Sophos

W32/Forbot-EJ


How it spreads
  • Network shares
Affected operating systems: Windows
Included in our products from: April 2005 (3.92)
Detected by: All Sophos products

More Information

W32/Forbot-EJ is a network worm with backdoor functionality for the Windows platform.

When first run, W32/Forbot-EJ copies itself to the Windows system folder as netreg.exe and sets the following registry entries in order to run each time a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Help Temp Files = "netreg.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Help Temp Files = "netreg.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  Help Temp Files = "netreg.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Help Temp Files = "netreg.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Help Temp Files = "netreg.exe"

W32/Forbot-EJ also creates its own service named "addicted-to.druggs.info", with the display name "Help Temp Files".
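As an added example (not part of the Sophos description), the following PowerShell check looks on a suspect host for the persistence artifacts listed above: the five Run/RunOnce/RunServices values named "Help Temp Files", the dropped netreg.exe, and the service "addicted-to.druggs.info". It assumes an NT-based Windows where the system folder is System32, and the result-object layout is my own.

```powershell
# Added example: hunt for the W32/Forbot-EJ persistence artifacts named in the description.
# The indicator values come from the description; the script itself is a constructed example.
$valueName   = 'Help Temp Files'
$fileName    = 'netreg.exe'
$serviceName = 'addicted-to.druggs.info'

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# 1. Registry autorun values. SilentlyContinue covers keys or values that do not exist
#    (RunServices, for example, is absent on NT-based systems).
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($item) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Location = $key; Value = $item.$valueName }
    }
}

# 2. The dropped file in the Windows system folder (System32 assumed here).
$dropPath = Join-Path $env:SystemRoot "System32\$fileName"
if (Test-Path $dropPath) {
    $hash = (Get-FileHash -Path $dropPath -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Type = 'File'; Location = $dropPath; Value = $hash }
}

# 3. The service the worm registers, matched on either its service name or its display name.
$svc = Get-Service -ErrorAction SilentlyContinue |
       Where-Object { $_.Name -eq $serviceName -or $_.DisplayName -eq $valueName }
if ($svc) {
    $findings += [pscustomobject]@{ Type = 'Service'; Location = $svc.Name; Value = $svc.Status }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Forbot-EJ persistence artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated session so the HKLM keys and service state are readable. A hit is a lead to investigate with the file hash recorded above, since the value name alone could in principle be reused by unrelated software.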

Once installed, W32/Forbot-EJ connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected machine to perform any of the following actions:

  • flood a remote host (by either ping or HTTP)
  • start a SOCKS4 proxy server
  • start an HTTP server
  • start an FTP server
  • portscan randomly-chosen IP addresses
  • execute arbitrary commands
  • steal information such as passwords and product keys
  • upload/download files

The worm can spread to unpatched machines affected by the LSASS vulnerability (see MS04-011) and through backdoors left open by the Troj/Optix family of Trojans.
