W32/Fanbot.H is an email worm. The worm will infect Windows systems. The worm spreads through email and KaZaA P2P software.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected mail will be any one of the following;

Important Notification!
*DETECTED* Online User Violation.
Email Account Suspension.
Your Account is Suspended For Security Reasons.
Notice of account limitation.
Security measures.
Warning Message: Your services near to be closed.
Your Account is Suspended.
Members Support.

The body of the infected mail will be any one of the following;

Dear user {name of recipient}, It has come to our attention that your {email account of user} User Profile ( x ) records are out
of date. For further details see the attached document.
Thank you for using {random}!
The {random name} Support Team

+++ Attachment: No Virus (Clean)
+++ {random domain name} Antivirus - www.{random antivirus name}.com

Dear {name of recipient} Member,

We have temporarily suspended your email account {email account of user}.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
See the details to reactivate your {email account of user} account.

Sincerely,
The {random name} Support Team

Dear {name of recipient} Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages
during the recent week. If you could please take 5-10 minutes out of your
online experience and confirm the attached document so you will not run into any
future problems with the online service.

If you choose to ignore our request, you leave us no choice
but to cancel your membership.

Virtually yours,
The {random name} Support Team
Attachment: No Virus found

The infected attachment will be any one of the following;

important-details
account-details
email-details
account-info
document
account-report

The extension of the infected attachment will be any one of the following;

bat, cmd, exe, pif, zip or scr.

Upon execution of the infected attachment, the worm copies itself as remote.exe in the Windows System folder.

The worm modifies registry at the following location to load itself during each startup;

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

To propagate itself, the worm collects all the available email addresses from the Windows Address Book (WAB) of the infected system.

It can also generate email address by adding the following name to the domain name gathered from previously collected email addresses.

andrew, steve, brenda, smith, brent, sandra, brian, sales, claudia, robert, david, peter, debby, michael, frank, maria, george, linda, helen, kevin, james, julie, jerry and jimmy.

The worm mails itself to these addresses using its own SMTP engine.

The worm also has the backdoor capabilities. It connects to the Internet Relay Chat (IRC) server. After the connection is established, it joins an IRC channel and listens for commands coming from a remote malicious user.

The worm create copies of itself to the shared folders of;

download
sharing
incoming
share

It also modifies the HOSTS file.

The worm also tries to terminate some of the security related processes and prevents access to some of the security related websites.

This worm first appeared on October 28, 2005.

 Other names of W32/Fanbot.H Worm:

This Worm is also known as WORM_FANBOT.H .