[virusinfo] W32/Forbot-BZ
- From: "Mike" <mikebike@xxxxxxxxx>
- To: virusinfo@xxxxxxxxxxxxx
- Date: Fri, 08 Apr 2005 16:52:04 -0700
From; Sophos Alert System:
Name: W32/Forbot-BZ
Aliases: WOOTBOT
Type: Win32 worm
Date: 8 April 2005
A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the May 2005 (3.93) release of Sophos Anti-Virus.
Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.
At the time of writing, Sophos has received a small number of
reports of this worm from the wild.
Note: The IDE issued for W32/Forbot-BZ at 06:56 GMT on 28 Oct
2004 also contained detection for W32/Rbot-OF, W32/Rbot-OG,
Troj/Dloader-DN, Troj/Boxed-L, W32/Rbot-OH, W32/Famus-D and
W32/Sdbot-QR. This IDE has now been updated to enhance detection
of Troj/Dloader-DN.
Information about W32/Forbot-BZ can be found at:
http://www.sophos.com/virusinfo/analyses/w32forbotbz.html
W32/Forbot-BZ is a IRC backdoor Trojan and network worm for the Windows
platform.
In order to run automatically when Windows starts up the worm moves itself to
the Windows system folder as mplayer.exe and creates the following registry
entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 Configuration = mplayer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 Configuration = mplayer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32 Configuration = mplayer.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 Configuration = mplayer.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 Configuration = mplayer.exe
W32/Forbot-BZ also creates its own service named "Windows Manage", with the
display name "Win32 Configuration".
Once installed, W32/Forbot-BZ connects to a preconfigured IRC server and joins
a channel from which an attacker can issue further commands. These commands can
cause the infected machine to perform any of the following actions:
flood a remote host (by either ping or HTTP)
start a SOCKS4 proxy server
start an HTTP server
start an FTP server
portscan randomly-chosen IP addresses
execute arbitrary commands
steal information such as passwords and product keys
upload/download files
The worm can spread to unpatched machines affected by the LSASS vulnerability
(see MS04-011) and through backdoors left open by the Troj/Optix family of
Trojans.
This IDE file also includes detection for:
W32/Rbot-OF
http://www.sophos.com/virusinfo/analyses/w32rbotof.html
W32/Rbot-OG
http://www.sophos.com/virusinfo/analyses/w32rbotog.html
Troj/Dloader-DN
http://www.sophos.com/virusinfo/analyses/trojdloaderdn.html
Troj/Boxed-L
http://www.sophos.com/virusinfo/analyses/trojboxedl.html
W32/Rbot-OH
http://www.sophos.com/virusinfo/analyses/w32rbotoh.html
W32/Famus-D
http://www.sophos.com/virusinfo/analyses/w32famusd.html
W32/Sdbot-QR
http://www.sophos.com/virusinfo/analyses/w32sdbotqr.html
Download the IDE file from:
http://www.sophos.com/downloads/ide/forbotbz.ide
Download all the IDE files available for the current version of
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:
Zip file:
http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe
Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
*********** MIKE"S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
Other related posts:
