W32/Forbot-CY is a network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels.
Once installed, W32/Forbot-CY will attempt to set up an HTTP proxy server, delete connections to network shares, participate in denial-of-service (DoS) attacks and steal CD keys when instructed to do so by a remote attacker.
W32/Forbot-CY can spread to unpatched machines affected by the LSASS vulnerability (MS04-011).
When run, W32/Forbot-CY moves itself to the Windows System folder as NAVSSE.exe and creates the following registry entries (value name = value data) so that it runs at computer logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  bootsec = NAVSSE.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  bootsec = NAVSSE.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  bootsec = NAVSSE.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  bootsec = NAVSSE.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  bootsec = NAVSSE.exe
In Windows NT-based operating systems, W32/Forbot-CY creates its own service named "69.93.150.155" with the display name "bootsec" and creates the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\69.93.150.155
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_69.93.150.155
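The persistence indicators above (dropped file, the five "bootsec" autorun values, the service and its legacy Enum entry) can be checked on a host with a read-only triage script. This is an added example written for this page, not code from the advisory; it assumes the Windows System folder is %SystemRoot%\System32 on NT-based systems (and %SystemRoot%\System on older versions), and it only sees the HKCU hive of the user running it.

```powershell
# Added example: read-only triage for the W32/Forbot-CY persistence indicators
# described in this advisory. Reports findings; removes nothing.
$valueName = 'bootsec'
$fileName  = 'NAVSSE.exe'
$svcName   = '69.93.150.155'

$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# 1. Dropped copy in the Windows System folder (System32 on NT-based systems,
#    System on older versions; both are checked).
foreach ($dir in @('System32', 'System')) {
    $dropPath = Join-Path $env:SystemRoot (Join-Path $dir $fileName)
    if (Test-Path -LiteralPath $dropPath) { $findings += "File present: $dropPath" }
}

# 2. Autorun value named 'bootsec' in any of the five keys listed above.
#    HKCU: only covers the hive of the user running this script.
foreach ($key in $autorunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$valueName]) {
        $findings += "Autorun value: $key\$valueName = $($props.$valueName)"
    }
}

# 3. Service registered under the IP-address-like name, plus its legacy Enum\Root
#    entry. Reading Enum\Root may require elevation, hence SilentlyContinue.
$svcKeys = @(
    "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName",
    "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$svcName"
)
foreach ($key in $svcKeys) {
    if (Test-Path -LiteralPath $key -ErrorAction SilentlyContinue) {
        $findings += "Registry key present: $key"
    }
}
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service installed: $($svc.Name) (display name '$($svc.DisplayName)')" }

if ($findings.Count -eq 0) { Write-Output 'No W32/Forbot-CY persistence indicators found.' }
else { $findings | ForEach-Object { Write-Output $_ } }
```

Run it in an elevated session to cover the HKLM Services and Enum\Root keys; a hit on the RunServices key or the legacy Enum entry alone is a strong indicator, since neither is touched by ordinary software on NT-based systems.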