W32/Forbot-DA is a worm which attempts to spread to remote network shares and computers vulnerable to common exploits. W32/Forbot-DA also contains backdoor functionality, allowing unauthorised remote access to the infected computer via the IRC network, while running in the background as a service process.
W32/Forbot-DA connects to a preconfigured IRC channel and awaits commands from a remote intruder. These include commands to:
steal information
delete network shares
reduce system security
start a proxy server
participate in DDoS attacks
exploit vulnerabilities
steal registration keys for computer games
harvest email addresses from the Windows address book and Instant Messenger configuration files
W32/Forbot-DA is a worm which attempts to spread to remote network shares and computers vulnerable to common exploits.
W32/Forbot-DA copies itself to the Windows system folder and creates the following registry entries to run itself automatically on log-on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HP Deskjet 500
HP_DeskJet_500.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HP Deskjet 500
HP_DeskJet_500.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HP Deskjet 500
HP_DeskJet_500.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HP Deskjet 500
HP_DeskJet_500.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HP Deskjet 500
HP_DeskJet_500.exe
On NT based versions of Windows HP_DeskJet_500.exe is run as a new service named Level.Kicks-Ass.Org with a display name of "HP Deskjet 500"
New registry entries are created under
HKLM\SYSTEM\CurrentControlSet\Services\Level.Kicks-Ass.Org\