Sophos

W32/Fanbot-B

Summary

 
How it spreads
  • Email attachments
  • Peer-to-peer
Affected operating systems: Windows
Protection available since: 17 October 2005 19:30:08 (GMT)
Detected by: All Sophos products

Action

Please follow the instructions for removing worms.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Close the registry editor.

More Information

W32/Fanbot-B is a mass-mailing and P2P worm and IRC backdoor for the Windows platform.

W32/Fanbot-B spreads by mailing itself to email addresses found on the local computer, copying itself to P2P folders and exploiting the Plug and Play (PnP) vulnerability described in MS05-039.

Messages sent by the worm have the following characteristics:

Subject line: one of

Share Skype.
What is Skype?
Skype for Windows 1.4 - Have you got the new Skype?
Hello. We're Skype and we've got something we would like to share with you.
Your Account is Suspended.
*DETECTED* Online User Violation.
Your Account is Suspended For Security Reasons.
Warning Message: Your services near to be closed.
Important Notification!
Members Support.
Security measures.
Email Account Suspension.
Notice of account limitation.

Attached file: one of

Skype-document.zip
readme.zip
Skype.zip
Skype-details.zip
Skype-info.zip
Skype-stuffs.zip
important-details.zip
account-details.zip
email-details.zip
account-info.zip
document.zip
account-report.zip

or a few randomly-chosen letters followed by the ZIP extension.

The ZIP file contains a copy of W32/Fanbot-B with the same basename and a double extension.

W32/Fanbot-B forges its sender address, using the same domain as the recipient and a username chosen from the following:

support
administrator
mail
service
admin
info
register
webmaster
noreply
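The mail characteristics above (listed subject, listed or random-letters ZIP attachment, and a sender forged as a listed username at the recipient's own domain) can be checked mechanically at a gateway or in a mailbox triage script. The following is an added example, not Sophos code; the sample message is constructed, and the 1-8 letter bound on "a few randomly-chosen letters" is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators exactly as listed in the Sophos description above.
FANBOT_SUBJECTS = {
    "Share Skype.", "What is Skype?", "Important Notification!",
    "Skype for Windows 1.4 - Have you got the new Skype?",
    "Hello. We're Skype and we've got something we would like to share with you.",
    "Your Account is Suspended.", "*DETECTED* Online User Violation.",
    "Your Account is Suspended For Security Reasons.", "Members Support.",
    "Warning Message: Your services near to be closed.", "Security measures.",
    "Email Account Suspension.", "Notice of account limitation."}
FANBOT_ATTACHMENTS = {
    "Skype-document.zip", "readme.zip", "Skype.zip", "Skype-details.zip",
    "Skype-info.zip", "Skype-stuffs.zip", "important-details.zip",
    "account-details.zip", "email-details.zip", "account-info.zip",
    "document.zip", "account-report.zip"}
FORGED_USERS = {"support", "administrator", "mail", "service", "admin",
                "info", "register", "webmaster", "noreply"}
# "a few randomly-chosen letters" + .zip; the 1-8 letter bound is an assumption
RANDOM_ZIP = re.compile(r"^[A-Za-z]{1,8}\.zip$")


def fanbot_indicators(raw_message: str) -> list[str]:
    """Return which W32/Fanbot-B mail characteristics one RFC 822 message shows."""
    msg = message_from_string(raw_message)
    hits = []
    if msg.get("Subject", "").strip() in FANBOT_SUBJECTS:
        hits.append("subject")
    s_user, _, s_dom = parseaddr(msg.get("From", ""))[1].lower().partition("@")
    r_dom = parseaddr(msg.get("To", ""))[1].lower().partition("@")[2]
    # Forged sender: a listed username at the recipient's own domain.
    if s_user in FORGED_USERS and s_dom and s_dom == r_dom:
        hits.append("forged sender")
    for part in msg.walk():
        name = part.get_filename()
        if name and (name in FANBOT_ATTACHMENTS or RANDOM_ZIP.match(name)):
            hits.append("attachment " + name)
    return hits


# Constructed sample message (not a real capture) carrying all three traits.
SAMPLE = """From: admin@example.com
To: alice@example.com
Subject: Your Account is Suspended.
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="account-details.zip"

UEsDBA==
--b1--
"""
```

A single hit (a listed subject alone, say) is weak evidence; the forged-sender check combined with a ZIP attachment is what separates this worm's mail from ordinary account notices.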

When first run W32/Fanbot-B copies itself to <Windows system folder>\remote.exe and installs itself as a service with the display name "Remote Procedure Call (RPC) Remote".

W32/Fanbot-B may create the following autostart registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinShell
<path to worm>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WinShell
<path to worm>

W32/Fanbot-B makes copies of itself in folders whose names contain any of the following strings:

share
sharing
incoming
download
bear
donkey
htdocs
http
kazaa
lime
morpheus
mule
upload
soft

The copies will have the following names:

'K.jpg.pif
1001 Sex and more.rtf.exe
3D Studio Max 6 3dsmax.exe
angels.pif
activation_crack.exe
AcrobatReader_New.exe
ACDSee 10.exe
Adobe Photoshop 10 crack.exe
Adobe Photoshop 10 full.exe
Adobe Premiere 10.exe
Ahead Nero 8.exe
Altkins Diet.doc.exe
American Idol.doc.exe
Arnold Schwarzenegger.jpg.exe
Bifrost.scr
Butterfly.scr
BlackIce_Firewall_Enterpriseactivation_Crack.exe
Best Matrix Screensaver new.scr
Britney sex xxx.jpg.exe
Britney Spears and Eminem porn.jpg.exe
Britney Spears blowjob.jpg.exe
Britney Spears cumshot.jpg.exe
Britney Spears fuck.jpg.exe
Britney Spears full album.mp3.exe
Britney Spears porn.jpg.exe
Britney Spears Sexy archive.doc.exe
Britney Spears Song text archive.doc.exe
Britney Spears.jpg.exe
Britney Spears.mp3.exe
cool screensaver.scr
Clone DVD 6.exe
Cloning.doc.exe
Cracks & Warez Archiv.exe
doom2.doc.pif
dcom_patches.exe
dictionary.doc.exe
dolly_buster.jpg.pif
Dark Angels new.pif
Dictionary English 2004 - France.doc.exe
DivX 8.0 final.exe
Doom 3 release 2.exe
e.book.doc.exe
e-book.archive.doc.exe
eminem - lick my pussy.mp3.pif
E-Book Archive2.rtf.exe
Eminem blowjob.jpg.exe
Eminem full album.mp3.exe
Eminem Poster.jpg.exe
Eminem sex xxx.jpg.exe
Eminem Sexy archive.doc.exe
Eminem Song text archive.doc.exe
Eminem Spears porn.jpg.exe
Eminem.mp3.exe
firefox-1.6a1.en-US.win32.installer.exe
Full album all.mp3.pif
Gimp 1.8 Full with Key.exe
how to hack.doc.exe
Harry Potter 1-6 book.txt.exe
Harry Potter 5.mpg.exe
Harry Potter all e.book.doc.exe
Harry Potter e book.doc.exe
Harry Potter game.exe
Harry Potter.doc.exe
How to hack new.doc.exe
icq2005-final.exe
Internet Explorer 9 setup.exe
'K.jpg.pif
Kula.scr
Kula.jpg.pif
Kazaa Lite 4.0 new.exe
Kazaa new.exe
Keygen 4 all new.exe
Learn Programming 2004.doc.exe
Lightwave 9 Update.exe
matrix.scr
MSN7-final.exe
Maxthon_New.exe
max payne 2.crack.exe
Magix Video Deluxe 5 beta.exe
Matrix.mpg.exe
Microsoft Office 2003 Crack best.exe
Microsoft WinXP Crack full.exe
MS Service Pack 6.exe
nuke2004.exe
netsky source code.scr
Norton Antivirus 2005 beta.exe
Office_Crack.exe
Opera 11.exe
porno.scr
programming basics.doc.exe
Partitionsmagic 10 beta.exe
Porno Screensaver britney.scr
Rain.scr
rfc compilation.doc.exe
RealPlayer_New.exe
RFC compilation.doc.exe
Ringtones.doc.exe
Ringtones.mp3.exe
Serial.txt.exe
strippoker.exe
Super Dollfie.pif
Strip-Girl-2.0b.exe
Serials 2005_New.exe
Saddam Hussein.jpg.exe
Screensaver2.scr
Serials edition.txt.exe
Smashing the stack full.rtf.exe
Star Office 9.exe
TouchNet Browser 1.29b.exe
Teen Porn 15.jpg.pif
The Sims 4 beta.exe
UltraEdit-32 12.01 + Cracker.exe
Ulead Keygen 2004.exe
virii.scr
Visual Studio Net Crack all.exe
Winamp5.exe
Winxp_Crack.exe
Win Longhorn.doc.exe
Win Longhorn re.exe
WinAmp 13 full.exe
Windows 2000 Sourcecode.doc.exe
Windows 2003 crack.exe
Windows XP crack.exe
WinXP eBook newest.doc.exe
XXX hardcore pics.jpg.exe
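The folder-name strings and copy names above give a defender a concrete sweep: walk a file share or user profile, and in any folder whose path contains one of the marker strings report every .exe/.pif/.scr file, flagging the document-style double extensions most of the listed names use. This is an added example, not Sophos tooling; the sample tree is constructed in a temporary directory.

```python
import os
import re
import tempfile
from pathlib import Path

# Folder-name substrings from the Sophos description above.
SHARE_MARKERS = ("share", "sharing", "incoming", "download", "bear", "donkey",
                 "htdocs", "http", "kazaa", "lime", "morpheus", "mule",
                 "upload", "soft")
# The listed copy names end in .exe, .pif or .scr; most use a document-looking
# double extension such as ".doc.exe", which is the strongest single signal.
EXEC_EXT = re.compile(r"\.(exe|pif|scr)$", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.(exe|pif|scr)$", re.IGNORECASE)


def is_share_folder(rel_dir: Path) -> bool:
    """True if any directory component contains one of the marker strings."""
    return any(m in part.lower() for part in rel_dir.parts for m in SHARE_MARKERS)


def find_p2p_copies(root: str) -> list[tuple[str, bool]]:
    """Return (path relative to root, has_double_extension) for every
    executable-typed file inside a folder the worm would copy itself to."""
    found = []
    root_path = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root_path)
        if not is_share_folder(rel_dir):
            continue
        for name in files:
            if EXEC_EXT.search(name):
                rel = (rel_dir / name).as_posix()
                found.append((rel, bool(DOUBLE_EXT.search(name))))
    return sorted(found)


def demo_tree() -> str:
    """Create a constructed sample tree (not real worm output) in a temp dir."""
    root = tempfile.mkdtemp(prefix="fanbot-demo-")
    for rel in ("Kazaa Lite/My Shared Folder/Harry Potter.doc.exe",
                "Kazaa Lite/My Shared Folder/Winamp5.exe",
                "Kazaa Lite/My Shared Folder/readme.txt",
                "Documents/report.doc.exe"):
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"MZ placeholder, not a real executable")
    return root
```

Files flagged with a double extension in a share folder should be hashed and submitted to your AV vendor rather than opened; plain .exe hits (like the Winamp5.exe case) need a second look because legitimate installers live in download folders too.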

W32/Fanbot-B terminates security-related processes.

W32/Fanbot-B appends entries to the Windows HOSTS file in order to prevent access to several computer security websites.
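The HOSTS tampering described here is what the removal step "replace the Hosts file from a backup or edit it" addresses. The following added example (not Sophos code; the HOSTS content is constructed) lists every entry that pins a hostname to a loopback or unspecified address, which is how such a file blocks a site, and produces a cleaned copy with those lines dropped and everything else untouched.

```python
import ipaddress

# Constructed sample HOSTS content (not a real system file): the standard
# loopback lines plus the kind of entries the worm appends.
SAMPLE_HOSTS = """# Constructed sample HOSTS content, not a real system file
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.security-vendor.example
127.0.0.1 update.security-vendor.example # appended by the worm
0.0.0.0 downloads.security-vendor.example
"""

# The only loopback mappings a stock Windows HOSTS file needs.
LEGITIMATE = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def blocking_entries(text: str) -> list[tuple[str, str]]:
    """Return (address, hostname) pairs that pin a hostname to a loopback or
    unspecified address, i.e. entries that silently block that site."""
    hits = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; not what we are looking for here
        for name in fields[1:]:
            if (fields[0], name) not in LEGITIMATE and (ip.is_loopback or ip.is_unspecified):
                hits.append((fields[0], name))
    return hits


def clean_hosts(text: str) -> str:
    """Return the file with the blocking lines dropped and everything else intact."""
    bad = set(blocking_entries(text))
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and any((fields[0], n) in bad for n in fields[1:]):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"
```

Review the list before writing the cleaned file back: developer workstations and ad-blocking setups legitimately map hostnames to 127.0.0.1, so the output is a candidate list, not an automatic verdict.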

W32/Fanbot-B runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

A patch for the operating system vulnerability exploited by W32/Fanbot-B can be obtained from Microsoft: security bulletin MS05-039.
