Sophos

W32/Forbot-GB

Aliases
  • Backdoor.Win32.Wootbot.cf
  • W32/Sdbot.worm.gen.bj
  • virus
  • W32.Spybot.Worm
  • WORM_RBOT.CHN
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 14 October 2005 09:18:36 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

More Information

W32/Forbot-GB is a worm and IRC backdoor Trojan for the Windows platform.

W32/Forbot-GB spreads to other network computers by exploiting common buffer overflow vulnerabilities, including PNP (MS05-039).

W32/Forbot-GB runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/Forbot-GB copies itself to <System>\msdt32.exe.

The following registry entries are created to run msdt32.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Norton Drive Protection
msdt32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Norton Drive Protection
msdt32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Norton Drive Protection
msdt32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Norton Drive Protection
msdt32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Norton Drive Protection
msdt32.exe

The file msdt32.exe is registered as a new file system driver service named "System Event Logs", with a display name of "Norton Drive Protection". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\System Event Logs\

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer