high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Protection available since | 3 March 2005 06:05:01 (GMT) |
| Detected by | All Sophos products |
Sophos beta program
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Forbot-EO is a worm which attempts to spread to remote network shares and computers vulnerable to common exploits. W32/Forbot-EO also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via the IRC network, while running in the background as a service process.
W32/Forbot-EO connects to a preconfigured IRC channel and awaits commands from a remote intruder. These include commands to steal information, delete network shares, reduce system security, start a proxy server, participate in DDoS attacks, exploit vulnerabilities, steal registration keys for computer games and harvest email addresses from the Windows address book and Instant Messenger configuration files.
W32/Forbot-EO copies itself to the Windows system folder and creates the following registry entries to run itself automatically on log-on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Win32SysV
xin.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32SysV
xin.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Win32SysV
xin.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32SysV
xin.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32SysV
xin.exe
On NT based versions of Windows xin.exe is run as a new service named "xin" with a display name of "Win32SysV".
New registry entries are created under
HKLM\SYSTEM\CurrentControlSet\Services\xin
|
