How to Remove Forbiks VBS

Forbiks is a worm that spreads via removable drives and network shares. It also downloads potentially malicious file and was discovered on September 8, 2017. It can affect Windows 7, 8 and 10 systems and the risk level is Very Low

The threat may arrive on compromised computers through removable drives.

When the worm is executed, it propagates through removable, network, and CD-ROM drives.

The worm copies itself to the following locations:

  • [ALL DRIVES]\Manuel.doc
  • %Temp%\SysinfY2X.db
  • %Temp%\SysinfYhX.db

Next, the worm creates the following registry entries so that it runs every time Windows starts:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”[FILE NAME]” = “cmd.exe /c start wscript /e:VBScript.Encode %Temp%\SysinfY2X.db”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”[FILE NAME]” = “cmd.exe /c start wscript /e:VBScript.Encode %Temp%\SysinfYhX.db”

The worm then modifies the following registry entry to hide files with Hidden attributes:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”Hidden” = “2”

Next, the worm connects to the following command and control (C&C) server to get instructions:

  • [http://]realy.mooo.com/bot.lancer/inde[REMOVED]

The worm may then perform the following actions on the compromised computer:

  • Update itself
  • Download and run other malware

Leave a Reply