{
	"id": "c81cf813-155e-4efc-bab7-9982a006bcd7",
	"created_at": "2026-04-06T00:06:06.310275Z",
	"updated_at": "2026-04-10T03:20:24.698477Z",
	"deleted_at": null,
	"sha1_hash": "8753a2d53ea787b35d832dd62d1c2bf0126de2ab",
	"title": "Windows worms. Forbix worm analysis.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 434607,
	"plain_text": "Windows worms. Forbix worm analysis.\r\nPublished: 2019-08-24 · Archived: 2026-04-05 22:48:14 UTC\r\n=== Aug 24, 2019 ===\r\nAnyone heard about the Forbix worm? Good. Lots of us know how difficult it is to remove a worm from an infected system or network. Of course it depends on multiple factors, like: the way it spreads, persistence mechanisms, disguise techniques used once the machine is infected, reinfection methods, etc. These days, when someone says “Windows worm” we usually expect a highly sophisticated piece of malware, exploiting a 0-day/1-day vulnerability, and “preferably” this vulnerability being in a service listening on a specific port exposed to the whole world. Maybe this is the case for the worm-like ransomware WannaCry, but it definitely does not apply to the Forbix malware.\r\nNot so long ago (in 2019), I got hold of a PC which kept beaconing to a C2 server even after being re-imaged several times. And nope, the image was clean. Based on the domain name this malware kept trying to connect to, it was very easy to determine that it is indeed Forbix. This worm is about 3 years old, written in Visual Basic and not obfuscated at all, yet it kept reappearing after that PC was re-imaged several times.\r\nGeneral information\r\nForbix is a Windows worm written purely in Visual Basic. The first references to it date from March 2016. Based on the sample found recently, it looks like it hasn’t been updated since then; however, this strain is still alive even now.\r\nFile name | Checksum | Size\r\nManuel.doc | d838aaf8d656b7d8d0f48d13646e677eaad35f20 | 11.1K\r\nSysinfY2X.db | d838aaf8d656b7d8d0f48d13646e677eaad35f20 | 11.1K\r\nSysinfY2X.db (decoded) | e41c395013e1a72477eb4b02429d38d0eef2e82e | 10.2K\r\nThere are several states this malware can be in. As described later in this article, there are Active and Passive states. Forbix is stored on the disk in its passive state, which is the encoded version of the actual script (VBE script). This is performed with Microsoft’s default VBScript.Encode functionality. Because of this particularity, multiple AV solutions do not flag it as malicious, as it is not an executable file.\r\nhttps://persianov.net/windows-worms-forbix-worm-analysis\r\nPage 1 of 7\n\nI was surprised to see that, at the time of this writing, about half of the VirusTotal engines do not find the decoded version malicious (28/53): MalwareBytes, Comodo, F-Secure, F-Prot, Avira. It gets even more interesting when I change the C2 domain and the names of the files this malware creates: 21/53. This time Kaspersky, Microsoft Defender, Sophos, McAfee and ClamAV also made it into the list.\r\nForbix .LNK files\r\nYou are probably already wondering how this .vbe script gets executed on the victim’s machine. Well, it’s all about .LNK files. They are created on an infected machine, replacing the original folders.\r\n\"C:\\Windows\\system32\\cmd.exe\" /c start wscript /e:VBScript.Encode Manuel.doc \u0026 start explorer \u003cREPLACED_FOLDER_\r\nOnce double-clicked, this .LNK file executes the VBE script from Manuel.doc and then opens the hidden original folder. This way most users never suspect that something is wrong.\r\nForbix SysinfY2X.db file\r\nIn its stored (passive) state this file is similar to Manuel.doc and is an encoded version of the malware. Because the author used the default VBS encoder provided by Microsoft, it is easy to obtain the original version. Thanks to Didier Stevens for this awesome script.\r\npython decode-vbe.py SysinfY2X.db \u003e decoded_sysinfy2x.vbs\r\nOnce successfully decoded, let’s analyse the script, which by the way isn’t even obfuscated. From the beginning of the file we already see a bunch of global variables, which are never changed during the script execution. These can easily make it into our IOC list.\r\nLooks like the C2 server was behind realy[.]mooo[.]com. Here is an interesting fact: by changing these variables’ values, Windows Defender, Kaspersky and Sophos AVs stop picking up this malware. Looks like we are still in the era of string searching and matching.\r\nFollowing is the main (infinite) loop of the worm. It runs every 2 seconds and connects to the C2 server every 60 seconds. This sample has 5 major functionalities:\r\nInfect available drives;\r\nAdd persistence;\r\nProtect itself against removal;\r\nSelf-update and execute the stage 2 payload;\r\nC2 communications.\r\nAll these are implemented in the following functions: infect_drives, infect_registre, protect_del, kill_old, serv_vmd, and all of them are called inside the infinite loop.\r\ninfect_drives() function\r\nThis function checks all available drives and infects only removable, CD-ROM and network drives (DriveType: 1, 3, 4), avoiding the System Drive.\r\nThe first step in drive infection is self-replication. The malware checks that the selected drive is not the System Drive and copies itself to the root directory of the drive. If Manuel.doc already exists, this file is overwritten. Also, once created, the attributes of this file are set to ReadOnly, Hidden and System (Attribute: 1, 2, 4).\r\nThe next phase is about .LNK file creation and hiding the original files. This also applies to folders; the malware changes folder attributes making them hidden and creates .LNK files using the same name and icon. As mentioned earlier, by means of .LNK files this malware infects new machines via USB drives, CDs and network drives.\r\ninfect_registre() function\r\nIt is responsible for making the malware persistent. It creates one new registry key, named with the current active name of the program, under \\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.\r\nprotect_del() function\r\nThis function is responsible for maintaining an up-to-date copy of the script in the Windows temporary directory, by overwriting the existing one (if any).\r\nkill_old() function\r\nIn order to keep just one (the newest) version of the worm running, the function kill_old is called periodically to remove the remaining artifacts of the previous Forbix.A version.\r\nC2 communications\r\nDuring the self-update process, the get_new_v and bot_up functions are called. These are responsible for preparing the files of the new version of the worm and executing it, respectively. Besides that, the bot_up function is also used to execute stage 2 modules, which are downloaded from the C2 server.\r\nCommunication with the C2 server is implemented around 3 commands:\r\nping - used to notify the attackers that the bot is running;\r\nlist - used in stage 2 infection. It contains these parameters:\r\nfrom - Stage 2 payload URL;\r\nsize - size of the payload;\r\nto - destination folder to copy the executable to;\r\nlancer - optional; specifies the way to execute the payload (wscript.exe, etc.);\r\n\u003csize\u003e+\u003cname\u003e - used to get the new version of the malware.\r\nConclusion\r\nSince early 2016 Forbix has been found in the wild, infecting Windows PCs. Even though it doesn’t use any sophisticated techniques to spread, persist and load payloads, multiple AV engines still fail to detect and remove it. Looks like there are still multiple requests to the realy[.]mooo[.]com domain nowadays. If you have an old USB drive and are not sure whether to access the files on it, make sure to scan it. Before opening any folder or file, check whether a “Manuel.doc” file exists in the root directory of the drive.\r\nSource: https://persianov.net/windows-worms-forbix-worm-analysis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://persianov.net/windows-worms-forbix-worm-analysis"
	],
	"report_names": [
		"windows-worms-forbix-worm-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775433966,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8753a2d53ea787b35d832dd62d1c2bf0126de2ab.pdf",
		"text": "https://archive.orkl.eu/8753a2d53ea787b35d832dd62d1c2bf0126de2ab.txt",
		"img": "https://archive.orkl.eu/8753a2d53ea787b35d832dd62d1c2bf0126de2ab.jpg"
	}
}