W32/Forbot-BB

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Forbot-BB is a worm and backdoor for the Windows platform. The worm spreads using network shares.

The backdoor component listens for instructions from a remote attacker.

W32/Forbot-BB copies itself to the Windows system folder as aim.exe and adds the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Aim Quick Start = "Aim.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Aim Quick Start = "Aim.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Aim Quick Start = "Aim.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Aim Quick Start = "Aim.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Aim Quick Start = "Aim.exe"

The worm also installs itself as a service named "Aim Quick Start".
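
A host check for the persistence artifacts listed above, as an added example that is not part of the original description. Matching the service by either name or display name, and also looking in SysWOW64, are assumptions; the page only says "a service named" and "the Windows system folder".

```powershell
# Added example (not from the original description): look for the
# W32/Forbot-BB persistence artifacts the page lists on the local host.
$valueName = 'Aim Quick Start'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$findings = @()

# 1. Autorun values. HKCU covers only the user running the script.
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $data = (Get-Item -LiteralPath $key).GetValue($valueName, $null)
    if ($null -ne $data) {
        $findings += [pscustomobject]@{ Type = 'Registry value'; Location = $key; Detail = $data }
    }
}

# 2. Service. The page does not say whether "Aim Quick Start" is the service
#    name or its display name, so match either (assumption).
$filter = "Name='$valueName' OR DisplayName='$valueName'"
foreach ($svc in Get-CimInstance -ClassName Win32_Service -Filter $filter) {
    $findings += [pscustomobject]@{ Type = 'Service'; Location = $svc.Name; Detail = $svc.PathName }
}

# 3. Dropped copy named aim.exe. SysWOW64 is checked on the assumption that a
#    32-bit process on 64-bit Windows has its system-folder writes redirected.
foreach ($dir in 'System32', 'SysWOW64') {
    $path = Join-Path (Join-Path $env:SystemRoot $dir) 'aim.exe'
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = "SHA256 $hash" }
    }
}

if ($findings.Count -eq 0) {
    'No W32/Forbot-BB persistence artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A match on the value or service name is a lead for triage; the recorded image path and file hash are what to compare against known-good software on the host.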

W32/Forbot-BB attempts to disable other worms by deleting their registry entries and files.

The backdoor allows a remote attacker to control the infected computer, providing functions such as:

File transfer
Service control
Distributed denial of service attacks