W32/Forbot-BR is a network worm and IRC backdoor Trojan for the Windows platform.
When first run, W32/Forbot-BR copies itself to the Windows system folder with the filename windows.exe.
In order to run on system start, the worm creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
NDIS Adapter = windows.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
NDIS Adapter = windows.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
NDIS Adapter = windows.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
NDIS Adapter = windows.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
NDIS Adapter = windows.exe
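
As an added example (not part of the original description), this read-only PowerShell check looks for the autostart value and the dropped filename listed above. The folder list, variable names and report layout are assumptions made for the example.

```powershell
# Added example: read-only check for the W32/Forbot-BR indicators described above.
# Variable names, folder list and report layout are choices made for this example.
$valueName = 'NDIS Adapter'
$payload   = 'windows.exe'
$runKeys   = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Registry: report the value wherever it exists and flag whether it points at the payload.
$regHits = @(foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # e.g. RunServices is often absent
    $regKey = Get-Item -LiteralPath $key
    if ($regKey.GetValueNames() -notcontains $valueName) { continue }
    $data = [string]$regKey.GetValue($valueName)
    [pscustomobject]@{
        Indicator = 'Autostart value'
        Location  = "$key\$valueName"
        Detail    = $data
        Match     = ($data -like "*$payload*")
    }
})

# File: a name match only. Assumption: the "system folder" is one of these directories.
$fileHits = @(foreach ($dir in 'System32', 'SysWOW64', 'System') {
    $path = Join-Path (Join-Path $env:SystemRoot $dir) $payload
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
    $file = Get-Item -LiteralPath $path -Force
    [pscustomobject]@{
        Indicator = 'Dropped file (name only)'
        Location  = $path
        Detail    = '{0} bytes, created {1:u}' -f $file.Length, $file.CreationTimeUtc
        Match     = $true
    }
})

$all = $regHits + $fileHits
if ($all.Count -eq 0) {
    'No indicators from this description were found.'
} else {
    $all | Format-Table -AutoSize -Wrap
}
```

The HKCU checks cover only the account running the script, so other user profiles need to be checked separately. A hit on the filename alone is a lead to investigate, not confirmation of infection.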
The backdoor component connects to an IRC channel and awaits commands from a remote user. The Trojan can then be instructed to:
take part in DDoS attacks
steal product registration information
scan other machines for vulnerabilities
harvest information from files on the hard disk
act as a server (FTP, HTTP, SOCKS4)