high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | March 2005 (3.91) |
| Protection available since | 28 January 2005 09:02:30 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Forbot-DY is a Windows network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels.
W32/Forbot-DY attempts to copy itself to network shares as msgfix.exe.The worm also tries to create the file app_result.dll on mySQL servers once it has gained access.
When run, the worm moves itself to the Windows System folder as spoolcll.exe. On Windows NT-based operating systems, W32/Forbot-DY creates its own service named "evmon" with the display name "Event Monitor" and creates the following registry entries so as to run itself on computer logon:
HKLM\SYSTEM\CurrentControlSet\Services\evmon
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EVMON
Once installed, W32/Forbot-DY attempts to setup a HTTP proxy server, a SOCKS4 server, remove connections to network shares, participate in denial-of-service (DoS) attacks, steal CD keys and email addresses when instructed to do so by a remote attacker.
The worm tries to spread to network shares with weak passwords and also by using the RPC-DCOM security exploit (MS03-039) and the LSASS security exploit (MS04-011).
|
