W32/Forbot-EF is a worm which attempts to spread to remote network shares and computers vulnerable to common exploits. W32/Forbot-EF also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via the IRC network, while running in the background as a service process.
W32/Forbot-EF connects to a preconfigured IRC channel and awaits commands from a remote intruder. These include commands to steal information, delete network shares, reduce system security, start a proxy server, participate in DDoS attacks, exploit vulnerabilities, steal registration keys for computer games and harvest email addresses
from the Windows address book and Instant Messenger configuration files.
W32/Forbot-EF copies itself to the Windows system folder and creates the following registry entries to run itself automatically on log-on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
AVSTRT =
navpsrvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
AVSTRT =
navpsrvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
AVSTRT =
navpsrvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
AVSTRT =
navpsrvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
AVSTRT =
navpsrvc.exe
On NT based versions of Windows navpsrvc.exe is run as a new service named "GambitPadSvc" with a display name of "AVSTRT".
New registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\GambitPadSvc\