ForBot.SDK0mCORE
Category: Trojan
Risk: Severe Risk
* Severe threats typically involve remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation normally requires no user interaction, and exploits are in the wild. There is a high likelihood of system damage or a security breach: an attacker can gain complete control over your computer or install new software on your machine.
Description: ForBot.SDK0mCORE is a network worm with backdoor Trojan functionality. It spreads to other computers by exploiting the LSASS vulnerability (MS04-011). When first run, ForBot.SDK0mCORE copies itself to the Windows System folder as SDK0MCORE.EXE.

In order to run automatically each time a user logs on, ForBot.SDK0mCORE sets the following registry entries (value name sdkupdate22, data SDK0mCORE.exe):
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sdkupdate22 = SDK0mCORE.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdkupdate22 = SDK0mCORE.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\sdkupdate22 = SDK0mCORE.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sdkupdate22 = SDK0mCORE.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdkupdate22 = SDK0mCORE.exe

On NT-based versions of Windows, ForBot.SDK0mCORE also runs as a new service named "Action Date" with the display name "sdkupdate22". The service's registry entries are created under the following branch:
    HKLM\SYSTEM\CurrentControlSet\Services\Action Date

The worm runs continuously in the background, providing backdoor access to the infected computer through IRC channels. It may alter the following registry value in order to enable or disable DCOM:
    HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM

ForBot.SDK0mCORE will also attempt to disable anti-virus and security-related processes.
Alias: W32/Forbot-DT, sdkupdate22
Signatures:
process: sdk0mcore.exe: MD5 Hash: d6fcee3395de9123b75
process: sdk0mcore.exe: MD5 Hash: 4efe87899c201d8af3c
process: sdk0mcore.exe: MD5 Hash: 3ca600e9a5a4e7f7aba
process: sdk0mcore.exe: MD5 Hash: 5949491fdcb7dd09c0d
process: sdk0mcore.exe: MD5 Hash: 13188af35798487efaa
process: sdk0mcore.exe: MD5 Hash: f76165380346b68ea40..
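The following PowerShell script is an added example, not part of the original listing or of any vendor tool. It hunts for the indicators the description above names on a Windows host: the sdkupdate22 autostart values, the "Action Date" service key, the dropped sdk0mcore.exe in the System folder, a running process of that name, and a changed EnableDCOM value. The indicator strings come from the listing; the comparison of EnableDCOM against its default of "Y" and the use of System32 as the "Windows System folder" are assumptions made here.

```powershell
# Added example: hunt for ForBot.SDK0mCORE indicators on a Windows host.
# Not code from the original listing. Run from an elevated PowerShell prompt.
# Assumptions: indicator names are taken from the listing; "Windows System
# folder" is taken to be %SystemRoot%\System32; EnableDCOM defaults to "Y".

$valueName  = 'sdkupdate22'
$fileName   = 'sdk0mcore.exe'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Action Date'

# Autostart keys the listing says the worm writes to
$runKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# 1. Autostart registry values named sdkupdate22
foreach ($key in $runKeys) {
  if (Test-Path $key) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $valueName)) {
      $findings += "Autostart value '$valueName' in $key = $($props.$valueName)"
    }
  }
}

# 2. Service registered under the "Action Date" key
if (Test-Path $serviceKey) {
  $svc = Get-ItemProperty -Path $serviceKey -ErrorAction SilentlyContinue
  $findings += "Service key present: $serviceKey (DisplayName='$($svc.DisplayName)', ImagePath='$($svc.ImagePath)')"
}

# 3. Dropped binary in the System folder (hash it for comparison with AV signatures)
$dropped = Join-Path $env:SystemRoot "System32\$fileName"
if (Test-Path $dropped) {
  $md5 = (Get-FileHash -Path $dropped -Algorithm MD5).Hash.ToLower()
  $findings += "File present: $dropped (MD5 $md5)"
}

# 4. Running process with the dropper's name (ProcessName carries no .exe suffix)
$procName = $fileName -replace '\.exe$', ''
Get-Process -ErrorAction SilentlyContinue |
  Where-Object { $_.ProcessName -ieq $procName } |
  ForEach-Object { $findings += "Running process: $($_.ProcessName) (PID $($_.Id)) Path=$($_.Path)" }

# 5. DCOM toggle the listing says the worm may alter
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
if ($ole -and $ole.EnableDCOM -ne 'Y') {
  $findings += "HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM is '$($ole.EnableDCOM)' (default 'Y'); confirm the change was intended"
}

if ($findings.Count -eq 0) {
  Write-Output 'No ForBot.SDK0mCORE indicators found.'
} else {
  Write-Output 'ForBot.SDK0mCORE indicators found:'
  $findings | ForEach-Object { Write-Output " - $_" }
}
```

Get-FileHash requires PowerShell 4 or later; on older hosts use `certutil -hashfile <path> MD5` instead. The MD5 values in the Signatures list above are truncated, so the hash the script prints cannot be matched against them directly; compare it against your AV vendor's full signatures. A hit on the EnableDCOM check alone is not proof of infection, since administrators also change that value, and the worm's presence should be confirmed through the file, service or autostart indicators.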
Copyright @2006 THR Computer Solutions: ForBot.SDK0mCORE