EXE
It can disable the right mouse button and make cmd and taskmanager unexecutable.

Affected Products

Microsoft Windows Operating Systems.

Impact

System compromise: worm infection.

Recommended Actions

The default action has been set to "pass". If this signature is not triggered by legitimate traffic in your network environment, change its action to "reset session", and disinfect the system which received/sent the packets. Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.