W32/Forbot-CE

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Network shares
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Included in our products from	December 2004 (3.88)
Protection available since	8 November 2004 22:18:21 (GMT)
Detected by	All Sophos products

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/Forbot-CE is a network worm with backdoor functionality.

When first run W32/Forbot-CE copies itself to the Windows system folder and creates the following registry entries to run automatically on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MSN ang = "cssrss.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
MSN ang = "cssrss.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MSN ang = "cssrss.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
MSN ang = "cssrss.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
MSN ang = "cssrss.exe"

Each time W32/Forbot-CE runs it tries to connect to a remote IRC server and join a predefined channel. W32/Forbot-CE then listens on the channel for instructions specified by a remote intruder,

W32/Forbot-CE attempts to spread to network computers using various exploits and may try to delete network shares.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Forbot-CE

Summary

Action

More Information