W32/Forbot-DJ

Please follow the instructions for removing worms.

W32/Forbot-DJ is a Windows network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels.

Once installed, W32/Forbot-DJ attempts to setup an HTTP proxy server, remove connections to network shares, participate in denial-of-service (DOS) attacks and steal CD keys and email addresses when instructed to do so by a remote attacker.

The worm spreads to network shares with weak passwords and also by using the RPC-DCOM security exploit (MS03-039) and the LSASS security exploit (MS04-011). W32/Forbot-DJ is a Windows network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels.

W32/Forbot-DJ attempts to copy itself to network shares as msgfix.exe.

When run the worm moves itself to the Windows System folder as ctst.exe. On Windows NT-based operating systems, W32/Forbot-DJ creates its own service named "evloc" with the display name "Event Locator" and creates the following registry entries so
as to run itself on computer logon:

HKLM\SYSTEM\CurrentControlSet\Services\evloc\

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EVLOC\

Once installed, W32/Forbot-DJ attempts to setup an HTTP proxy server, remove connections to network shares, participate in denial-of-service (DoS) attacks, steal CD keys and email addresses when instructed to do so by a remote attacker.

The worm spreads to network shares with weak passwords and also by using the RPC-DCOM security exploit (MS03-039) and the LSASS security exploit (MS04-011).