W32/Forbot-JG

Aliases
  • WORM_WOOTBOT.JG
  • W32.IRCBot

Summary

How it spreads
  • Network shares
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since: 13 November 2005 22:00:55 (GMT)
Detected by: All Sophos products

More Information

W32/Forbot-JG is a network worm with backdoor Trojan functionality for the Windows platform.

When first run, W32/Forbot-JG copies itself to the Windows system folder as sdsys.exe and sets the following registry entries in order to run each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Updater
"sdsys.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Windows Updater
"sdsys.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Updater
"sdsys.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Updater
"sdsys.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Windows Updater
"sdsys.exe"
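The five autorun values listed above are the worm's only persistence mechanism named in this report, so a defender can audit them directly. The following PowerShell script is an added example, not Sophos code: it checks each key for a "Windows Updater" value whose data references sdsys.exe and reports whether the dropped file exists in the system folder. The value name, file name and key paths are taken from this page; everything else (variable names, output format) is the example's own.

```powershell
# Added example (not from Sophos): audit the autorun keys written by W32/Forbot-JG.
# Keys, value name and file name come from the advisory above.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$valueName = 'Windows Updater'
$dropper   = 'sdsys.exe'

$findings = foreach ($key in $keys) {
    # RunServices is a Windows 9x key and is normally absent on NT-family systems.
    if (-not (Test-Path -Path $key)) { continue }

    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }

    # Look up the value by name without throwing when it does not exist.
    $prop = $props.PSObject.Properties[$valueName]
    if ($null -eq $prop) { continue }

    # The worm writes the bare file name, so match on the name rather than a full path.
    if ([string]$prop.Value -match [regex]::Escape($dropper)) {
        [pscustomobject]@{ Key = $key; ValueName = $valueName; Data = $prop.Value }
    }
}

# The advisory says the copy lands in the Windows system folder; SystemDirectory
# resolves to System32 on NT-family systems and System on Windows 9x.
$dropPath  = Join-Path -Path ([Environment]::SystemDirectory) -ChildPath $dropper
$fileFound = Test-Path -Path $dropPath

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No '$valueName' autorun value referencing $dropper found."
}
Write-Output ('{0}: {1}' -f $dropPath, $(if ($fileFound) { 'present' } else { 'absent' }))
```

Run it from an elevated prompt so the HKLM keys are readable; a hit on either the registry values or the file warrants a full scan rather than manual deletion alone, since the IRC backdoor may have pulled down further files.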

Once installed, W32/Forbot-JG connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected computer to perform any of the following actions:

  • flood a remote host (by either ping or HTTP)
  • start a SOCKS4 proxy server
  • start an HTTP server
  • start an FTP server
  • portscan randomly-chosen IP addresses
  • execute arbitrary commands
  • steal information such as passwords and product keys
  • upload/download files

The worm can spread to unpatched computers affected by various operating system vulnerabilities such as LSASS (MS04-011), PNP (MS05-039) and ASN.1 (MS04-007) and through backdoors left open by the Troj/Optix Trojans.

Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Forbot-JG (detected as W32/Forbot-Fam) since version 3.98.
