Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | February 2007 (4.14) |
| Protection available since | 18 December 2006 23:31:53 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Forbot-GN is a network and mass-mailing email worm with backdoor functionality for the Windows platform.
W32/Forbot-GN spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011) and ASN.1 (MS04-007).
Once installed, W32/Forbot-GN connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected computer to perform any of the following actions:
flood a remote host (by either ping or HTTP)
start a SOCKS4 proxy server
start an HTTP server
start an FTP server
portscan randomly-chosen IP addresses
execute arbitrary commands
steal information such as passwords and product keys
upload/download files
W32/Forbot-GN also spreads through email. The worm harvests email addresses from files on the infected computer and from the Windows Address Book. Emails sent by W32/Forbot-GN have the following properties:
Subject line:
*DETECTED* Online User Violation
*WARNING* Your email account is suspended
Email Account Suspension
Important Notification
Members Support
Notice of account limitation
Security measures
Warning Message: Your services near to be closed.
We have suspended your account
You are banned!!!
Your Account is Suspended
Your Account is Suspended For Security Reasons
Message text:
"Some information about your <STRING> account is attached.
The <STRING> Support Team"
"Dear <STRING> Member,
We have temporarily suspended your email account <STRING>.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the attached details to reactivate your <STRING> account.
Sincerely,The <STRING> Support Team"
"Dear <STRING> Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your membership.
Virtually yours,
The <STRING> Support Team
+++ Attachment: No Virus Found
+++ <STRING> Antivirus - www.<STRING>"
"Dear user <STRING>,
You have successfully updated the password of your <STRING> account.
If you did not authorize this change or if you need assistance with your account, please contact <STRING> customer service at: <spoofed>@<STRING>
Thank you for using <STRING>!
The <STRING> Support Team"
In the above message text templates, the <STRING> markers will be replaced by portions of the recipient's email address.
Attached file:
account-details.zip
account-info.zip
account-report.zip
accounts.zip
document.zip
email-details.zip
important-details.zip
information.zip
readme.zip
register.zip
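A gateway-side check for the lure described above, written here as an added example rather than Sophos code: it parses a message with the standard library, compares the Subject and any attachment filenames with the lists on this page, and flags body text personalised with the recipient's address. The example.org addresses and the sample message are constructed.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subject lines and attachment names exactly as listed in the advisory.
SUBJECTS = {
    "*DETECTED* Online User Violation", "*WARNING* Your email account is suspended",
    "Email Account Suspension", "Important Notification", "Members Support",
    "Notice of account limitation", "Security measures",
    "Warning Message: Your services near to be closed.", "We have suspended your account",
    "You are banned!!!", "Your Account is Suspended",
    "Your Account is Suspended For Security Reasons",
}
ATTACHMENTS = {
    "account-details.zip", "account-info.zip", "account-report.zip", "accounts.zip",
    "document.zip", "email-details.zip", "important-details.zip", "information.zip",
    "readme.zip", "register.zip",
}

def lure_indicators(raw: str) -> dict:
    """Report which Forbot-GN lure indicators an RFC 5322 message exhibits."""
    msg = message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    # The templates splice portions of the recipient address into the text, so
    # look for both the local part and the domain of the To: address.
    local, _, domain = parseaddr(msg["To"] or "")[1].partition("@")
    hits = {
        "subject_match": subject in SUBJECTS,
        "attachment_match": [n for n in names if n.lower() in ATTACHMENTS],
        "personalised": bool(local and domain) and (local in body or domain in body),
    }
    score = int(hits["subject_match"]) + int(bool(hits["attachment_match"]))
    hits["verdict"] = ("pass", "review", "block")[score]  # both lure parts -> block
    return hits

def build_sample(subject: str, attach: bool) -> str:
    """Constructed sample message; example.org addresses are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "support@example.org", "alice@example.org", subject
    m.set_content("Dear user alice,\nYou have successfully updated the password of your "
                  "example.org account.\nThe example.org Support Team\n")
    if attach:  # only the ZIP magic bytes, not a real archive
        m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                         filename="account-details.zip")
    return m.as_string()
```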
When first run, W32/Forbot-GN copies itself to <System>\svchosts.exe and sets the following registry entries so that it runs each time a user logs on:

| Registry key | Value name | Value data |
|---|---|---|
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Win32 Update | svchosts.exe |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | Win32 Update | svchosts.exe |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices | Win32 Update | svchosts.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Win32 Update | svchosts.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | Win32 Update | svchosts.exe |
W32/Forbot-GN also creates its own service named "shit", with the display name "Win32 Update".
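The persistence entries above turned into a host triage check, as an added example that is not part of the advisory: a small reader abstraction lets the same logic run against the live registry on Windows or against a snapshot for offline testing. The Services key path is the standard Windows location for service definitions, which the advisory itself does not spell out; the snapshot values are constructed.

```python
from typing import Callable, Optional

VALUE_NAME, VALUE_DATA, SERVICE_NAME = "Win32 Update", "svchosts.exe", "shit"

# The five autorun keys listed in the advisory, as (hive, subkey).
RUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]
# Services are registered under this key (standard Windows layout, not from the advisory).
SERVICE_KEY = ("HKLM", "SYSTEM\\CurrentControlSet\\Services\\" + SERVICE_NAME)

Reader = Callable[[str, str, str], Optional[str]]  # (hive, subkey, value name) -> data

def find_forbot_persistence(read: Reader) -> list[str]:
    """Describe every Forbot-GN persistence artefact the reader can see."""
    hits = []
    for hive, subkey in RUN_KEYS:
        data = read(hive, subkey, VALUE_NAME)
        # Accept the bare file name or a full path ending in the dropped file name.
        if data and data.strip().strip('"').lower().endswith(VALUE_DATA):
            hits.append(f"{hive}\\{subkey}\\{VALUE_NAME} = {data}")
    display = read(*SERVICE_KEY, "DisplayName")
    if display is not None:
        hits.append(f"service {SERVICE_NAME!r} registered with DisplayName {display!r}")
    return hits

def winreg_reader(hive: str, subkey: str, name: str) -> Optional[str]:
    """Live reader for Windows hosts; a 32-bit interpreter on 64-bit Windows sees
    the WOW6432Node view of HKLM\\SOFTWARE, so run a native-width interpreter."""
    import winreg
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    try:
        with winreg.OpenKey(root, subkey) as key:
            return str(winreg.QueryValueEx(key, name)[0])
    except OSError:  # key or value absent
        return None

def snapshot_reader(snapshot: dict) -> Reader:
    return lambda hive, subkey, name: snapshot.get((hive, subkey, name))

# Constructed snapshot: two autorun hits, one unrelated value, and the service key.
SAMPLE = {
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Win32 Update"): r"C:\WINDOWS\system32\svchosts.exe",
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "Win32 Update"): "svchosts.exe",
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce", "Win32 Update"): r"C:\Tools\updater.exe",
    ("HKLM", "SYSTEM\\CurrentControlSet\\Services\\shit", "DisplayName"): "Win32 Update",
}
```

On a Windows host, call `find_forbot_persistence(winreg_reader)`; the snapshot reader is for offline checks against parsed hive exports.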
