Sophos

W32/Forbot-AS

Aliases
  • Backdoor.Win32.Wootbot.gen
  • WORM_WOOTBOT.GEN
  • W32/Sdbot.worm.gen.u
  • Exploit-MS04-011.gen
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
  • Chat programs
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 30 September 2004 09:41:37 (GMT)
Detected by All Sophos products
Sophos beta program Sophos beta program
Register now for our latest beta tests
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

More Information

W32/Forbot-AS is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.

W32/Forbot-AS copies itself to the Windows system folder as NAVSW.EXE and creates entries in the registry at the following locations so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Norton SpySweeper AutoUpdate = navsw.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Norton SpySweeper AutoUpdate = navsw.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Norton SpySweeper AutoUpdate = navsw.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Norton SpySweeper AutoUpdate = navsw.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Norton SpySweeper AutoUpdate = navsw.exe

W32/Forbot-AS also creates its own service named "Norton NASW", with the display name "Norton SpySweeper AutoUpdate".

W32/Forbot-AS attempts to spread to network machines using various exploits including the LSASS vulnerability (see MS04-011). The worm may also act as a proxy.

W32/Forbot-AS may download and execute code. The worm may also steal keys for software and delete network shares.

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer