W32/Forbot-GT

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports
Protection available since: 27 Oct 2007 18:41:27 (GMT)
Last updated: 27 Oct 2007 18:41:27 (GMT)


W32/Forbot-GT is a network worm with backdoor functionality for the Windows platform.

Once installed, W32/Forbot-GT connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected computer to perform any of the following actions:

 flood a remote host (by either ping or HTTP)
 start a SOCKS4 proxy server
 start an HTTP server
 start an FTP server
 portscan randomly-chosen IP addresses
 execute arbitrary commands
 steal information such as passwords and product keys
 upload/download files

The worm spreads to unpatched computers by exploiting the LSASS vulnerability (MS04-011), the Server service vulnerability (MS06-040), the ASN.1 vulnerability (MS04-007), the RealVNC authentication bypass (CVE-2006-2369) and the Symantec client vulnerability described in SYM06-010. It also spreads to network shares protected by weak passwords, a route that works regardless of patch level.

When first run, W32/Forbot-GT copies itself to the Windows system folder as f0dns.exe and sets the following registry entries so that it is run each time a user logs on. Note that the value data is the bare file name with no path; Windows resolves it from the system folder:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Symantec Antivirus professional
"f0dns.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Symantec Antivirus professional
"f0dns.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Symantec Antivirus professional
"f0dns.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Symantec Antivirus professional
"f0dns.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Symantec Antivirus professional
"f0dns.exe"

W32/Forbot-GT also registers itself as a service named "Symantec Antivirus professional", with the display name "Symantec Antivirus professional", so that it can be started by the service control manager without a user logging on. Both the registry value name and the service name imitate a legitimate Symantec product; when triaging a host, match on the file name f0dns.exe rather than on the display name.
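The following triage script is an added example for this page and is not Sophos code or part of the original analysis. It checks a Windows host for the persistence artifacts listed above: the five autorun registry values, the dropped file in the system folder, the service, and a running process. The key paths, value name, file name and service name are taken from the analysis; the assumption that the "Windows system folder" is %SystemRoot%\System32 (true on NT-based Windows) and the choice to match on the executable name rather than the value name are mine.

```powershell
# Added triage script for W32/Forbot-GT persistence artifacts (example code, not the
# vendor's). Run in an elevated PowerShell session; read-only, it changes nothing.

$valueName   = 'Symantec Antivirus professional'   # autorun value name used by the worm
$fileName    = 'f0dns.exe'                          # dropped executable name
$serviceName = 'Symantec Antivirus professional'   # service name / display name

# The five autorun locations listed in the analysis. RunServices is a Windows 9x-era
# key and is normally absent on NT-based systems, so every key is guarded by Test-Path.
$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# 1. Autorun values. The value name imitates a Symantec product, so the decisive
#    indicator is the data pointing at f0dns.exe, not the name itself.
foreach ($key in $autorunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $data = $props.$valueName
    if ($data -like "*$fileName*") {
        $findings += "autorun value '$valueName' in $key -> $data"
    } else {
        # Same suspicious name but different data: worth a look, lower confidence.
        $findings += "autorun value '$valueName' in $key with unexpected data -> $data"
    }
}

# 2. Dropped file. Assumption: the system folder is %SystemRoot%\System32.
$dropPath = Join-Path -Path $env:SystemRoot -ChildPath "System32\$fileName"
if (Test-Path -Path $dropPath) {
    $item = Get-Item -Path $dropPath
    $findings += "file $dropPath present ($($item.Length) bytes, written $($item.LastWriteTime))"
}

# 3. Service. Match on either the service name or the display name, then report
#    the image path so the analyst can confirm it points at f0dns.exe.
$svc = Get-CimInstance -ClassName Win32_Service `
    -Filter "Name = '$serviceName' OR DisplayName = '$serviceName'" `
    -ErrorAction SilentlyContinue
foreach ($s in $svc) {
    $findings += "service '$($s.Name)' (display '$($s.DisplayName)') state=$($s.State) path=$($s.PathName)"
}

# 4. Running process with the dropped file's name.
$procName = [System.IO.Path]::GetFileNameWithoutExtension($fileName)
foreach ($p in (Get-Process -Name $procName -ErrorAction SilentlyContinue)) {
    $findings += "process $($p.ProcessName) running as PID $($p.Id)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Forbot-GT persistence artifacts found.'
} else {
    Write-Output 'Possible W32/Forbot-GT infection; artifacts found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A clean host prints the single "No ... artifacts found" line. Because the worm writes the file name without a path, the `-like "*f0dns.exe*"` test also catches variants of the same value that quote the name or prepend the system folder. If any artifact is found, isolate the host before remediation, since the IRC backdoor gives the operator a command channel and the worm will keep scanning for other machines while it runs.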