[virusinfo] W32/Forbot-EP

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Sat, 05 Mar 2005 09:08:32 -0800

From: Sophos Alert System:

Name: W32/Forbot-EP
Aliases: Backdoor.Win32.Wootbot.gen
Type: Win32 worm
Date: 5 March 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the April 2005 (3.92) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Information about W32/Forbot-EP can be found at:
http://www.sophos.com/virusinfo/analyses/w32forbotep.html

W32/Forbot-EP is a worm which attempts to spread to remote network shares and
computers vulnerable to common exploits. W32/Forbot-EP also contains backdoor
Trojan functionality, allowing unauthorised remote access to the infected
computer via the IRC network, while running in the background as a service
process.

W32/Forbot-EP connects to a preconfigured IRC channel and awaits commands from
a remote intruder. These include commands to steal information, delete network
shares, reduce system security, start a proxy server, participate in DDoS
attacks, exploit vulnerabilities, steal registration keys for computer games
and harvest email addresses from the Windows address book and Instant Messenger
configuration files.

W32/Forbot-EP copies itself to the Windows system folder and creates the
following registry entries to run itself automatically on log-on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
  Windows Domain Name Drivers = windns.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
  Windows Domain Name Drivers = windns.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
  Windows Domain Name Drivers = windns.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
  Windows Domain Name Drivers = windns.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
  Windows Domain Name Drivers = windns.exe

On NT based versions of Windows (XP, 2000, NT) windns.exe is run as a new service
named "IEXPLORER-Drivers" with a display name of "Windows Domain Name Drivers".
New registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\IEXPLORER-Drivers
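The autorun values and service name above are the host artifacts a defender can check for. The following PowerShell script is an added example, not part of the Sophos alert; it is read-only, assumes an elevated session, and assumes System32 as the "Windows system folder" for the dropped copy.

```powershell
# Added example, not part of the Sophos alert: read-only check of a Windows host
# for the W32/Forbot-EP persistence artifacts the alert lists.
# Assumption: run in an elevated session so HKLM and the service database are readable.
$valueName   = 'Windows Domain Name Drivers'   # registry value name from the alert
$payload     = 'windns.exe'                    # dropped file name from the alert
$serviceName = 'IEXPLORER-Drivers'             # service name from the alert
# The five autorun keys the alert lists; keys absent on this Windows version are skipped.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
function Find-ForbotEPArtifacts {
    $findings = @()
    foreach ($key in $runKeys) {
        $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $data = $item.$valueName
            $findings += [pscustomobject]@{
                Type     = 'RegistryValue'
                Location = "$key\$valueName"
                Data     = $data
                # exact match when the value launches windns.exe, as the alert describes
                Exact    = [bool]($data -match [regex]::Escape($payload))
            }
        }
    }
    # Service registered under HKLM\SYSTEM\CurrentControlSet\Services\IEXPLORER-Drivers
    $svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    if ($null -ne $svc) {
        $findings += [pscustomobject]@{
            Type     = 'Service'
            Location = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
            Data     = $svc.DisplayName
            Exact    = ($svc.DisplayName -eq $valueName)   # display name given in the alert
        }
    }
    # Dropped copy; System32 is assumed here as the "Windows system folder" on NT-based Windows.
    $sysCopy = Join-Path $env:SystemRoot "System32\$payload"
    if (Test-Path -Path $sysCopy) {
        $findings += [pscustomobject]@{ Type = 'File'; Location = $sysCopy; Data = (Get-Item $sysCopy).Length; Exact = $true }
    }
    return $findings
}

$hits = @(Find-ForbotEPArtifacts)
if ($hits.Count -eq 0) { 'No W32/Forbot-EP persistence artifacts found.' } else { $hits | Format-Table -AutoSize }
```

A value or service with these names but different data (Exact = False) is still worth a look, since the names alone are unusual for legitimate software.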

This IDE file also includes detection for:

W32/Kipis-J
http://www.sophos.com/virusinfo/analyses/w32kipisj.html
W32/Codbot-H
http://www.sophos.com/virusinfo/analyses/w32codboth.html
W32/Agobot-AMI
http://www.sophos.com/virusinfo/analyses/w32agobotami.html
Troj/LowZone-Q
http://www.sophos.com/virusinfo/analyses/trojlowzoneq.html
Troj/Bancban-BR
http://www.sophos.com/virusinfo/analyses/trojbancbanbr.html
Troj/Borodldr-A
http://www.sophos.com/virusinfo/analyses/trojborodldra.html
Troj/Bancos-BJ
http://www.sophos.com/virusinfo/analyses/trojbancosbj.html
Troj/Padodor-X
http://www.sophos.com/virusinfo/analyses/trojpadodorx.html
Troj/Hexem-A
http://www.sophos.com/virusinfo/analyses/trojhexema.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/forbotep.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 


