Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | March 2005 (3.91) |
| Protection available since | 25 January 2005 13:37:32 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
To re-enable DCOM you can edit the registry, but it is better to use Dcomcnfg.exe. See Microsoft article 825750 for details.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry before you begin.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
and remove any reference to any file you deleted.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\RunOnce\
and remove any reference to any file you deleted.
Close the registry editor.
More Information
W32/Forbot-DT is a network worm with backdoor Trojan functionality.
W32/Forbot-DT spreads to computers by exploiting the LSASS (MS04-011) vulnerability.
When first run, W32/Forbot-DT copies itself to the Windows System folder as SDK0MCORE.EXE. In order to run automatically each time a user logs on, W32/Forbot-DT sets the following registry entries:
| Registry key | Value name | Value data |
|---|---|---|
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | sdkupdate22 | SDK0mCORE.exe |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce | sdkupdate22 | SDK0mCORE.exe |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices | sdkupdate22 | SDK0mCORE.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | sdkupdate22 | SDK0mCORE.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | sdkupdate22 | SDK0mCORE.exe |
On NT-based versions of Windows, W32/Forbot-DT is run as a new service named "Action Date". The service has a display name of "sdkupdate22".
Registry entries are created under the following registry branch:
HKLM\SYSTEM\CurrentControlSet\Services\Action Date
The worm runs continuously in the background providing backdoor access to the infected computer through IRC channels.
W32/Forbot-DT may alter the following registry entry in order to enable/disable DCOM:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
W32/Forbot-DT will attempt to disable anti-virus and security-related processes.
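The removal steps in the Action section and the indicators listed above, brought together in an added PowerShell example. This is not a Sophos tool and not part of the original advisory: it checks the Run, RunOnce and RunServices keys under HKLM and under every loaded user hive in HKEY_USERS for the value name and file name the advisory gives, looks for the "Action Date" service, the dropped file and the EnableDCOM setting, and reports what it finds. Nothing is changed unless `-Remove` is passed, and each key is exported with reg.exe before a value is deleted. The backup directory (`$env:TEMP\reg-backup`) and the use of System32 as the "Windows System folder" are assumptions; run it from an elevated session.

```powershell
# Added example, not Sophos' own tool. Reports (and with -Remove, cleans up) the
# persistence entries this advisory lists for W32/Forbot-DT. Run elevated.
[CmdletBinding()]
param(
    [string]$FileName  = 'SDK0mCORE.exe',            # file name from the advisory
    [string]$ValueName = 'sdkupdate22',              # value / display name from the advisory
    [switch]$Remove,                                 # default is report-only
    [string]$BackupDir = "$env:TEMP\reg-backup"      # assumed location for .reg exports
)

$autorunSubKeys = @('Run', 'RunOnce', 'RunServices')

# Hives to check: HKLM plus every loaded user hive (the HKU\[code number] keys
# from the removal instructions; HKCU is one of these for the current user).
$hives = @('HKLM:\Software\Microsoft\Windows\CurrentVersion')
foreach ($sid in (Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue)) {
    $hives += "Registry::$($sid.Name)\Software\Microsoft\Windows\CurrentVersion"
}

$findings = @()

function Backup-Key([string]$path) {
    # reg.exe expects the native key form (HKLM\..., HKEY_USERS\...), not the provider path.
    $native = $path -replace '^HKLM:\\', 'HKLM\' -replace '^Registry::', ''
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    $file = Join-Path $BackupDir (($native -replace '[\\:]', '_') + '.reg')
    reg.exe export $native $file /y | Out-Null
}

# 1. Autorun values in every hive: match on the value name or on the file name in the data.
foreach ($base in $hives) {
    foreach ($sub in $autorunSubKeys) {
        $key = "$base\$sub"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            $hit = ($p.Name -ieq $ValueName) -or ("$($p.Value)" -like "*$FileName*")
            if ($hit) {
                $findings += [pscustomobject]@{ Type = 'Autorun'; Location = $key; Name = $p.Name; Data = $p.Value }
                if ($Remove) {
                    Backup-Key $key
                    Remove-ItemProperty -Path $key -Name $p.Name
                }
            }
        }
    }
}

# 2. The service the worm registers on NT-based Windows ("Action Date", display name "sdkupdate22").
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Action Date'
if (Test-Path $svcKey) {
    $image = (Get-ItemProperty -Path $svcKey).ImagePath
    $findings += [pscustomobject]@{ Type = 'Service'; Location = $svcKey; Name = 'Action Date'; Data = $image }
    if ($Remove) {
        Backup-Key $svcKey
        Stop-Service -Name 'Action Date' -Force -ErrorAction SilentlyContinue
        sc.exe delete 'Action Date' | Out-Null
    }
}

# 3. The dropped copy in the System folder (System32 assumed; System on 9x-era Windows).
foreach ($dir in @('System32', 'System')) {
    $dropped = Join-Path $env:SystemRoot "$dir\$FileName"
    if (Test-Path $dropped) {
        $hash = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Location = $dropped; Name = $FileName; Data = $hash }
        if ($Remove) { Remove-Item -Path $dropped -Force }
    }
}

# 4. DCOM state. The worm toggles EnableDCOM; report only, and re-enable with
#    Dcomcnfg.exe as the advisory recommends (Microsoft article 825750).
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
if ($ole -and $ole.EnableDCOM -ne 'Y') {
    $findings += [pscustomobject]@{ Type = 'DCOM'; Location = 'HKLM\SOFTWARE\Microsoft\Ole'; Name = 'EnableDCOM'; Data = $ole.EnableDCOM }
}

if ($findings.Count -eq 0) { 'No W32/Forbot-DT indicators found.' } else { $findings | Format-Table -AutoSize }
```

Run it once without `-Remove` and review the table before running it again with `-Remove`; the exports in the backup directory can be re-imported with `reg.exe import` if a value turns out to be legitimate. The file hash is recorded so that the sample can be checked against your own detection records, and the script deliberately leaves EnableDCOM alone, since the advisory points to Dcomcnfg.exe rather than a direct registry edit for that setting.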
