W32.Forinsty


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 21 Sep 2007
Damage: Medium

Characteristics: W32.Forinsty is a worm discovered on September 21, 2007. It propagates through removable or executable drives, then opens a back door on the infected computer. It mainly infects Windows systems, namely Windows 2000, 95, 98, Me, NT, Server 2003, Vista and XP.

More details about W32.Forinsty

The worm creates eight files: %Windir%\msmsgs.exe, %Windir%\debug\sysdeb.ini, %System%\ynhqttqd.d1l, %System%\ynhqttqd.dll, %System%\drivers\ynhqttqd.sys, %Temp%\ynhqttqd.log, %DriveLetter%\autorun.inf and %DriveLetter%\RECYCLER\RECYCLER\autorun.exe. It then creates one system registry entry and modifies two others, and also creates two registry subkeys. Next, the worm copies itself to all removable drives. A unique identifier named _AFXOnlyOneInstance is created, after which the worm drops three files, each a copy of Backdoor.Formador; these are injected into the iexplore.exe process. The worm records keystrokes to %Temp%\ynhqttqd.log. Backdoor.Formador then connects to a specified site and a server, opens a back door, and copies itself to the following files: %DriveLetter%\autorun.inf and %DriveLetter%\RECYCLER\RECYCLER\autorun.exe.
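A host check for the file artifacts listed above, written in Python as an added example that is not part of this entry. The directory mapping and the test tree it scans are constructed, and the idea that the dropped autorun.inf is what launches RECYCLER\RECYCLER\autorun.exe is an assumption, not something the entry states.

```python
import os
import tempfile
from pathlib import Path

# File artifacts the entry lists, keyed by the %VAR% each path starts with. The registry
# entries are not enumerated on the page, so only files are checked here.
FORINSTY_FILES = [("Windir", r"msmsgs.exe"), ("Windir", r"debug\sysdeb.ini"),
                  ("System", r"ynhqttqd.d1l"), ("System", r"ynhqttqd.dll"),
                  ("System", r"drivers\ynhqttqd.sys"), ("Temp", r"ynhqttqd.log")]
# Files the worm copies to every removable drive.
REMOVABLE_FILES = [r"autorun.inf", r"RECYCLER\RECYCLER\autorun.exe"]

def _join(base, rel):  # Windows-style relative path -> path under `base`
    return Path(base, *rel.split("\\"))

def find_forinsty_artifacts(dirs, drives):
    """Return the listed artifacts that exist. `dirs` maps 'Windir', 'System' and
    'Temp' to real directories; `drives` lists removable-drive roots to inspect."""
    candidates = [_join(dirs[var], rel) for var, rel in FORINSTY_FILES]
    candidates += [_join(d, rel) for d in drives for rel in REMOVABLE_FILES]
    return [str(p) for p in candidates if p.is_file()]

def autorun_launches_recycler_exe(autorun_inf_text):
    """True if [autorun]'s open= or shellexecute= points at RECYCLER\\RECYCLER\\autorun.exe.
    Assumption, not stated on the page: the dropped autorun.inf starts the dropped exe."""
    in_autorun = False
    for raw in autorun_inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, value = (s.strip().lower() for s in line.split("=", 1))
            if key in ("open", "shellexecute") and \
                    "recycler\\recycler\\autorun.exe" in value.replace("/", "\\"):
                return True
    return False

def demo_scan():
    """Constructed tree: clean Windows dirs, a keystroke log in %Temp%, and one
    'removable drive' E carrying both dropped files. Returns hits relative to the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        dirs = {v: os.path.join(tmp, v) for v in ("Windir", "System", "Temp")}
        drive = os.path.join(tmp, "E")
        for d in (*dirs.values(), os.path.join(drive, "RECYCLER", "RECYCLER")):
            os.makedirs(d)
        for rel in ("E/autorun.inf", "E/RECYCLER/RECYCLER/autorun.exe", "Temp/ynhqttqd.log"):
            Path(tmp, *rel.split("/")).write_text("x")  # placeholder content
        return sorted(os.path.relpath(h, tmp).replace(os.sep, "/")
                      for h in find_forinsty_artifacts(dirs, [drive]))
```

On a live system, pass the real %Windir%, %System% and %Temp% directories and the removable-drive roots to find_forinsty_artifacts, and feed each drive's autorun.inf to autorun_launches_recycler_exe.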

W32.Forinsty is said to spread manually. Its authors often attach it to spam e-mails, and it may also be uploaded to file-sharing networks and websites. The installer is commonly labeled as a harmless file and can appear to be a screensaver, movie, software patch or slideshow presentation. The code can also be embedded in hacked web pages, and other malware can download and install it. The program may also be hidden among other files the user downloads onto the system.