W32/Forbot-FP is a worm and IRC backdoor Trojan for the Windows platform.
W32/Forbot-FP spreads to other computers on the network that are already infected with Troj/Optix, and by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011) and ASN.1 (MS04-007).
W32/Forbot-FP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Forbot-FP includes functionality to:
- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software
When first run W32/Forbot-FP copies itself to <System>\WinV.exe.
The following registry entries are created to run WinV.exe on startup; in each key the value name is "Windows Update 64" and the value data is "WinV.exe":
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
The file WinV.exe is registered as a new file system driver service named "Win32", with a display name of "Windows Update 64". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Win32\
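A read-only check for the persistence artifacts described above, written as an added example (not part of this advisory); it assumes the value name, file name and service name exactly as given here and is run from an elevated PowerShell prompt:

```powershell
# Added example: look for the W32/Forbot-FP persistence artifacts described in
# the advisory (autostart values, dropped file, "Win32" service). Read-only.
$valueName   = 'Windows Update 64'   # value name / service display name from the advisory
$fileName    = 'WinV.exe'            # dropped file name from the advisory
$serviceName = 'Win32'               # service name from the advisory

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

$findings = @()

# 1. Autostart values: "Windows Update 64" = "WinV.exe" under each listed key.
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $data = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$valueName
        if ($data -and $data -like "*$fileName*") {
            $findings += "Autostart value '$valueName' = '$data' under $key"
        }
    }
}

# 2. Dropped copy in the System directory (<System>\WinV.exe).
$dropped = Join-Path ([Environment]::SystemDirectory) $fileName
if (Test-Path $dropped) {
    $findings += "File present: $dropped"
}

# 3. Service "Win32" with display name "Windows Update 64".
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    if ($svc.DisplayName -eq $valueName -or $svc.ImagePath -like "*$fileName*") {
        $findings += "Service '$serviceName' registered (DisplayName='$($svc.DisplayName)', ImagePath='$($svc.ImagePath)')"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Forbot-FP persistence artifacts found.'
} else {
    Write-Output 'Possible W32/Forbot-FP persistence artifacts:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Any hit should be confirmed with an up-to-date scanner before remediation, since the value and file names are also plausible for legitimate software.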
The following patches for the operating system vulnerabilities exploited by W32/Forbot-FP can be obtained from the Microsoft website:
MS04-011
MS04-007