W32\forbot-gen making life horrible

  1. #1
    Junior Member
    Join Date
    Oct 2002
    Posts
    11

    W32\forbot-gen making life horrible

    Hi, I was wondering if anyone could help. I have a machine that keeps getting attacked by w32/forbot-gen. I have looked through Google and all that comes up are links to the Sophos web site. I was wondering if anyone knew anything about it, so I can try and block it, as the machine isn't powerful enough to accept any patches past Service Pack 2 for Windows 2000.


    cheers

  2. #2
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    Posts
    852
    Are you running any kind of Antivirus protection on that system?
    - Maverick

  3. #3
    Junior Member
    Join Date
    Oct 2002
    Posts
    11
    Yes, Sophos.

    The file "cftnom.exe" makes it into C:\WINNT\System32\ and once every 1/2 days it writes itself into the registry. I have removed it like it tells me to on Sophos and it keeps coming back.

    Cheers for the quick response
    ----------------------------------------------------
    Pegasys
    http://stephen.closednetworks.org.uk

    ----------------------------------------------------

  4. #4
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Okay, from what you have given in the post this is what I think you should do:
    1. UPDATE to SERVICE PACK 4
    2. Get a firewall
    3. Update your antivirus. I don't know how good Sophos is, but try out AVG (free) or Trend Micro's.
    I did not find the virus name at Symantec but I'll still try to get a link for a removal tool. Anyway, if you can, get a removal tool from your anti-virus provider and run it in SAFE MODE.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  5. #5
    Junior Member
    Join Date
    Oct 2002
    Posts
    11
    ByTeWrangler, thanks for the advice.

    But I am behind a firewall and have removed this virus from both safe mode and non-safe mode and still it comes back. That is why I was asking if anyone had any information on the virus.

    But your advice was gratefully received.
    ----------------------------------------------------
    Pegasys
    http://stephen.closednetworks.org.uk

    ----------------------------------------------------

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Try running Trend Micro's "Housecall" and Panda Software's Online Scan.

    Go to DiamondCS's website and get RegistryProt.

    Get Spybot Search & Destroy, update it and run it in safe mode. Run its immunisation option. Start it in advanced mode and use the tools to check BHOs, the Hosts file and so on.

    EDIT: Are you sure it is cftnom.exe? You might like to look at this link:

    http://support.microsoft.com/kb/q282599/

  7. #7
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Read this:
    http://www.sophos.com/virusinfo/anal...2forbotay.html

    Under the description tab you'll see:

    W32/Forbot-AY attempts to spread to network machines using various exploits including the LSASS vulnerability (see MS04-011). The worm may also spread via IRC channels.
    Next:
    http://www.microsoft.com/technet/sec.../MS04-011.mspx

    From Microsoft
    Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4

    While you said that you had only updated to Service Pack 2, GET THIS SPECIFIC PATCH HERE:
    http://www.microsoft.com/downloads/d...displaylang=en

    Get your computer scanned online at
    http://housecall.antivirus.com

    Even though you said your computer cannot take over Service Pack 2,
    I STRONGLY RECOMMEND YOU DO.

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    pegasys,

    "the machine isn't powerful enough to accept any patches past service pack 2 for Windows 2000."
    I don't understand that. As far as I am aware there is no greater power required for SP4.

    The requirement is PI/133 and 128Mb of RAM?

    Can you explain why you think that your machine is not powerful enough? I am intrigued.

  9. #9
    Junior Member
    Join Date
    Oct 2002
    Posts
    11
    Well, the machine in question is an email server running Exchange and isn't in the best of states, and I am afraid that after installing any more patches it will become more hassle to deal with. At the moment the machine has become a typical Windows machine and plays up whilst trying to complete the simplest of daily checks.

  10. #10
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Just wanted to say that installing Service Packs or patches doesn't degrade the speed or power of the computer, but patches improve performance and give better security. The fact that your machine gets infected every 1 or 2 days shows the IMPORTANCE of patches and service packs.

    I mean it makes no sense keeping your doors locked and windows open.... you are still insecure..
    Anyway, it's up to you to update or even upgrade, but after reading the document at Sophos and Microsoft, the only way you can stop this virus is installing that patch. Believe me, no matter how messed up your computer is, patches will always help you, and one more thing: you can "ALWAYS UNINSTALL" a patch when you need to.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.
