W32/Forbot-FX

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Forbot-FX is a network worm with backdoor Trojan functionality for the Windows platform.

When first run, W32/Forbot-FX copies itself to the Windows system folder as sys32.exe and sets the following registry entries in order to run each time a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    System Net = "sys32.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    System Net = "sys32.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    System Net = "sys32.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    System Net = "sys32.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    System Net = "sys32.exe"

W32/Forbot-FX also creates its own service named "Win32", with the display name "System Net".
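The persistence artefacts listed above (the "System Net" autostart values, the sys32.exe file in the system folder, and the "Win32" service) can be audited with a short read-only PowerShell script. This is an added example for incident responders, not Sophos tooling and not part of the original description; the variable names and the layout of the report object are my own choices, and the script only reports what it finds without removing anything.

```powershell
# Added example (not from the original page): audit a Windows host for the
# persistence artefacts attributed to W32/Forbot-FX. Run from an elevated
# PowerShell session. Read-only: it reports, it does not clean.

$valueName = 'System Net'   # autostart value name used by the worm
$fileName  = 'sys32.exe'    # file name dropped into the system folder

# Autostart keys the description lists (RunServices only exists on Win9x/ME,
# so Test-Path skips it on NT-family systems).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# 1. Registry autostart values named "System Net"
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $item -and ($item.PSObject.Properties.Name -contains $valueName)) {
        $findings += [pscustomobject]@{
            Type   = 'RegistryRun'
            Where  = "$key\$valueName"
            Detail = $item.$valueName
        }
    }
}

# 2. The dropped executable in the Windows system folder (e.g. C:\Windows\System32)
$sysPath = Join-Path ([Environment]::SystemDirectory) $fileName
if (Test-Path $sysPath) {
    $hash = (Get-FileHash -Path $sysPath -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Type   = 'File'
        Where  = $sysPath
        Detail = "SHA256=$hash"   # record the hash before any cleanup for later correlation
    }
}

# 3. A service named "Win32" or with the display name "System Net"
$services = Get-CimInstance -ClassName Win32_Service `
    -Filter "Name='Win32' OR DisplayName='System Net'" -ErrorAction SilentlyContinue
foreach ($svc in $services) {
    $findings += [pscustomobject]@{
        Type   = 'Service'
        Where  = $svc.Name
        Detail = "DisplayName=$($svc.DisplayName); State=$($svc.State); Path=$($svc.PathName)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Forbot-FX persistence artefacts found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Note that the HKCU checks only cover the hive of the user running the script; on a shared machine, other users' hives under HKEY_USERS (or their offline NTUSER.DAT files) need to be examined separately. A match on the value name alone is a strong indicator but not proof, so compare the recorded file hash against your antivirus vendor's detection before acting on it.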

Once installed, W32/Forbot-FX connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected machine to perform any of the following actions:

flood a remote host (by either ping or HTTP)
start a SOCKS4 proxy server
start an HTTP server
start an FTP server
portscan randomly-chosen IP addresses
execute arbitrary commands
steal information such as passwords and product keys
upload/download files
open remote shell access

The worm can spread to network shares protected by weak passwords, to unpatched machines affected by the LSASS vulnerability (see MS04-011) and through backdoors left open by the Troj/Optix Trojans.
