high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Protection available since | 16 August 2004 08:09:31 (GMT) |
| Last updated | 13 October 2004 07:25:23 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
You will also need to edit the following registry entries, if present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32 USB Driver
and remove any reference to any file you deleted.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKCU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB Driver
HKCU\[code number]\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB Driver
and remove any reference to any file you deleted.
Close the registry editor.
Download and install the Microsoft patches mentioned. On standalone computers, update with all relevant security patches from Windows update.
More Information
W32/Forbot-J is a network worm with IRC backdoor functionality.
In order to run automatically when Windows starts up the worm copies itself to the file svchosting.exe in the Windows system folder and adds the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32 USB Driver
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB Driver
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB Driver
Once the worm is installed it connects to a preconfigured IRC server and awaits further instructions. These instructions can cause the worm to perform any of the following actions:
- flood another machine
- redirect ports
- start an HTTP proxy server
- start an FTP proxy server
- start a SOCKS4 proxy server
- transfer files
- steal CD keys
- search for other infectable machines
W32/Forbot-J attempts to spread to other machines that are either vulnerable to the LSASS exploit (see MS04-011) or infected by the Troj/Optix backdoor.
|
