W32/Forbot-ES

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\RunOnce\

and remove any reference to any file you deleted.

Close the registry editor.

W32/Forbot-ES is a member of the W32/Forbot family of internet worms that spread by scanning for and exploiting various vulnerabilities in the Windows operating system.

In order to run automatically when Windows starts up the worm copies itself to the file win128.exe in the Windows system folder and adds the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows 128 Module
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows 128 Module

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows
128 Module

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows 128 Module

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
Windows 128 Module

The worm also registers itself as the service process "Windows 128 Module".

W32/Forbot-ES has backdoor functionality which allows a malicious user remote control over an infected machine via the IRC network.