W32/Forbot-DM is a network worm with backdoor Trojan functionality.
W32/Forbot-DM spreads to computers by exploiting the LSASS (MS04-011) vulnerability.
W32/Forbot-DM will attempt to disable anti-virus and security related processes.
When first run, W32/Forbot-DM copies itself to the Windows System folder as CIPSN.EXE. In order to run automatically each time a user logs on, W32/Forbot-DM sets the following registry entries. In each case the value name is the literal string "Software\Microsoft\Windows\CurrentVersion\Runprocess" (it is not a subkey path) and the value data is cipsn.exe:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Value: Software\Microsoft\Windows\CurrentVersion\Runprocess
  Data:  cipsn.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Value: Software\Microsoft\Windows\CurrentVersion\Runprocess
  Data:  cipsn.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  Value: Software\Microsoft\Windows\CurrentVersion\Runprocess
  Data:  cipsn.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Value: Software\Microsoft\Windows\CurrentVersion\Runprocess
  Data:  cipsn.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Value: Software\Microsoft\Windows\CurrentVersion\Runprocess
  Data:  cipsn.exe
On NT-based versions of Windows, W32/Forbot-DM also installs itself as a service named cipsn.exe. The service has the display name "Software\Microsoft\Windows\CurrentVersion\Runprocess", the same string used as the value name of the autostart entries above. The service's registry entries are created under the following registry branch:
HKLM\SYSTEM\CurrentControlSet\Services\cipsn.exe
The worm runs continuously in the background providing backdoor access to the infected computer through IRC channels.
W32/Forbot-DM may alter the following registry value in order to enable or disable DCOM:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
EnableDCOM is a string value that Windows sets to "Y" by default; a value of "N" disables DCOM on the host, so a changed value on a machine that has not been deliberately hardened is worth checking alongside the other indicators.
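The following triage script is an added example, not code from Sophos or from this description. It checks a suspect host for the indicators listed above: the five autostart values, the cipsn.exe service, the dropped file in the System folder, a running cipsn process, and the EnableDCOM value. It assumes an NT-based Windows host with PowerShell, that it is run from an elevated prompt (HKLM and service queries need it), and that the System folder is %SystemRoot%\System32 (it also looks in %SystemRoot%\System for older layouts). Treating "N" in EnableDCOM as suspicious is a heuristic chosen for this example; an administrator may have set it deliberately.

```powershell
# Added triage example for the W32/Forbot-DM indicators on this page (not Sophos code).
# Assumes: elevated PowerShell on NT-based Windows. Reports findings; does not clean.

$ValueName = 'Software\Microsoft\Windows\CurrentVersion\Runprocess'   # literal value name used by the worm
$Payload   = 'cipsn.exe'
$findings  = @()

# 1. Autostart values. The .NET API is used so the backslashes in the value name
#    are taken literally rather than interpreted as a key path.
$runKeys = @(
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $data = [Microsoft.Win32.Registry]::GetValue($key, $ValueName, $null)
    if ($null -ne $data) {
        $findings += "[persistence] $key : '$ValueName' = $data"
    }
}

# 2. Service installed on NT-based Windows (name cipsn.exe, odd display name).
$svcKey = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cipsn.exe'
$imagePath = [Microsoft.Win32.Registry]::GetValue($svcKey, 'ImagePath', $null)
if ($null -ne $imagePath) {
    $findings += "[service] $svcKey ImagePath = $imagePath"
}
$svc = Get-Service -Name $Payload -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "[service] running service '$($svc.Name)' display name '$($svc.DisplayName)' status $($svc.Status)"
}

# 3. Dropped file in the System folder; hash it for submission/correlation.
foreach ($dir in @('System32', 'System')) {
    $path = Join-Path (Join-Path $env:SystemRoot $dir) $Payload
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += "[file] $path SHA256=$hash"
    }
}

# 4. Live process (name without extension for Get-Process).
$proc = Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($Payload)) -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "[process] cipsn running, PID(s): $($proc.Id -join ', ')"
}

# 5. DCOM switch. Windows default is "Y"; the worm may set it to "N" (or back to "Y").
$dcom = [Microsoft.Win32.Registry]::GetValue('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole', 'EnableDCOM', $null)
if ($dcom -eq 'N') {
    $findings += "[dcom] EnableDCOM = N (DCOM disabled; confirm this was not set by an administrator)"
} else {
    Write-Verbose "EnableDCOM = $dcom"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Forbot-DM indicators found.'
    exit 0
}
Write-Output "W32/Forbot-DM indicators found on $env:COMPUTERNAME:"
$findings | ForEach-Object { Write-Output "  $_" }
exit 1
```

Run it with `powershell -ExecutionPolicy Bypass -File .\check-forbot-dm.ps1 -Verbose` from an elevated prompt; a non-zero exit code means at least one indicator matched. Because the worm spreads over the network by exploiting the LSASS vulnerability (MS04-011), a positive result on one host is a reason to run the same check across the subnet and to confirm that the MS04-011 update is installed, rather than to clean the single machine in isolation.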