Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 27 October 2004 09:30:57 (GMT) |
| Detected by | All Sophos products |

- Endpoint Security and Control 9.0
- Small business solutions 4.0

Action

Please follow the instructions for removing worms.
More Information
W32/Forbot-BX is a member of the Forbot family of worms with backdoor functionality for the Windows 2000/XP platforms.
W32/Forbot-BX attempts to spread by copying itself to remote network shares and at the same time provides unauthorized remote access to the infected computer via IRC channels. It runs in the background as a service process.
When executed, W32/Forbot-BX copies itself to the Windows system32 folder as AvpG.exe and, so that it runs each time Windows starts, sets the following registry entries to the path of that copy:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32 Usb Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 Usb Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32 Usb Driver
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32 Usb Driver
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 Usb Driver
W32/Forbot-BX also creates a number of entries under the following registry keys, associated with the installed background service:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32_USB_DRIVER
HKLM\SYSTEM\CurrentControlSet\Services\Win32 Usb Driver
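The following read-only PowerShell check is an added example, not part of the Sophos analysis or of any Sophos tool. It looks for the persistence artefacts listed above (the dropped AvpG.exe in system32, the "Win32 Usb Driver" autostart values, the service and legacy-enumeration keys, and any service whose binary is the dropped file) and reports what it finds without removing anything. It assumes an elevated Windows PowerShell 3.0 or later prompt; the indicator names are taken from this page, and the output strings are my own.

```powershell
# Added example: read-only check for W32/Forbot-BX persistence artefacts.
# Indicator names (file, value name, keys) are those listed in the analysis above.
# Run from an elevated Windows PowerShell prompt; nothing is modified or deleted.

$fileName   = 'AvpG.exe'
$valueName  = 'Win32 Usb Driver'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Win32 Usb Driver'
$legacyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32_USB_DRIVER'

# Autostart keys the worm populates with a value named 'Win32 Usb Driver'.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. The dropped copy in the system32 folder.
$dropPath = Join-Path $env:SystemRoot "system32\$fileName"
if (Test-Path -LiteralPath $dropPath) {
    $findings.Add("File present: $dropPath")
}

# 2. Autostart values; the data should point at the dropped copy.
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings.Add("Autostart value '$valueName' under $key -> $($item.$valueName)")
    }
}

# 3. Service registration and the LEGACY_* enumeration key created for it.
foreach ($key in @($serviceKey, $legacyKey)) {
    if (Test-Path -LiteralPath $key) {
        $findings.Add("Registry key present: $key")
    }
}

# 4. Any installed service whose image path is the dropped file, whatever it is named.
Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $_.PathName -and $_.PathName -like "*\$fileName*" } |
    ForEach-Object {
        $findings.Add("Service '$($_.Name)' ($($_.State)) runs $($_.PathName)")
    }

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Forbot-BX persistence indicators found.'
} else {
    Write-Output 'W32/Forbot-BX persistence indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The HKCU checks only cover the hive of the user running the script; to inspect other profiles on the machine, load or query their hives under HKU as well. A hit on the service key or the LEGACY_WIN32_USB_DRIVER key without the file being present usually means the binary was already removed but the registration was left behind, which is still worth cleaning up as part of the removal steps.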
