W32/Forbot.J

description-logoAnalysis

This virus is 32-bit with a packed file size of 128,000 bytes. The virus may connect to an IRC server using TCP port 6667 and await instructions from a malicious user.
Loading At Windows Startup
If virus is run, it will copy itself to the System32 folder as "svchosting.exe" and then register itself to run at each Windows startup -
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\
"Win32 USB2 Driver" = svchosting.exe
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Runonce\
"Win32 USB2 Driver" = svchosting.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"Win32 USB2 Driver" = svchosting.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\
"Win32 USB2 Driver" = svchosting.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Win32 USB2 Driver" = svchosting.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
"Win32 USB2 Driver" = svchosting.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
"Win32 USB2 Driver" = svchosting.exe
The virus creates additional registry entries to ensure that it loads as a service named "Microsoft Config" and with a description of "Win32 USB2 Driver" on Windows NT-based systems -
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_MICROSOFT_CONFIG
"NextInstance" = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_MICROSOFT_CONFIG\0000\
"Class" = LegacyDriver
"ClassGUID" = {8ECC055D-047F-11D1-A537-0000F8753ED1}
"ConfigFlags" = 00, 00, 00, 00
"DeviceDesc" = Win32 USB2 Driver
"Legacy" = 01, 00, 00, 00
"Service" = Microsoft Config
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_MICROSOFT_CONFIG\0000\Control\
"*NewlyCreated*" = 00, 00, 00, 00
"ActiveService" = Microsoft Config
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_NPF\0000\Control
"ActiveService" = NPF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Config\
"DeleteFlag" = 01, 00, 00, 00
"DisplayName" = Win32 USB2 Driver
"ErrorControl" = 01, 00, 00, 00
"FailureActions" = ( hex values )
"ImagePath" = "C:\WINNT\System32\svchosting.exe" -netsvcs
"ObjectName" = LocalSystem
"Start" = 04, 00, 00, 00
"Type" = 20, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Config\Enum\
"0" = Root\LEGACY_MICROSOFT_CONFIG\0000
"Count" = 01, 00, 00, 00
"NextInstance" = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Microsoft Config\Security\
"Security" = ( hex values )

recommended-action-logoRecommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Telemetry logoTelemetry