W32/Forbot-BB

Aliases	Backdoor.Win32.Wootbot.gen
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary


How it spreads	Network shares
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	11 October 2004 10:26:02 (GMT)
Detected by	All Sophos products

Sophos beta program
Register now for our latest beta tests

W32/Forbot-BB is a worm and backdoor for the Windows platform. The worm spreads using network shares.

The backdoor component listens for instructions from a remote attacker.

W32/Forbot-BB copies itself to the Windows system folder as aim.exe and adds the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Aim Quick Start = "Aim.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Aim Quick Start = "Aim.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Aim Quick Start = "Aim.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Aim Quick Start = "Aim.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Aim Quick Start = "Aim.exe"

The worm also installs itself as a service named "Aim Quick Start".

W32/Forbot-BB attempts to disable other worms by deleting their registry entries and files.

The backdoor allows a remote attacker to control the infected computer, providing functions such as:

File transfer
Service control
Distributed denial of service attacks

Get reports about the latest virus and spyware threats delivered to your computer