high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 19 January 2005 13:37:33 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Change any data that may have become compromised.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
and remove any reference to any file you deleted.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries:
HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\
HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\RunOnce\
and remove any reference to any file you deleted.
Close the registry editor.
More Information
W32/Forbot-DP is a member of the Forbot family of network worms with backdoor functionality for the Windows platform.
The backdoor component connects to an IRC channel and awaits commands from a remote user that include the following:
Take part in DDoS attacks
Steal product registration information
Scan other machines for vulnerabilities
Harvest information from files on the hard disk
Act as a server (FTP, HTTP, SOCKS4)
W32/Forbot-DP copies itself to the Windows system folder with the filename atitax.exe, and in order to be able to run automatically when Windows starts up sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\anything
"ATITAX.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\anything
"ATITAX.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\anything
"ATITAX.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\anything
"ATITAX.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\anything
"ATITAX.exe"
W32/Forbot-DP also modifies registry settings by adding a number of entries related to the established background service under the following entries:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI\
HKLM\SYSTEM\CurrentControlSet\Services\ATI\
HKLM\SYSTEM\CurrentControlSet\Services\ATI\Enum\
HKLM\SYSTEM\CurrentControlSet\Services\ATI\Security
|
