Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 23 February 2005 14:02:43 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Forbot-EH is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels.
W32/Forbot-EH copies itself to the Windows system folder as MSVC32.EXE and attempts to create a service with a Service Name and Display Name of "MySLScan" set to run the copy on system startup.
W32/Forbot-EH also sets the following registry entries so as to run itself on system startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
MySLScan = "msvc32.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
MySLScan = "msvc32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MySLScan = "msvc32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
MySLScan = "msvc32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MySLScan = "msvc32.exe"
W32/Forbot-EH may attempt to terminate certain processes related to security and anti-virus applications.
W32/Forbot-EH spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Forbot-EH may attempt to set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Forbot-EH may attempt to delete network shares on the host computer.
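The autostart values, dropped file, service and registry settings described above can be checked on a host with a read-only PowerShell function. This is an added example, not Sophos code; the function name Find-ForbotEHIndicators and the output field names are assumptions of the example.

```powershell
# Added example: read-only check for the W32/Forbot-EH indicators named on this page.
# Find-ForbotEHIndicators and the output field names are this example's own.
function Find-ForbotEHIndicators {
    $findings = @()

    # Autostart keys from the description; every entry uses the value name "MySLScan".
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    )
    foreach ($key in $runKeys) {
        $p = Get-ItemProperty -Path $key -Name 'MySLScan' -ErrorAction SilentlyContinue
        if ($p) {
            $findings += [pscustomobject]@{ Kind = 'RunValue'; Location = $key; Detail = $p.MySLScan }
        }
    }

    # Copy dropped into the Windows system folder as MSVC32.EXE.
    $file = Join-Path ([Environment]::SystemDirectory) 'msvc32.exe'
    if (Test-Path -LiteralPath $file) {
        $sha = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Kind = 'File'; Location = $file; Detail = "SHA256=$sha" }
    }

    # Service whose Service Name or Display Name is "MySLScan".
    $filter = "Name='MySLScan' OR DisplayName='MySLScan'"
    foreach ($s in @(Get-CimInstance Win32_Service -Filter $filter -ErrorAction SilentlyContinue)) {
        $findings += [pscustomobject]@{ Kind = 'Service'; Location = $s.Name; Detail = $s.PathName }
    }

    # Settings the worm may change. Administrators also set these on purpose,
    # so they are reported as context only, not as proof of infection.
    $settings = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Ole'; Name = 'EnableDCOM'; Value = 'N' },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'restrictanonymous'; Value = '1' }
    )
    foreach ($c in $settings) {
        $p = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($p -and "$($p.($c.Name))" -eq $c.Value) {
            $findings += [pscustomobject]@{ Kind = 'Context'; Location = $c.Key; Detail = "$($c.Name)=$($c.Value)" }
        }
    }
    $findings
}

Find-ForbotEHIndicators | Format-Table -AutoSize -Wrap
```

The HKCU checks cover only the account running the function, so run it in the session of each user profile that needs checking.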
