Virus

W32/Foobot.Backdoor

Analysis

  • Virus is 32-bit and was coded using Visual Basic 6
  • Virus requires VB6 runtime library MSVBVM60.DLL on target system in order to be a threat
  • When executed, virus may copy itself to the Windows folder as “mspread.exe” and launch itself
  • Virus will attempt to download an ActiveX control from this location –
    http://thecleaner.publication.org.uk/vbruntimes/MSWINSCK.OCX
    and copy this file to the Windows\System32 folder
  • The virus will attempt to download “foobot.exe”, a remote access Trojan, from an Angelfire.com website
  • The remote access Trojan will listen for instructions which may include the ability to download files from an Internet location and even execute them remotely
  • It will then attempt to connect to other computers and map a drive Q: to that system using the “net use” command – if successful, the virus will attempt to copy itself to that system in the following paths –
    Q:\Documents and Settings\All Users\Start Menu\Programs\Startup\mspread.exe
    Q:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\mspread.exe
    Q:\Documents and Settings\All Users\Start-meny\Program\Autostart\mspread.exe
    Q:\Windows\Start menu\programs\startup\mspread.exe

  • Virus connects to the Internet and listens for instructions or awaits a login attempt from a hacker or group of hackers
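
A sweep for the drop locations listed above, as an added example rather than vendor tooling. It checks a volume root (a live drive or a mounted disk image) for “mspread.exe” at each listed path, matching case-insensitively so it also works on case-sensitive mounts. The function names and the assumption that the Windows folder is named "Windows" are illustrative.

```python
import os
import tempfile

# Relative paths taken from the write-up above (drive letter removed).
STARTUP_DROPS = [
    r"Documents and Settings\All Users\Start Menu\Programs\Startup\mspread.exe",
    r"Documents and Settings\All Users\Menu Start\Programma's\Opstarten\mspread.exe",
    r"Documents and Settings\All Users\Start-meny\Program\Autostart\mspread.exe",
    r"Windows\Start menu\programs\startup\mspread.exe",
]
# Self-copy in the Windows folder; "Windows" as the folder name is an assumption.
LOCAL_COPY = r"Windows\mspread.exe"


def resolve_nocase(root, rel_path):
    """Walk rel_path under root, matching each component case-insensitively.

    Needed when the volume is mounted on a case-sensitive filesystem.
    Returns the real path if a regular file exists there, else None.
    """
    current = root
    for part in rel_path.split("\\"):
        try:
            entries = os.listdir(current)
        except OSError:  # missing, not a directory, or unreadable
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current if os.path.isfile(current) else None


def sweep(root):
    """Return (listed path, resolved path) for every listed location present."""
    hits = []
    for rel in STARTUP_DROPS + [LOCAL_COPY]:
        found = resolve_nocase(root, rel)
        if found:
            hits.append((rel, found))
    return hits


if __name__ == "__main__":
    # Constructed demo tree standing in for a mounted volume.
    with tempfile.TemporaryDirectory() as root:
        d = os.path.join(root, "WINDOWS", "Start Menu", "Programs", "StartUp")
        os.makedirs(d)
        open(os.path.join(d, "MSPREAD.EXE"), "wb").close()
        for rel, real in sweep(root):
            print("match:", rel, "->", real)
```

A filename match is only a lead for triage; confirm any hit with a scanner or by examining the file.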