[virusinfo] W32/Forbot-ER

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Mon, 07 Mar 2005 08:49:13 -0800

From; Sophos Alert System:

Name: W32/Forbot-ER
Aliases: Backdoor.Win32.Wootbot.u
Type: Win32 worm
Date: 7 March 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the April 2005 (3.92) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Information about W32/Forbot-ER can be found at:
http://www.sophos.com/virusinfo/analyses/w32forboter.html

W32/Forbot-ER is a network worm which attempts to spread via network shares. 
The worm contains backdoor functions that allow unauthorised remote access to 
the infected computer via IRC channels. 
W32/Forbot-ER spreads to unpatched computers affected by the LSASS security 
exploit (MS04-011). 
When run the worm moves itself to the Windows System folder as instantmsgrs.exe 
and creates the following registry entries so as to run itself on computer 
logon: 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
mousedrive.exe
instantmsgrs.exe 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
mousedrive.exe
instantmsgrs.exe 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
mousedrive.exe
instantmsgrs.exe 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
mousedrive.exe
instantmsgrs.exe 
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
mousedrive.exe
instantmsgrs.exe 
Once installed, W32/Forbot-ER will attempt to setup an HTTP and a SOCKS4 proxy 
server, delete connections to network shares, participate in denial-of-service 
(DoS) attacks, harvest email addresses and steal CD keys when instructed to do 
so by a remote attacker. 

This IDE file also includes detection for:

Troj/Prutec-B
http://www.sophos.com/virusinfo/analyses/trojprutecb.html
Troj/Prutec-C
http://www.sophos.com/virusinfo/analyses/trojprutecc.html
Troj/Agent-CJ
http://www.sophos.com/virusinfo/analyses/trojagentcj.html
W32/Aimdes-A
http://www.sophos.com/virusinfo/analyses/w32aimdesa.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/forboter.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] W32/Forbot-ER

1. Home
2. virusinfo
3. Archive
4. 03-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---