W32/Forbot-EM

Please follow the instructions for removing worms.

W32/Forbot-EM is a worm which attempts to spread to remote network shares and computers vulnerable to common exploits. W32/Forbot-EM also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via the IRC network, while running in the background as a service process.

W32/Forbot-EM connects to a preconfigured IRC channel and awaits commands from a remote intruder. These include commands to steal information, delete network shares, reduce system security, start a proxy server, participate in DDoS attacks, exploit vulnerabilities, steal registration keys for computer games and harvest email addresses from the Windows address book and Instant Messenger configuration files.

W32/Forbot-EM copies itself to the Windows system folder and creates the following registry entries to run itself automatically on log-on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Help Temp Files
netreg.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Help Temp Files
netreg.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Help Temp Files
netreg.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Help Temp Files
netreg.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Help Temp Files
netreg.exe

On NT based versions of Windows netreg.exe is run as a new service named "addicted-to.druggs.info" with a display name of "Help Temp Files".

New registry entries are created under

HKLM\SYSTEM\CurrentControlSet\Services\addicted-to.druggs.info