high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | October 2004 (3.86) |
| Protection available since | 9 September 2004 11:04:27 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please read the instructions for removing W32/Forbot-S.
More Information
W32/Forbot-S is a worm and backdoor for the Windows platform.
W32/Forbot-S spreads to network shares and by exploiting the LSASS (MS04-011)
vulnerability and backdoors opened by other malware.
When run W32/Forbot-S copies itself to the Windows system folder as scvhosting.exe. The worm adds the following registry entries to ensure that the copy is run each time Windows is started.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
starter = "scvhosting.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
starter = "scvhosting.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
starter = "scvhosting.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
starter = "scvhosting.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
starter = "scvhosting.exe"
The backdoor component of W32/Forbot-S contacts an IRC server and waits for instructions from a remote attacker. The backdoor may be used to launch distributed denial of service attacks, run proxy servers or obtain information about the infected computer.
W32/Forbot-S attempts to disable other worms, such as members of the W32/Bagle family.
|
