W32/Forbot-AO is an IRC backdoor Trojan and network worm.
W32/Forbot-AO is capable of spreading to other computers via network shares and by using various exploits, including the LSASS vulnerability (see Microsoft Security bulletin MS04-011).
When first run W32/Forbot-AO moves itself to the Windows system folder as svhost.exe and creates the following registry entries to run svhost.exe on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\
Run = svhost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\
Run = svhost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\
Run = svhost.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\
Run = svhost.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\\\OFTWARE\\Microsoft\\Windows\\CurrentVersion\\
Run = svhost.exe
and the new service will have a display name of:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\
Run
Each time W32/Forbot-AO is run it attempts to connect to a remote IRC server and join a specific channel. The Trojan then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.