W32/Forbot-GN

Category: Viruses and Spyware
Type: Win32 worm
Protection available since: 18 Dec 2006 00:00:00 (GMT)
Last Updated: 18 Dec 2006 00:00:00 (GMT)
Prevalence: Small Number of Reports


W32/Forbot-GN is a network and mass-mailing email worm with backdoor functionality for the Windows platform.

W32/Forbot-GN spreads to other computers on the network by exploiting well-known buffer overflow vulnerabilities, including the LSASS vulnerability (MS04-011) and the ASN.1 library vulnerability (MS04-007). Hosts patched against both are not reachable by this vector; the worm can still arrive by email.

Once installed, W32/Forbot-GN connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected computer to perform any of the following actions:

flood a remote host (by either ping or HTTP)
start a SOCKS4 proxy server
start an HTTP server
start an FTP server
portscan randomly-chosen IP addresses
execute arbitrary commands
steal information such as passwords and product keys
upload/download files
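The IRC command channel described above is the most useful network-side handle on this family: the bot registers with its server like any ordinary IRC client (an optional PASS, then NICK and USER, then JOIN), so the registration can be recognised from the first client-to-server bytes of a TCP connection regardless of the port the bot herder chose. The following is an added example, not code from the original page or from Sophos; it generalises to any IRC-based bot, and the sample stream, nick, channel and key are constructed for illustration, since the page does not list the real server or channel.

```python
"""Recognise an IRC client registration at the start of a TCP payload.

Forbot-style bots speak plain RFC 1459 IRC to their C2, so looking for the
registration exchange in payload (not on port 6667) catches them wherever
the server listens.
"""
import re
from typing import Optional

# Constructed sample of a bot's first client->server bytes. The nick, user
# fields, channel name and key are made up and are not from the page.
SAMPLE_BOT_STREAM = (
    b"PASS letmein\r\n"
    b"NICK bot-0001\r\n"
    b"USER bot 0 * :bot\r\n"
    b"JOIN #control key123\r\n"
    b"PRIVMSG #control :hello\r\n"
)
# Constructed non-IRC streams, to show ordinary HTTP and SMTP do not match.
SAMPLE_HTTP_STREAM = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_SMTP_STREAM = b"EHLO mail.example.com\r\nMAIL FROM:<a@example.com>\r\n"

# One IRC client line: an upper-case command, optionally followed by params.
_LINE = re.compile(rb"^([A-Z]+)(?: (.*))?$")


def _lines(payload: bytes, limit: int = 16) -> list:
    """Split the first `limit` CRLF-terminated lines into (COMMAND, params)."""
    out = []
    for raw in payload.split(b"\r\n")[:limit]:
        m = _LINE.match(raw)
        if m:
            out.append((m.group(1), m.group(2) or b""))
    return out


def irc_client_registration(payload: bytes) -> Optional[dict]:
    """Return nick/user/channels/has_pass if `payload` opens with an IRC client
    registration, else None.

    Both NICK and USER must appear (in either order) within the first four
    lines, and only PASS/NICK/USER may precede them. That strictness keeps
    other short-verb protocols such as SMTP from matching.
    """
    lines = _lines(payload)
    reg = {}
    for cmd, params in lines[:4]:
        if cmd not in (b"PASS", b"NICK", b"USER"):
            break
        reg[cmd] = params
        if b"NICK" in reg and b"USER" in reg:
            break
    if b"NICK" not in reg or b"USER" not in reg:
        return None

    channels = []
    for cmd, params in lines:
        if cmd == b"JOIN" and params:
            # JOIN <chan>{,<chan>} [<key>{,<key>}]: take the channel list only.
            for chan in params.split(b" ", 1)[0].split(b","):
                if chan.startswith((b"#", b"&")):
                    channels.append(chan.decode(errors="replace"))

    return {
        "nick": reg[b"NICK"].decode(errors="replace"),
        "user": reg[b"USER"].split(b" ", 1)[0].decode(errors="replace"),
        "channels": channels,
        "has_pass": b"PASS" in reg,
    }


if __name__ == "__main__":
    for name, stream in (("bot", SAMPLE_BOT_STREAM),
                         ("http", SAMPLE_HTTP_STREAM),
                         ("smtp", SAMPLE_SMTP_STREAM)):
        print(name, irc_client_registration(stream))
```

Feed it the first client-side segment of each new outbound TCP flow (for example from a full-packet capture); a hit from a workstation that should not be running an IRC client, especially to a non-standard port, is the behaviour this page describes.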

W32/Forbot-GN also spreads through email. The worm harvests email addresses from files on the infected computer and from the Windows Address Book. Emails sent by W32/Forbot-GN have the following properties:

Subject line:

*DETECTED* Online User Violation
*WARNING* Your email account is suspended
Email Account Suspension
Important Notification
Members Support
Notice of account limitation
Security measures
Warning Message: Your services near to be closed.
We have suspended your account
You are banned!!!
Your Account is Suspended
Your Account is Suspended For Security Reasons

Message text:

"Some information about your <STRING> account is attached.

The <STRING> Support Team"

"Dear <STRING> Member,

We have temporarily suspended your email account <STRING>.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.

See the attached details to reactivate your <STRING> account.

Sincerely,The <STRING> Support Team"

"Dear <STRING> Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your membership.

Virtually yours,
The <STRING> Support Team

+++ Attachment: No Virus Found
+++ <STRING> Antivirus - www.<STRING>"

"Dear user <STRING>,

You have successfully updated the password of your <STRING> account.

If you did not authorize this change or if you need assistance with your account, please contact <STRING> customer service at: <spoofed>@<STRING>

Thank you for using <STRING>!
The <STRING> Support Team"

In the above message text templates, the <STRING> markers will be replaced by portions of the recipient's email address.

Attached file:

account-details.zip
account-info.zip
account-report.zip
accounts.zip
document.zip
email-details.zip
important-details.zip
information.zip
readme.zip
register.zip

When first run, W32/Forbot-GN copies itself to <System>\svchosts.exe (note the extra "s": the legitimate Windows host process is svchost.exe) and sets the following registry entries so that it runs each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32 Update
svchosts.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Update
svchosts.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Win32 Update
svchosts.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Update
svchosts.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Update
svchosts.exe

W32/Forbot-GN also creates its own service named "shit", with the display name "Win32 Update".
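The registry entries and service listed above are the host-side indicators a responder would check. The following is an added example, not code from the original page or from Sophos, that parses a .reg export of the relevant keys and flags the Forbot-GN persistence. It assumes the workflow of running `reg export` for each key on the suspect host and analysing the files offline (`reg export` writes UTF-16LE text, so real files should be opened with encoding="utf-16"); the sample export, including the legitimate ctfmon entry and the service's Start value, is constructed for illustration.

```python
"""Find W32/Forbot-GN persistence in a .reg export (offline analysis)."""
import re
from typing import Iterator

# Indicators from the page: the autorun value name, the dropped file name
# and the service name. The display name of the service equals VALUE_NAME.
VALUE_NAME = "Win32 Update"
FILE_NAME = "svchosts.exe"      # extra 's' vs the legitimate svchost.exe
SERVICE_NAME = "shit"

RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
_RUN_KEYS_LOWER = {k.lower() for k in RUN_KEYS}   # registry keys are case-insensitive
_SERVICES_PREFIX = SERVICES_KEY.lower() + "\\"

# Constructed .reg export from an infected host. The ctfmon entry and the
# service's Start value are made up for illustration and are not from the page.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32 Update"="svchosts.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Win32 Update"="C:\\WINDOWS\\system32\\svchosts.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\shit]
"DisplayName"="Win32 Update"
"Start"=dword:00000002
"""

_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text: str) -> Iterator[tuple]:
    """Yield (key, value_name, data). REG_SZ data is unquoted and unescaped;
    dword:/hex: data is yielded raw, with continuation lines joined."""
    key, pending = None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):          # hex value continued on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        m = _KEY.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE.match(line)
        if m and key is not None:
            name = "" if m.group("default") else _unescape(m.group("name"))
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            yield key, name, data


def _basename(cmd: str) -> str:
    """Lower-cased file name of the executable in a Run value's command line."""
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1].lower()


def find_forbot_persistence(text: str) -> list:
    """Flag autorun values and services matching the page's indicators."""
    findings, flagged_services = [], set()
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k in _RUN_KEYS_LOWER:
            # Either the value name or the launched file name is enough to flag.
            if name.lower() == VALUE_NAME.lower() or _basename(data) == FILE_NAME:
                findings.append({"kind": "autorun", "key": key, "name": name, "data": data})
        elif k.startswith(_SERVICES_PREFIX):
            svc = key[len(_SERVICES_PREFIX):].split("\\", 1)[0]
            if svc in flagged_services:
                continue
            if svc.lower() == SERVICE_NAME or (name.lower() == "displayname" and data == VALUE_NAME):
                flagged_services.add(svc)
                findings.append({"kind": "service", "key": key, "name": name, "data": data})
    return findings


if __name__ == "__main__":
    for f in find_forbot_persistence(SAMPLE_REG):
        print(f"{f['kind']}: {f['key']}\\{f['name']} = {f['data']}")
```

Matching on the file name as well as the value name matters because the value name is trivial for a variant to change, while the typosquatted svchosts.exe is what the dropped copy is called; checking the DisplayName separately catches the service even if its internal name differs.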
