W32/Forbot-EO

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Forbot-EO is a worm which attempts to spread to remote network shares and computers vulnerable to common exploits. W32/Forbot-EO also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via the IRC network, while running in the background as a service process.

W32/Forbot-EO connects to a preconfigured IRC channel and awaits commands from a remote intruder. These include commands to steal information, delete network shares, reduce system security, start a proxy server, participate in DDoS attacks, exploit vulnerabilities, steal registration keys for computer games and harvest email addresses from the Windows address book and Instant Messenger configuration files.

W32/Forbot-EO copies itself to the Windows system folder and creates the following registry entries to run itself automatically on log-on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Win32SysV
xin.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32SysV
xin.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Win32SysV
xin.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32SysV
xin.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32SysV
xin.exe

On NT based versions of Windows xin.exe is run as a new service named "xin" with a display name of "Win32SysV".

New registry entries are created under

HKLM\SYSTEM\CurrentControlSet\Services\xin