W32/Forbot-AM is a worm which attempts to spread to remote network shares.
W32/Forbot-AM also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Forbot-AM copies itself to the Windows system folder and creates registry entries at the following locations in order to run on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Secure = Messenger.NET Service
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Secure = Messenger.NET ServicE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Secure = Messenger.NET Service
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Secure = Messenger.NET Service
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Secure = Messenger.NET Service
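A check for the startup entries listed above, as an added example that is not part of the original description: it scans the text of a `reg export` dump for the "Microsoft Secure" value under the five autostart keys. The function names and the sample export are constructed for illustration, and the code assumes the export has already been decoded to text (real exports are UTF-16).

```python
import re

# Autostart keys and the value name/data the page lists for W32/Forbot-AM.
RUN = r"software\microsoft\windows\currentversion"
RUN_KEYS = {f"{h}\\{RUN}\\{k}" for h, k in [
    ("hklm", "run"), ("hklm", "runonce"), ("hklm", "runservices"),
    ("hkcu", "run"), ("hkcu", "runonce")]}
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
VALUE_NAME, VALUE_DATA = "microsoft secure", "messenger.net service"

SECTION = re.compile(r"^\[([^\\\]]+)\\([^\]]+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg text escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def find_forbot_entries(reg_text):
    """Return (key, name, data) for autostart values matching the page's indicators."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            key = f"{HIVES.get(m[1].upper(), m[1])}\\{m[2]}"
            continue
        m = STRING_VALUE.match(line)
        if not m or key is None or key.lower() not in RUN_KEYS:
            continue
        name, data = unescape(m[1]), unescape(m[2])
        # Compared case-insensitively, so the "ServicE" spelling the page
        # lists under HKLM RunOnce is caught as well.
        if name.lower() == VALUE_NAME and data.lower() == VALUE_DATA:
            hits.append((key, name, data))
    return hits

# Constructed sample in `reg export` text form (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Secure"="Messenger.NET Service"
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"microsoft secure"="Messenger.NET ServicE"

[HKEY_CURRENT_USER\Software\Example]
"Microsoft Secure"="Messenger.NET Service"
'''
```

Calling find_forbot_entries(SAMPLE) reports the two autostart entries and ignores both the unrelated "Updater" value and the same value name under a key that is not an autostart location.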
W32/Forbot-AM steals game registration details, Instant Messenger login details and system information from the registry, and takes email addresses from the Windows Address Book.
W32/Forbot-AM also deletes network shares.
W32/Forbot-AM attempts to spread to network machines vulnerable to various exploits.