Home / malware Worm:Win32/Dorkbot.I
First posted on 17 November 2011.
Source: SecurityHomeAliases :
Worm:Win32/Dorkbot.I is also known as Win-Trojan/Injector.636416.D (AhnLab), W32/Dorkbot.B.gen!Eldorado (Command), Trojan.Injector!mcxcCCeftrA (VirusBuster), W32.IRCBot.NG (Symantec), WORM_DORKBOT.QUN (Trend Micro).
Explanation :
Worm:Win32/Dorkbot.I is a member of the Win32/Dorkbot family; a family of IRC-based worms that spreads via removable drives, instant messaging programs, and social networks. Win32/Dorkbot.I may capture user names and passwords by monitoring network communication, and may block websites that are related to security updates. It may also launch a limited denial of service (DoS) attack.
Top
Worm:Win32/Dorkbot.I is a member of the Win32/Dorkbot family; a family of IRC-based worms that spreads via removable drives, instant messaging programs, and social networks. Win32/Dorkbot.I may capture user names and passwords by monitoring network communication, and may block websites that are related to security updates. It may also launch a limited denial of service (DoS) attack.
Installation
Worm:Win32/Dorkbot.I may arrive as a link through in an instant message or social network message; the link points to a copy of the worm that can be downloaded and executed on the affected user's computer. The worm may be present as the following:
- facebook-profile-pic- <random number>-JPEG.exe
- facebook-pic00 <random number>.exe
When executed, Worm:Win32/Dorkbot.I copies itself to the %AppData% directory using a randomly generated six letter file name, which is based on the HDD serial number, by calling GetVolumeInformation() API (for example, "ozkqke.exe").
It modifies the following registry entry to ensure that its copy executes at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<randomly generated six letter string>"
With data: "%AppData%\<randomly generated six letter string>.exe"
For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ozkqke"
With data: "%AppData%\ozkqke.exe"
Note: %AppData% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the %AppData% folder for Windows 2000, NT and XP is C:\Documents and Settings\<user>\Application Data; and for Vista and Windows 7 is C:\Users\<user>\AppData\Roaming.
Spreads via€¦
Removable drives
Worm:Win32/Dorkbot.I creates a folder named €œRECYCLER€ in all the accessible USB drives, and registers it as a Recycle Bin folder. The worm registers a device notification so that it is notified whenever a USB device is plugged into the affected computer. It then copies itself to the USB device, using a variable file name, and creates an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
Instant messaging/Instant Relay Chat
Using backdoor functionality (see Payload section below), the worm can be ordered by a remote attacker to spread via instant messaging platforms such as Windows Live Messenger, Pidgin chat, Xchat and mIRC. Messages are sent to all of the affected user's contacts. The messages sent, and the frequency at which the messages are sent are configured by the remote attacker.
Social networks
Worm:Win32/Dorkbot.I can be ordered to spread via social network services such as Facebook, Twitter, Bebo, and Vkontakte (a Russian social network). Similar to instant messaging spreading, the worm will hijack the sent message and replace it with its own message that contains the link to the worm's copy. The number of messages sent before the worm will inject its own message with a malicious link is also configured by the remote attacker.
Payload
Allows backdoor access and control
Worm:Win32/Dorkbot.I connects to an IRC server, joins a channel and waits for commands. In the wild, we have observed the worm utilizing IRC servers on the following domains for this purpose:
- shuwhyyu.com
- lovealiy.com
- syegyege.com
- av.shannen.cc
Using this backdoor, a remote attacker can perform a number of different actions on an affected computer. As well as being able to spread via instant messaging applications (detailed in the Spreads via... section), the worm can also be ordered to perform the following actions:
- Obtain computer information
- Protect itself
The worm uses a user-mode rootkit to prevent the affected user from viewing or tampering with its files. This is done by hooking the following functions for all processes inside which it is injected:
- NtQueryDirectoryFile
- NtEnumerateValueKey
- CopyFileA/W
- DeleteFileA/W
Injects code
When executed, the worm injects code into "explorer.exe", as well as to many other running processes on the affected computer. Note that the number of processes it is capable of injecting into is dependent on whether it has been run with administrator privileges.
Contacts remote host
Worm:Win32/Dorkbot.I generates an IRC 'nickname' by connecting to api.wipmania, combining the country code, operating system version, user-type and a random string, using the following format:
n{<country code>|<OS version><user type>}<random string>
where:
- Operating system version - could be any of the following: XP, 2K3, VIS, 2K8, W7, ERR (Error)
- Country code is a two digit country code (for example US - USA, RU - Russia, etc)
- User-type is either 'a' (administrator) or 'u' (user)
Example 'nickname': n{US|XPa}xkfnalw
Using the generated 'nickname' and the IRC server information from its internal configuration, it connects to the IRC server to retrieve further data or infection parameters such as download link, Windows Live Messenger message, and domain lists among other information.
Worm:Win32/Dorkbot.I can accept commands from the attacker to perform one or more of the following:
- Download a file from specified URL and execute it on the affected computer
- Update its main executable from specified URL and wait until next restart to execute (or, if specified in the command, to restart immediately)
- Collect logons and passwords from form grabbing, FTP, POP3, Internet Explorer and Firefox cached logons
- Block or redirects certain domains and websites
- Show infection statistics
- Launch and stop denial of service (SYN and UDP flood)
- Spread via USB, instant messaging, and social networks
- Change Windows Live Messenger and HTTP spreading message
- Report back information about the bot
If logging is enabled by the attacker, every command executed is logged and sent to the IRC server and displayed in the IRC channel where the bot is connected.
Hooks APIs
Worm:Win32/Dorkbot.I hooks several APIs for various purposes, such as hiding its components (like registry entries and dropped file and process names), spreading and sniffing usernames and passwords. Some examples that we have observed Worm:Win32/Dorkbot.I hooking in the wild are:
- CopyFileA/W
- CreateFileA/W
- DeleteFileA/W
- DnsQuery_A/W
- GetAddrInfoW
- HttpSendRequestA/W
- InternetWriteFile
- LdrLoadDll
- MoveFileA/W
- NtEnumerateValueKey
- NtQueryDirectoryFile
- NtResumeThread
- PR_Write
- RegCreateKeyExA/W
- send
- URLDownloadToFileA/W
Deletes files
Worm:Win32/Dorkbot.I contains instructions to delete downloaded and executed files after reboot. It needs this feature to be turned on by the attacker. After installation, Worm:Win32/Dorkbot.I deletes its initial dropper executable.
Removes arbitrary files
Worm:Win32/Dorkbot.I uses €œbehavior monitoring€ to identify and delete files that appear to communicate via Internet Relay Chat (IRC) or exhibit worm behavior such as spreading via removable drives or USB media.
Modifies files
The worm can be instructed to overwrite the following files in order to hinder malware diagnosis and removal:
- regsvr32.exe
- cmd.exe
- rundll32.exe
- regedit.exe
- verclsid.exe
- ipconfig.exe
Steals sensitive information
The worm is capable of intercepting Internet browser communications with various websites, and obtaining sensitive information. This is done by hooking various APIs within Firefox and Internet Explorer. The worm can also target FTP credentials.
Worm:Win32/Dorkbot.I targets the following websites from which to steal usernames and passwords:
- 4shared
- AOL
- Alertpay
- Bcointernacional
- BigString
- Brazzers
- Depositfiles
- DynDNS
- Fastmail
- Fileserve
- Filesonic
- Freakshare
- GMX
- Gmail
- Godaddy
- Hackforums
- Hotfile
- IKnowThatGirl
- Letitbit
- LogMeIn
- Mediafire
- Megaupload
- Moneybookers
- Moniker
- Namecheap
- Netflix
- Netload
- NoIP
- OfficeBanking
- Oron
- PayPal
- Runescape
- Sendspace
- Sms4file
- Speedyshare
- Steam
- Thepiratebay
- Torrentleech
- Uploaded
- Uploading
- Vip-file
- Whatcd
- Yahoo
- YouPorn
- YouTube
- eBay
Infects websites
The worm may be ordered to log into a remote FTP server and infect various HTML files by adding an IFrame. This action may facilitate the worm's spreading function.
Blocks access to security websites
The worm may be ordered to block user access to sites with the following strings in their domain:
- avast
- avg
- avira
- bitdefender
- bullguard
- clamav
- comodo
- emsisoft
- eset
- fortinet
- f-secure
- garyshood
- gdatasoftware
- heck.tc
- iseclab
- jotti
- kaspersky
- lavasoft
- malwarebytes
- mcafee
- onecare.live
- norman
- norton
- novirusthank
- onlinemalwarescanner
- pandasecurity
- precisesecurity
- sophos
- sunbeltsoftware
- symante
- threatexpert
- trendmicro
- virscan
- virus
- virusbuster.nprotect
- viruschief
- virustotal
- webroot
The worm may also download additional or updated domain list from a remote website.
Additional information
On execution, it performs a self-integrity check. If it fails, it shows the message box below and attempts to corrupt the hard drive by writing garbage data to the hard drive.
It also creates a mutex to avoid multiple instances of itself, and mark its presence. Most variants use €œhex-Mutex€Â, but others have been observed using random mutex such as "t2f-Mutex" and"f4448e25-Mutex".
Analysis by Rex Plantado
Last update 17 November 2011