W32/Forbot-DV is a member of the Forbot family of network worms with backdoor functionality.
The backdoor component connects to an IRC channel and awaits commands from a remote user that include the following:
take part in DDoS attacks
steal product registration information
scan other machines for vulnerabilities
harvest information from files on the hard disk
act as a server (FTP, HTTP, SOCKS4)
W32/Forbot-DV copies itself to the Windows system folder as MsConfiG.exe and, so that it runs automatically each time Windows starts, sets the following registry entries (value name = data under each key):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Java Virtual Machine = MsConfiG.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Microsoft Java Virtual Machine = MsConfiG.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    Microsoft Java Virtual Machine = MsConfiG.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Java Virtual Machine = MsConfiG.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Microsoft Java Virtual Machine = MsConfiG.exe
W32/Forbot-DV also registers itself as a background service and adds a number of registry entries related to that service under the following keys:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRAECO.SYTES.NET
HKLM\SYSTEM\CurrentControlSet\Services\draeco.sytes.net
HKLM\SYSTEM\CurrentControlSet\Services\draeco.sytes.net\Enum
HKLM\SYSTEM\CurrentControlSet\Services\draeco.sytes.net\Security
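A read-only triage check for the autostart values, service keys and dropped file named in this description, written as an added example and not part of the original advisory; it assumes the "Windows system folder" is %SystemRoot%\System32 and matches only on the MsConfiG.exe file name, so any path prefix in the value data is tolerated.

```powershell
# Added example: look for the W32/Forbot-DV persistence artifacts listed above.
# Read-only; reports findings, removes nothing.
$ValueName  = 'Microsoft Java Virtual Machine'
$Executable = 'MsConfiG.exe'
$Service    = 'draeco.sytes.net'

$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

foreach ($key in $autostartKeys) {
    # SilentlyContinue: RunServices does not exist on modern Windows, and the
    # value is absent on a clean machine; neither should abort the sweep.
    $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $data = [string]$item.$ValueName
        # Match on the file name only, so "MsConfiG.exe" and a full path both hit.
        if ($data -match [regex]::Escape($Executable)) {
            $findings += [pscustomobject]@{ Location = $key; Value = $ValueName; Data = $data }
        }
    }
}

# Service registration keys named in the advisory (LEGACY_ key is upper-case).
$serviceKeys = @(
    "HKLM:\SYSTEM\CurrentControlSet\Services\$Service",
    "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($Service.ToUpper())"
)
foreach ($key in $serviceKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Location = $key; Value = '(key present)'; Data = '' }
    }
}

# Dropped copy; System32 is assumed to be the "Windows system folder".
$dropped = Join-Path $env:SystemRoot "System32\$Executable"
if (Test-Path -LiteralPath $dropped) {
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Location = $dropped; Value = '(file present)'; Data = $hash }
}

if ($findings.Count -eq 0) { 'No W32/Forbot-DV indicators found.' } else { $findings | Format-Table -AutoSize }
```

Run from an elevated prompt so the HKLM keys and System32 are readable; a hit on any row is a reason to isolate the host and submit the file for analysis rather than to delete it in place.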