W32/Forbot-F is a network worm with backdoor functionality.
In order to run automatically when Windows starts up, the worm copies
itself to the Windows system folder and creates the following registry
entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB2 Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2 Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32 USB2 Driver
W32/Forbot-F also creates its own service named "Microsoft Config", with
display name "Win32 USB2 Driver".
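A host-triage script for the persistence artifacts listed above. This is an added example, not code from the original write-up or from Sophos: it parses a .reg export of the CurrentVersion key (as produced by "reg export") together with a list of (name, display name) service pairs, and reports any autorun value or service whose name matches the ones given above. The sample export and service list below are constructed, and the dropped file name in them is a placeholder, since the write-up does not name the file. RunServices is only honoured by Windows 9x/ME, while the service entry applies to NT-based Windows, so a real host normally shows one or the other; the check reports whichever is present.

```python
import re

# Indicators taken from the write-up above. .reg exports spell the hive as
# HKEY_LOCAL_MACHINE rather than HKLM; registry names are case-insensitive.
AUTORUN_VALUE = "Win32 USB2 Driver"
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}
_AUTORUN_KEYS_LOWER = {k.lower() for k in AUTORUN_KEYS}
SERVICE_NAME = "Microsoft Config"
SERVICE_DISPLAY = "Win32 USB2 Driver"

# Constructed sample input: a .reg export of the CurrentVersion key from an
# infected host. "placeholder.exe" stands in for the dropped file, whose name
# the write-up does not give; "Benign Updater" is a made-up legitimate entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Benign Updater"="C:\\Program Files\\Example\\updater.exe"
"Win32 USB2 Driver"="C:\\WINDOWS\\system32\\placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Win32 USB2 Driver"="C:\\WINDOWS\\system32\\placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Win32 USB2 Driver"="C:\\WINDOWS\\system32\\placeholder.exe"
'''

# Constructed sample: (service name, display name) pairs as collected with
# "sc query" or Win32_Service on the same host.
SAMPLE_SERVICES = [
    ("Dhcp", "DHCP Client"),
    ("Microsoft Config", "Win32 USB2 Driver"),
]

# "name"="data" with .reg escaping (backslash escapes backslash and quote).
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: string_data}}.

    Only named REG_SZ values ("name"="data") are kept; the default value (@=)
    and hex/dword data are ignored, which is enough for the Run* keys.
    When reading a real export from disk, open it with encoding="utf-16".
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            result[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return result


def find_autorun_indicators(reg):
    """Return (key, value_name, data) for every Run/RunOnce/RunServices value
    whose name matches the worm's autorun value name."""
    hits = []
    for key, values in reg.items():
        if key.lower() not in _AUTORUN_KEYS_LOWER:
            continue
        for name, data in values.items():
            if name.lower() == AUTORUN_VALUE.lower():
                hits.append((key, name, data))
    return hits


def find_service_indicators(services):
    """Return (name, display_name) pairs matching the worm's service on
    either the internal service name or the display name."""
    return [(n, d) for n, d in services
            if n.lower() == SERVICE_NAME.lower()
            or d.lower() == SERVICE_DISPLAY.lower()]


def triage(reg_text, services):
    """Run both checks and return a report dict; empty lists mean no match."""
    reg = parse_reg_export(reg_text)
    return {"autorun": find_autorun_indicators(reg),
            "services": find_service_indicators(services)}


if __name__ == "__main__":
    report = triage(SAMPLE_REG, SAMPLE_SERVICES)
    for key, name, data in report["autorun"]:
        print(f"autorun hit: {key}\\{name} -> {data}")
    for name, display in report["services"]:
        print(f"service hit: {name} ({display})")
```

Matching is done on the value and service names only, because those are the artifacts the write-up fixes; the path the value points at varies with the dropped file name, so it is reported but not used as a condition.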
In order to avoid detection, the worm attempts to terminate several
security-related processes.
Once installed, W32/Forbot-F connects to a preconfigured IRC server and joins
a channel from which an attacker can issue further commands. These
commands can cause the infected machine to perform any of the following actions:
flood a remote host (by either ping or HTTP)
start a SOCKS4 proxy server
start an HTTP server
start an FTP server
portscan randomly-chosen IP addresses
execute arbitrary commands
upload/download files
The worm can spread to unpatched machines affected by the LSASS
vulnerability (see MS04-011) and to machines already infected by any of the
Troj/Optix family of backdoor Trojans.