high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | November 2004 (3.87) |
| Protection available since | 29 September 2004 07:53:18 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Please read the instructions for removing W32/Forbot-AO.
More Information
W32/Forbot-AO is an IRC backdoor Trojan and network worm.
W32/Forbot-AO is capable of spreading to other computers via network shares and by using various exploits, including the LSASS vulnerability (see Microsoft Security bulletin MS04-011).
When first run W32/Forbot-AO moves itself to the Windows system folder as svhost.exe and creates the following registry entries to run svhost.exe on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\
Run = svhost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\
Run = svhost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\
Run = svhost.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\
Run = svhost.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\\\OFTWARE\\Microsoft\\Windows\\CurrentVersion\\
Run = svhost.exe
and the new service will have a display name of:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\
Run
Each time W32/Forbot-AO is run it attempts to connect to a remote IRC server and join a specific channel. The Trojan then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.
|
