Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 15 February 2005 20:56:25 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Forbot-EC is a network worm with backdoor functionality for the Windows platform. The worm allows unauthorised remote access to the infected system via IRC channels while running in the background as a service process. The worm may also spread by DCC.
W32/Forbot-EC exploits various vulnerabilities, including the LSASS vulnerability (see MS04-011).
The backdoor functionality of the worm includes being able to act as a proxy, sniff packets, download updates, delete network shares and steal keys for various software products.
W32/Forbot-EC copies itself to the Windows system folder as EMP32.EXE and creates the following registry entries in order to run itself on system startup:

| Registry key | Value name | Value data |
|---|---|---|
| `HKLM\Software\Microsoft\Windows\CurrentVersion\Run` | Help Temp Files | emp32.exe |
| `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce` | Help Temp Files | emp32.exe |
| `HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices` | Help Temp Files | emp32.exe |
| `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` | Help Temp Files | emp32.exe |
| `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce` | Help Temp Files | emp32.exe |

W32/Forbot-EC also registers itself as a service named "addicted-to.druggs.info" with the display name "Help Temp Files".
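
The persistence indicators above can be checked offline against a registry export. The following is an added example, not Sophos code: `find_forbot_ec`, the sample export and the assumption that the service appears under the standard `HKLM\SYSTEM\CurrentControlSet\Services` key are illustrative.

```python
import re

# Indicators from the W32/Forbot-EC description above; compared case-insensitively.
ROOTS = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
CV = r"\software\microsoft\windows\currentversion" + "\\"
RUN_KEYS = ({"hklm" + CV + k for k in ("run", "runonce", "runservices")}
            | {"hkcu" + CV + k for k in ("run", "runonce")})
VALUE_NAME, FILE_NAME = "help temp files", "emp32.exe"
# Assumption: the service is registered under the standard Services key.
SERVICE_KEY = r"hklm\system\currentcontrolset\services\addicted-to.druggs.info"
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _norm_key(key):
    root, _, rest = key.partition("\\")
    return (ROOTS.get(root.upper(), root) + "\\" + rest).lower()

def find_forbot_ec(reg_text):
    """Scan decoded `reg export` text; return a list of (key, finding) tuples."""
    hits, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            if _norm_key(key) == SERVICE_KEY:
                hits.append((key, "service key present"))
            continue
        m = VAL_RE.match(line)
        if not (m and key):
            continue
        # .reg strings escape backslashes and quotes with a backslash.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        base = data.lower().strip('"').rsplit("\\", 1)[-1]
        if _norm_key(key) in RUN_KEYS and (name.lower() == VALUE_NAME or base == FILE_NAME):
            hits.append((key, f"autorun value {name!r} -> {data!r}"))
    return hits

# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Help Temp Files"="emp32.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\WINDOWS\\system32\\EMP32.EXE"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\addicted-to.druggs.info]
"DisplayName"="Help Temp Files"
'''
if __name__ == "__main__":
    print(*find_forbot_ec(SAMPLE), sep="\n")
```

Files written by `reg export` are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text in.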
