Topic: WinUSB32.exe / aka W32/Forbot-AB

DragonSpell
WinUSB32.exe / aka...W32/Forbot-AB
« on: November 24, 2004, 02:48:40 AM »
Avast cannot find this as a worm. In msconfig it is listed, and when removed and restarted it comes right back. I did a search on Google and found that it is a worm with the alias of W32/Forbot-AB and it creates the following registry listings:

W32/Forbot-AB is a network worm with backdoor functionality.

In order to run automatically when Windows starts up the worm moves itself to the Windows system folder as winusb32.exe and creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows USB Driver = "winusb32.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Windows USB Driver = "winusb32.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows USB Driver = "winusb32.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Windows USB Driver = "winusb32.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows USB Driver = "winusb32.exe"

W32/Forbot-AB also creates its own service named "irc.name", with the display name "Windows USB Driver".

Once installed, W32/Forbot-AB connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands.

This is a dialer. I installed ZoneAlarm Pro and removed WinUSB32.exe from startup, restarted the computer and it went right online, even with ZoneAlarm's internet block ON.

Ran CWShredder, Spybot 1.3 and Ad-Aware 6.0 SE; still it cannot be removed.

If anyone has any ideas or solutions it would be greatly appreciated.
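The quoted write-up lists exactly where the worm persists: five Run/RunOnce/RunServices values named "Windows USB Driver", a service named "irc.name" with that display name, and winusb32.exe in the Windows system folder. The script below is an added example, not code from the original post, the forum or Sophos; it is a read-only check of those locations that a responder would run from an elevated prompt before attempting removal (removal from a live system fails here because the running copy re-creates the entries, which is why the reply recommends Safe Mode). It assumes PowerShell 4 or later on an NT-based Windows; the Wow6432Node key is my addition for 64-bit hosts and is not in the write-up.

```powershell
# Added example (not from the original post): inspect the persistence locations the
# W32/Forbot-AB write-up names and report what is found. Read-only: nothing is deleted.

$valueName = 'Windows USB Driver'   # Run/RunOnce value name and service display name from the write-up
$fileName  = 'winusb32.exe'         # dropped file name from the write-up
$svcName   = 'irc.name'             # service name from the write-up

# Autorun keys listed in the write-up. RunServices exists only on Windows 9x/ME, so on
# NT-based systems it is simply absent and skipped. The Wow6432Node key is an assumption
# added for 64-bit Windows, where a 32-bit dropper's HKLM\Software writes are redirected.
$autorunKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
  'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Properties Get-ItemProperty adds that are not registry values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$findings = @()

foreach ($key in $autorunKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($p in $props.PSObject.Properties) {
    if ($psMeta -contains $p.Name) { continue }
    # Flag either the known value name or any value whose data references the dropped file,
    # so a renamed value pointing at winusb32.exe is still caught.
    if ($p.Name -eq $valueName -or ("$($p.Value)" -match [regex]::Escape($fileName))) {
      $findings += [pscustomobject]@{ Location = $key; Name = $p.Name; Data = $p.Value }
    }
  }
}

# The service the write-up describes, matched by service name or display name.
$services = Get-CimInstance Win32_Service -Filter "Name='$svcName' OR DisplayName='$valueName'" -ErrorAction SilentlyContinue
foreach ($s in $services) {
  $findings += [pscustomobject]@{ Location = 'Service'; Name = $s.Name; Data = "$($s.DisplayName) -> $($s.PathName) [$($s.State)]" }
}

# The dropped binary: System32 on NT-based Windows, System on 9x/ME.
foreach ($dir in @('System32', 'System')) {
  $path = Join-Path $env:SystemRoot (Join-Path $dir $fileName)
  if (Test-Path $path) {
    $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    $findings += [pscustomobject]@{ Location = 'File'; Name = $path; Data = "SHA256 $hash" }
  }
}

if ($findings.Count -eq 0) {
  Write-Output "No '$valueName' autorun value, '$svcName' service or $fileName found."
} else {
  $findings | Format-Table -AutoSize
}
```

Run it once on the live system to record the hash and the service's current state, then again after a Safe Mode or boot-time scan to confirm every location is clear; if any Run value or the service is back after a reboot, the running copy was not stopped before the entries were removed.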

inthewildteam
Re:WinUSB32.exe / aka...W32/Forbot-AB
« Reply #1 on: November 24, 2004, 02:59:29 AM »
If you are running ME or XP, disable System Restore first. Under XP, restart in Safe Mode with a boot-time scan and report back.
So? I drive a Citroen