W32.Forinsty
Aliases: N/A
Variants: N/A
Classification: Malware
Category: Computer Worm
Status: Inactive
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 21 Sep 2007
Damage: Medium
Characteristics: W32.Forinsty is a worm discovered on September 21, 2007. It spreads by copying itself, together with an autorun.inf, to removable drives, and it opens a back door on the infected computer. It targets Windows systems: Windows 2000, 95, 98, Me, NT, Server 2003, Vista and XP.
W32.Forinsty Removal Tool
Malware on your computer causes annoyances and can damage your system. You should either:
A. Manually remove the worm's files from your computer (for W32.Forinsty, the dropped files, registry entries and keystroke log listed below), or
B. Scan your system automatically with trusted security software.
Because the worm copies itself to every removable drive, also clean any USB drives that were attached to the infected machine; otherwise the worm will return the next time such a drive is opened.
RECOMMENDED:
We recommend that you scan your system for malware. Our partner offers a computer worm removal tool that cleans W32.Forinsty from your computer automatically.
More details about W32.Forinsty
When run, the worm creates the following eight files:
%Windir%\msmsgs.exe
%Windir%\debug\sysdeb.ini
%System%\ynhqttqd.d1l (note the digit 1 in .d1l, a look-alike of .dll)
%System%\ynhqttqd.dll
%System%\drivers\ynhqttqd.sys
%Temp%\ynhqttqd.log
%DriveLetter%\autorun.inf
%DriveLetter%\RECYCLER\RECYCLER\autorun.exe

It then creates one registry entry, modifies two existing registry entries and creates two registry subkeys (this write-up does not name them). Next it copies itself to every removable drive, together with the autorun.inf and RECYCLER\RECYCLER\autorun.exe files, so that the worm is launched when the drive is opened on another machine.

The worm creates a unique identifier named _AFXOnlyOneInstance (a mutex, used so that only one copy runs at a time) and then drops three files, each a copy of Backdoor.Formador, which it injects into the iexplore.exe process. It records keystrokes to %Temp%\ynhqttqd.log.

Backdoor.Formador connects to a predetermined site and server, opens a back door on the computer, and copies itself to %DriveLetter%\autorun.inf and %DriveLetter%\RECYCLER\RECYCLER\autorun.exe.
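As an added example (not code from this write-up, from the removal tool, or from the worm), the following Python triage helper turns the indicators above into two offline checks: it parses an autorun.inf and flags launch keys that point at an executable under RECYCLER\RECYCLER or at a file named autorun.exe, and it matches a list of file paths against the eight dropped files, expanding %Windir%, %System%, %Temp% and %DriveLetter% from a caller-supplied mapping. The write-up does not reproduce the autorun.inf contents, so the sample file is constructed, and the assumption that it launches autorun.exe through open=, shellexecute= and shell\...\command= keys is mine; the host snapshot of existing paths is also constructed.

```python
# Added example for this write-up, not code from the original page or from the worm.
# Two offline checks built from the indicators listed above:
#   1. parse an autorun.inf and flag launch keys pointing at RECYCLER\RECYCLER\*.exe
#      or at a file named autorun.exe;
#   2. match a list of file paths against the eight dropped files.
# Assumption (not stated in the write-up): the worm's autorun.inf launches autorun.exe
# via open= / shellexecute= / shell\...\command= keys. Sample content is constructed.
import ntpath
import os

# Dropped-file indicators, verbatim from the write-up; placeholders are expanded by expand_indicators().
FORINSTY_FILES = [
    r"%Windir%\msmsgs.exe",
    r"%Windir%\debug\sysdeb.ini",
    r"%System%\ynhqttqd.d1l",           # digit 1, a look-alike of .dll
    r"%System%\ynhqttqd.dll",
    r"%System%\drivers\ynhqttqd.sys",
    r"%Temp%\ynhqttqd.log",             # keystroke log
    r"%DriveLetter%\autorun.inf",
    r"%DriveLetter%\RECYCLER\RECYCLER\autorun.exe",
]

# Constructed sample autorun.inf (the write-up does not reproduce the real file's contents).
SAMPLE_AUTORUN_INF = (
    "[AutoRun]\r\n"
    "; constructed sample, not captured from the worm\r\n"
    "OPEN = RECYCLER\\RECYCLER\\autorun.exe\r\n"
    "shell\\open\\Command=RECYCLER\\RECYCLER\\autorun.exe\r\n"
    "shell\\explore\\command=\"RECYCLER\\RECYCLER\\autorun.exe\" -e\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "action=Open folder to view files\r\n"
)


def parse_autorun_inf(text):
    """Return the key/value pairs of the [autorun] section with keys lower-cased.
    Section and key names are case-insensitive on Windows; ';' starts a comment."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """Values of every key Windows may execute on insert (open/shellexecute) or from the context menu."""
    return [v for k, v in entries.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]


def program_of(command):
    """First token of a command line: the quoted path if quoted, else up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_autorun_targets(text):
    """Normalised (lower-case, backslash) programs launched by autorun.inf that sit under
    RECYCLER\\RECYCLER or are named autorun.exe; duplicates collapsed, order preserved."""
    flagged = []
    for command in launch_commands(parse_autorun_inf(text)):
        norm = program_of(command).replace("/", "\\").lower()
        if "recycler\\recycler\\" in norm or ntpath.basename(norm) == "autorun.exe":
            if norm not in flagged:
                flagged.append(norm)
    return flagged


def expand_indicators(env):
    """Pair each indicator template with its concrete path, e.g. env={"Windir": r"C:\\WINDOWS", ...}."""
    result = []
    for template in FORINSTY_FILES:
        path = template
        for name, value in env.items():
            path = path.replace("%" + name + "%", value)
        result.append((template, path))
    return result


def find_dropped_files(present_paths, env):
    """Indicator templates whose expanded path appears in present_paths (case-insensitive match)."""
    present = {p.lower() for p in present_paths}
    return [t for t, p in expand_indicators(env) if p.lower() in present]


def scan_drive_root(root):
    """Read autorun.inf from a mounted drive root such as r"E:\\" and return flagged targets."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, "r", encoding="latin-1", errors="replace") as fh:
        return suspicious_autorun_targets(fh.read())


if __name__ == "__main__":
    # Constructed host snapshot: paths that exist on the machine being triaged.
    env = {"Windir": r"C:\WINDOWS", "System": r"C:\WINDOWS\system32",
           "Temp": r"C:\DOCUME~1\user\LOCALS~1\Temp", "DriveLetter": "E:"}
    snapshot = [r"C:\Windows\msmsgs.exe", r"C:\WINDOWS\system32\YNHQTTQD.DLL",
                r"E:\RECYCLER\RECYCLER\autorun.exe", r"C:\WINDOWS\notepad.exe"]
    print("autorun targets:", suspicious_autorun_targets(SAMPLE_AUTORUN_INF))
    print("dropped files present:", find_dropped_files(snapshot, env))
```

The autorun.inf reader is a plain INI parser: real-world samples are often padded with binary junk or oversized lines to defeat naive parsers, so treat an unparseable autorun.inf on a removable drive as a finding in its own right rather than as a clean result. The file-path check matches exact expanded paths, so supply the snapshot from a directory listing of %Windir%, %System%, %Temp% and the root of each removable drive.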
Besides spreading on removable drives, W32.Forinsty may also be distributed manually. Its authors commonly attach it to spam e-mails or upload it to file-sharing networks and websites, with the installer labelled as something harmless such as a screensaver, movie, software patch or slideshow presentation. It may also be served from compromised web pages, downloaded and installed by other malware, or bundled with other files the user downloads.