W32/Forbot-FI is a network worm with backdoor Trojan functionality for the Windows platform.
Once installed, W32/Forbot-FI connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected computer to perform any of the following actions:
flood a remote host (by either ping or HTTP)
start a SOCKS4 proxy server
start an HTTP server
start an FTP server
portscan randomly-chosen IP addresses
execute arbitrary commands
steal information such as passwords and product keys
upload/download files
The worm can spread to unpatched computers affected by the LSASS vulnerability (see MS04-011) and through backdoors left open by the Troj/Optix Trojans.
When first run, W32/Forbot-FI copies itself to the Windows system folder as winlogons.exe and sets the following registry entries in order to run each time a user logs on:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update 32 = "winlogons.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Update 32 = "winlogons.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Windows Update 32 = "winlogons.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update 32 = "winlogons.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Update 32 = "winlogons.exe"
W32/Forbot-FI also creates its own service named "Win32", with the display name "Windows Update 32".
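As an added defender-side check (not code from the original description), the following PowerShell script inspects the five autorun keys, the "Win32" service and the dropped file named above for the persistence artefacts this worm leaves behind. It assumes it runs with administrative rights and that the Windows system folder is %SystemRoot%\System32.

```powershell
# Added detection check, not part of the original advisory. Looks for the
# persistence artefacts the description attributes to W32/Forbot-FI:
# the "Windows Update 32" value running winlogons.exe in the autorun keys,
# the "Win32" service, and the dropped file. Assumes administrative rights
# and that the Windows system folder is %SystemRoot%\System32.

$ValueName   = 'Windows Update 32'
$ImageName   = 'winlogons.exe'
$ServiceName = 'Win32'

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$Findings = [System.Collections.Generic.List[object]]::new()

foreach ($Key in $RunKeys) {
    if (-not (Test-Path -Path $Key)) { continue }   # RunServices is absent on NT-based Windows
    # Drop the PSPath/PSParentPath/... properties PowerShell adds to the object.
    $Props = (Get-ItemProperty -Path $Key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }
    foreach ($P in $Props) {
        $Data = [string]$P.Value
        # Flag the known value name, and any value that launches the dropped file
        # under a different name.
        if ($P.Name -eq $ValueName -or $Data -match [regex]::Escape($ImageName)) {
            $Findings.Add([pscustomobject]@{ Where = $Key; Name = $P.Name; Data = $Data })
        }
    }
}

# Service "Win32" with display name "Windows Update 32": check both names.
$Svcs = @(Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) +
        @(Get-Service -DisplayName $ValueName -ErrorAction SilentlyContinue)
foreach ($S in ($Svcs | Sort-Object -Property Name -Unique)) {
    $Findings.Add([pscustomobject]@{ Where = 'Service'; Name = $S.Name; Data = $S.DisplayName })
}

# Dropped copy in the system folder (assumed to be System32).
$Dropped = Join-Path -Path $env:SystemRoot -ChildPath "System32\$ImageName"
if (Test-Path -Path $Dropped -PathType Leaf) {
    $Findings.Add([pscustomobject]@{ Where = 'File'; Name = $ImageName; Data = $Dropped })
}

if ($Findings.Count -eq 0) { Write-Output 'No W32/Forbot-FI persistence indicators found.' }
else { $Findings | Format-Table -AutoSize }
```

A hit on the value name alone is not proof of infection; confirm the referenced file with your antivirus scanner before removing the entries.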