Win32.ForBot.KW (Ca.com)

Description Published: January 11, 2005
Description Modified: January 11, 2005

Category: Win32
Also known as: Backdoor.Win32.Wootbot.ai (Kaspersky)


Detection (product: engine version/signature version):

eTrust Antivirus 6x/v7* (Vet Engine): 11.x/8859
eTrust EZ Antivirus 6.2x: 6.2x/8859
eTrust EZ Antivirus 6.3x: 6.3x/8859
eTrust EZ Antivirus 6.4x: 6.4x/8859
eTrust EZ Antivirus 7.x: 7.x/8859
Vet Anti-Virus 10.6x: 10.6x/8859

* Includes updates for InoculateIT and eTrust InoculateIT 6.0.


Description


Win32.ForBot.KW is an IRC-controlled worm that can be instructed to perform an array of malicious functions on an affected machine.

Method of Infection

When executed, Win32.ForBot.KW copies itself to the %System% directory as FBFxec.exe.

Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default System directory is C:\Winnt\System32 for Windows 2000 and NT, C:\Windows\System for Windows 95, 98 and ME, and C:\Windows\System32 for Windows XP.

The worm makes the following registry modifications to ensure that this file is executed each time Windows is started:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FB Exec Stub = "FBFxec.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\FB Exec Stub = "FBFxec.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FB Exec Stub = "FBFxec.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\FB Exec Stub = "FBFxec.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\FB Exec Stub = "FBFxec.exe"

ForBot.KW also installs itself as a service with the following details (which runs at startup and executes FBFxec.exe):

Name: AutoDate
Display name: FB Exec Stub
Path to executable: "%System%\FBFxec.exe" -netsvcs
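A read-only host check for the persistence artifacts listed above, added here as an example and not part of the CA write-up. It assumes PowerShell 3.0 or later on the examined machine and only reports what it finds; it changes nothing.

```powershell
# Added example, not CA's code: look for the Win32.ForBot.KW persistence artifacts
# described in this write-up (Run/RunOnce/RunServices value, service, dropped file).
$valueName   = 'FB Exec Stub'   # registry value name and service display name
$fileName    = 'FBFxec.exe'     # file dropped into %System%
$serviceName = 'AutoDate'       # service name used by the worm

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'  # absent on NT-based Windows; Test-Path handles that
)

$findings = @()

# 1. Autostart registry values named "FB Exec Stub"
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $item -and ($item.PSObject.Properties.Name -contains $valueName)) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\$valueName"; Data = $item.$valueName }
    }
}

# 2. Service matching the name, display name or image path from the write-up
$services = Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Name -eq $serviceName -or $_.DisplayName -eq $valueName -or
        ($_.PathName -and $_.PathName -match [regex]::Escape($fileName))
    }
foreach ($svc in $services) {
    $findings += [pscustomobject]@{ Type = 'Service'; Location = $svc.Name; Data = $svc.PathName }
}

# 3. Dropped file in the System directory (%System% resolved the same way the worm does: by asking the OS)
$dropPath = Join-Path ([Environment]::GetFolderPath('System')) $fileName
if (Test-Path $dropPath) {
    $hash = (Get-FileHash -Path $dropPath -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Type = 'File'; Location = $dropPath; Data = "SHA256 $hash" }
}

if ($findings.Count -eq 0) {
    Write-Output "No Win32.ForBot.KW persistence artifacts found."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM keys and all service entries are readable; a hit on any of the three checks warrants following the vendor removal instructions rather than editing by hand.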

Method of Distribution

Via Exploit
Win32.ForBot.KW can be ordered to spread by exploiting the Windows LSASS vulnerability.

For more information, please visit our Vulnerabilities Encyclopedia or Microsoft: http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx

Via Previous System Compromise
ForBot.KW can also spread via the backdoor provided by the Win32.OptixPro trojan. Only systems already running the OptixPro trojan are vulnerable to this infection method.

Payload

Backdoor Functionality

The main function of the trojans and worms in the Forbot family is to allow an attacker to issue commands to the Bot via IRC. This allows the attacker to perform a host of actions on an affected machine, including, but not limited to, the following:

Flood targeted systems (via ping, syn, udp - Denial of Service attacks)
Run a socks4 proxy server
Port forwarding
Obtain e-mail addresses from the WAB (Windows Address Book) of the infected computer
Remove the network shares ipc$ and admin$ in an attempt to stop other malware from attacking the computer
Port scanning
Delete network shares
Obtain CD keys for popular game titles
Download and execute arbitrary files via HTTP or direct connection
Obtain information about an infected computer, such as the Windows product key, System Info including CPU speed, Memory, OS, build version, system uptime, current User, etc
Add / remove system services
Logoff / reboot / shutdown the affected system
Collect usernames from Yahoo Pager, .NET messenger and AOL Instant Messenger
Start or stop an HTTP server on any specified port, which makes a selected directory available to the remote user
Start or stop the FTP server which allows directory browsing and file uploads/downloads
Terminate processes - including those belonging to many popular antivirus and other security related applications

Analysis by Paul Taylor, Matthew McCormack and Hamish O'Dea


More information on CA Virus Information Center
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41359
