W32/Forbot-FG

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Forbot-FG is a network worm with backdoor Trojan functionality for the Windows platform.

When first run, W32/Forbot-FG copies itself to the Windows system folder as winlogons.exe (note the trailing "s", which distinguishes it from the legitimate winlogon.exe) and sets the following registry entries so that it runs each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32 Drivers
"winlogons.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Drivers
"winlogons.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Win32 Drivers
"winlogons.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Drivers
"winlogons.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Drivers
"winlogons.exe"

W32/Forbot-FG also creates its own service named "shit", with the display name "Win32 Drivers" (the same string it uses as the registry value name above).
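The following script is an added triage example, not Sophos code. It checks a host for the persistence artefacts described above: the "Win32 Drivers" value pointing at winlogons.exe under the five Run-type keys, the service named "shit" with display name "Win32 Drivers", and winlogons.exe in the system folder. The matching logic takes a snapshot so it can be exercised off-box; live collection uses the standard winreg module and assumes the system folder is %SystemRoot%\system32. The sample snapshot in the block is constructed for the example.

```python
"""Host triage for the W32/Forbot-FG persistence artefacts (added example)."""
import ntpath
import os
import platform

VALUE_NAME = "Win32 Drivers"
VALUE_DATA = "winlogons.exe"
SERVICE_NAME = "shit"
SERVICE_DISPLAY = "Win32 Drivers"

# The five keys from the description, in HIVE\subkey form.
RUN_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]


def find_persistence(run_values, services, system_files):
    """Return (category, detail) findings for every indicator present.

    run_values:   {key_path: {value_name: data}} for the Run-type keys
    services:     {service_name: display_name}
    system_files: file names present in the Windows system folder
    """
    findings = []
    for key in RUN_KEYS:
        data = run_values.get(key, {}).get(VALUE_NAME)
        # Compare the file name only, so quoted or fully qualified data still matches.
        if data and ntpath.basename(data.strip('"')).lower() == VALUE_DATA:
            findings.append(("registry", f"{key}\\{VALUE_NAME} = {data}"))
    for name, display in services.items():
        if name.lower() == SERVICE_NAME or display == SERVICE_DISPLAY:
            findings.append(("service", f"{name} (display name: {display})"))
    for fname in system_files:
        # Exact match: the legitimate winlogon.exe must not trip this.
        if fname.lower() == VALUE_DATA:
            findings.append(("file", fname))
    return findings


def collect_live():
    """Gather the three inputs from a running Windows host (winreg exists only there)."""
    if platform.system() != "Windows":
        raise RuntimeError("live collection needs Windows; pass a snapshot instead")
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}

    def enum_values(hkey):
        out, i = {}, 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(hkey, i)
            except OSError:  # no more values
                return out
            out[name] = str(data)
            i += 1

    run_values = {}
    for key in RUN_KEYS:
        hive, sub = key.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], sub) as h:
                run_values[key] = enum_values(h)
        except OSError:
            pass  # RunServices is honoured only by Windows 9x/Me and is often absent
    services = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(root, name) as svc:
                    services[name] = str(winreg.QueryValueEx(svc, "DisplayName")[0])
            except OSError:
                services[name] = ""
    # Assumption: the "Windows system folder" is %SystemRoot%\system32 on NT-based Windows.
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    return run_values, services, os.listdir(system_dir)


# Constructed snapshot of an infected host, used when not running on Windows.
SAMPLE_RUN_VALUES = {RUN_KEYS[0]: {VALUE_NAME: VALUE_DATA}, RUN_KEYS[3]: {VALUE_NAME: VALUE_DATA}}
SAMPLE_SERVICES = {"shit": "Win32 Drivers", "Spooler": "Print Spooler"}
SAMPLE_FILES = ["winlogon.exe", "winlogons.exe", "lsass.exe"]

if __name__ == "__main__":
    try:
        inputs = collect_live()
    except RuntimeError:
        inputs = (SAMPLE_RUN_VALUES, SAMPLE_SERVICES, SAMPLE_FILES)
    for category, detail in find_persistence(*inputs):
        print(f"[{category}] {detail}")
```

Run it as an administrator on a suspect host; off-box, feed it registry and service exports parsed into the same dictionaries. Any finding is worth a closer look, but a lone RunOnce entry can be a remnant of an earlier cleanup, so correlate with the file and service checks before declaring the host infected.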

Once installed, W32/Forbot-FG connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected machine to perform any of the following actions:

flood a remote host (by either ping or HTTP)
start a SOCKS4 proxy server
start an HTTP server
start an FTP server
portscan randomly-chosen IP addresses
execute arbitrary commands
steal information such as passwords and product keys
upload/download files

The worm can spread to unpatched machines affected by the LSASS vulnerability (see MS04-011) and through backdoors left open by the Troj/Optix Trojans.

W32/Forbot-FG also spreads through email. The worm harvests email addresses from files on the infected computer and from the Windows address book. Email sent by W32/Forbot-FG has the following properties:

Subject line:

*DETECTED* Online User Violation
*WARNING* Your email account is suspended
Email Account Suspension
Important Notification
Members Support
Notice of account limitation
Security measures
Warning Message: Your services near to be closed.
We have suspended your account
You are banned!!!
Your Account is Suspended
Your Account is Suspended For Security Reasons

Message text:

Some information about your [STRING] account is attached.

The [STRING] Support Team

Dear [STRING] Member,

We have temporarily suspended your email account [STRING].
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.

See the attached details to reactivate your [STRING] account.

Sincerely,The [STRING] Support Team

Dear [STRING] Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your membership.

Virtually yours,
The [STRING] Support Team

+++ Attachment: No Virus Found
+++ [STRING] Antivirus - www.[STRING]

Dear user [STRING],

You have successfully updated the password of your [STRING] account.

If you did not authorize this change or if you need assistance with your account, please contact [STRING] customer service at: <faked>@[STRING]

Thank you for using [STRING]!
The [STRING] Support Team

In the above message text templates, the [STRING] markers will be replaced by portions of the recipient's email address.

Attached file:

account-details.zip
account-info.zip
account-report.zip
accounts.zip
document.zip
email-details.zip
important-details.zip
information.zip
readme.zip
register.zip
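As an added example (not Sophos code), the following mail-gateway check scores a message against the lure characteristics listed above: the fixed subject lines, the attachment names, and loosely matched fragments of the body templates (the [STRING] portions are recipient-derived, so they are matched as a single token). It requires two independent indicators before flagging, so a legitimate "Important Notification" on its own is not blocked. The sample message it builds is constructed for the example.

```python
"""Gateway check for the W32/Forbot-FG email lure (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage

SUBJECTS = {s.lower() for s in [
    "*DETECTED* Online User Violation",
    "*WARNING* Your email account is suspended",
    "Email Account Suspension",
    "Important Notification",
    "Members Support",
    "Notice of account limitation",
    "Security measures",
    "Warning Message: Your services near to be closed.",
    "We have suspended your account",
    "You are banned!!!",
    "Your Account is Suspended",
    "Your Account is Suspended For Security Reasons",
]}
ATTACHMENTS = {
    "account-details.zip", "account-info.zip", "account-report.zip", "accounts.zip",
    "document.zip", "email-details.zip", "important-details.zip", "information.zip",
    "readme.zip", "register.zip",
}
# Fragments of the body templates; \S+ stands in for the [STRING] substitution.
BODY_PATTERNS = [
    re.compile(r"some information about your \S+ account is attached", re.I),
    re.compile(r"we have temporarily suspended your email account", re.I),
    re.compile(r"unsolicited spam messages during the recent week", re.I),
    re.compile(r"successfully updated the password of your \S+ account", re.I),
    re.compile(r"the \S+ support team", re.I),
]


def score_message(msg: EmailMessage) -> dict:
    """Collect which of the three indicator classes a parsed message matches."""
    hits = {"subject": False, "attachment": None, "body": []}
    subject = (msg.get("Subject") or "").strip().lower()
    hits["subject"] = subject in SUBJECTS
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits["attachment"] = name
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hits["body"] = [p.pattern for p in BODY_PATTERNS if p.search(text)]
    return hits


def classify(raw: bytes) -> dict:
    """Parse raw RFC 5322 bytes and add a verdict: two or more indicator classes."""
    hits = score_message(email.message_from_bytes(raw, policy=policy.default))
    indicators = [hits["subject"], hits["attachment"] is not None, bool(hits["body"])]
    hits["verdict"] = sum(indicators) >= 2
    return hits


def build_sample(recipient: str = "alice@example.net") -> bytes:
    """Constructed lure following the second template above, with [STRING] filled in."""
    domain = recipient.split("@", 1)[1]
    msg = EmailMessage()
    msg["From"] = f"support@{domain}"
    msg["To"] = recipient
    msg["Subject"] = "Your Account is Suspended"
    msg.set_content(
        f"Dear {domain} Member,\n\n"
        f"We have temporarily suspended your email account {recipient}.\n"
        f"See the attached details to reactivate your {domain} account.\n\n"
        f"Sincerely,The {domain} Support Team\n"
    )
    # A zip header is enough for the filename check; no real archive is needed.
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                       filename="account-details.zip")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed legitimate message sharing one subject line with the lure."""
    msg = EmailMessage()
    msg["Subject"] = "Important Notification"
    msg.set_content("Quarterly meeting moved to Tuesday.\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample(), build_benign_sample()):
        print(classify(raw))
```

The two-indicator threshold is the design choice to watch: dropping to one will quarantine ordinary account mail that happens to use "Security measures" or "Members Support" as a subject, while the attachment names alone are generic enough to appear in legitimate traffic. Tune the body fragments rather than the threshold if you need more recall.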
