
Worm:Win32/Dorkbot


First posted on 25 January 2012.
Source: Microsoft

Aliases:

Worm:Win32/Dorkbot is also known as Win-Trojan/Injector.636416.D (AhnLab), W32/Dorkbot.B.gen!Eldorado (Command), Trojan.Injector!mcxcCCeftrA (VirusBuster), W32.IRCBot.NG (Symantec), WORM_DORKBOT.QUN (Trend Micro), ngrBot (other).

Explanation:

Win32/Dorkbot is a family of IRC-based worms that spreads via removable drives, instant messaging programs, and social networks. Variants of Win32/Dorkbot may capture user names and passwords by monitoring network communication, and may block websites that are related to security updates. It may also launch a limited denial of service (DoS) attack.





Installation

Commonly, Win32/Dorkbot variants arrive as a link in an instant message or social network message; the link points to a copy of the worm that is downloaded and executed on the affected user's computer. The worm may be present as the following:

  • facebook-profile-pic- <random number>-JPEG.exe
  • facebook-pic00 <random number>.exe


When executed, variants of Win32/Dorkbot may copy themselves to the %AppData% folder using a randomly generated six-letter file name derived from the hard drive serial number, which the worm obtains by calling the GetVolumeInformation() API (for example, "ozkqke.exe").

The worm modifies the following registry entry to ensure that its copy executes at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<randomly generated six letter string>"
With data: "%AppData%\<randomly generated six letter string>.exe"

For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ozkqke"
With data: "%AppData%\ozkqke.exe"

Note: %AppData% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the %AppData% folder for Windows 2000, NT and XP is C:\Documents and Settings\<user>\Application Data; and for Vista and Windows 7 is C:\Users\<user>\AppData\Roaming.
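As an added illustration (this is not Microsoft's code and is not part of the original write-up), the following Python checks the values of a Run key against the persistence pattern described above: a value name of six lowercase letters whose data points at an identically named .exe under %AppData%, either as the literal variable or as the expanded Windows 2000/XP or Vista/7 path. The SAMPLE_RUN contents are constructed; on Windows the read_hkcu_run helper reads the live HKCU Run key through winreg, and on other platforms the sample is used instead.

```python
import re
import sys

# Value name pattern from the write-up: six randomly generated lowercase letters.
RUN_VALUE_RE = re.compile(r"^[a-z]{6}$")

# Data pattern: "%AppData%\<name>.exe" or the expanded equivalent under
# "Documents and Settings\<user>\Application Data" or "Users\<user>\AppData\Roaming".
APPDATA_EXE_RE = re.compile(
    r'^"?(?:%appdata%|[a-z]:\\(?:users|documents and settings)\\[^\\]+\\'
    r'(?:appdata\\roaming|application data))\\([a-z]{6})\.exe"?$',
    re.IGNORECASE,
)


def dorkbot_like_run_entries(run_values):
    """Return (value_name, data) pairs that match the Dorkbot persistence pattern.

    run_values: dict of value name -> data, as read from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    """
    hits = []
    for name, data in run_values.items():
        if not RUN_VALUE_RE.match(name):
            continue
        m = APPDATA_EXE_RE.match(str(data).strip())
        # The dropped file name must be the same six letters as the value name.
        if m and m.group(1).lower() == name:
            hits.append((name, data))
    return hits


def read_hkcu_run():
    """Read the live HKCU Run key on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values[name] = data
            index += 1
    return values


# Constructed sample Run key contents (not real registry data) for an offline check.
SAMPLE_RUN = {
    "ozkqke": r"%AppData%\ozkqke.exe",                        # the write-up's own example
    "abcdef": r"C:\Users\alice\AppData\Roaming\abcdef.exe",   # expanded Vista/7 form
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "qwerty": r"C:\Program Files\Qwerty\qwerty.exe",          # six letters, but not under %AppData%
    "abcdef2": r"%AppData%\abcdef2.exe",                      # seven characters with a digit
}

if __name__ == "__main__":
    live = read_hkcu_run()
    for name, data in dorkbot_like_run_entries(live or SAMPLE_RUN):
        print(f"suspicious Run entry: {name} = {data}")
```

Because the worm hooks NtEnumerateValueKey in the processes it injects into, a check run from inside an infected session may not see the value at all; running it from a clean boot environment or against an offline copy of NTUSER.DAT avoids that blind spot.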

Spreads via…

Removable drives

Win32/Dorkbot may create a folder named "RECYCLER" in all the accessible USB drives, and register it as a Recycle Bin folder. The worm registers a device notification so that it is notified whenever a USB device is plugged into the affected computer. It then copies itself to the USB device, using a variable file name, and creates an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
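An added example (not from the original write-up) of how a defender can triage an autorun.inf found on a removable drive against the behaviour just described. The parser reads the [autorun] section and flags the keys that cause a file to run when the drive is opened (open, shellexecute and shell\open\command), reporting separately when the target lives inside a RECYCLER folder. Both sample files are constructed, and the file name under RECYCLER is a placeholder rather than an observed name.

```python
import re

# [autorun] keys that make Windows run something when the drive is opened or double-clicked.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")
EXEC_EXT_RE = re.compile(r"\.(exe|scr|com|pif|bat|cmd|vbs|js)\b", re.IGNORECASE)


def parse_autorun_inf(text):
    """Parse the [autorun] section of an autorun.inf into a dict of lowercase key -> value."""
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text):
    """Return human-readable reasons an autorun.inf matches the removable-drive behaviour above."""
    entries = parse_autorun_inf(text)
    findings = []
    for key in EXEC_KEYS:
        value = entries.get(key)
        if value is None:
            continue
        if "recycler" in value.lower():
            findings.append(f"{key} runs a file inside a RECYCLER folder: {value}")
        elif EXEC_EXT_RE.search(value):
            findings.append(f"{key} runs an executable from the drive: {value}")
    return findings


# Constructed samples (not captured files); "abcxyz.exe" is a placeholder file name.
SUSPICIOUS_INF = """[autorun]
;constructed example
open=RECYCLER\\abcxyz.exe
shellexecute=RECYCLER\\abcxyz.exe
icon=RECYCLER\\abcxyz.exe,0
"""

BENIGN_INF = """[autorun]
icon=setup.ico
label=Driver CD
"""

if __name__ == "__main__":
    for label, inf in (("suspicious", SUSPICIOUS_INF), ("benign", BENIGN_INF)):
        print(label, autorun_findings(inf) or "no findings")
```

The icon key is parsed but not reported, since pointing an icon at an executable is legitimate; what matters for this worm is the open/shellexecute target. Disabling Autorun for removable media removes the launch path entirely, and the check above is for triaging drives after the fact.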

Instant messaging/Internet Relay Chat

Using backdoor functionality (see payload section below), the worm can be ordered by a remote attacker to spread via instant messaging platforms such as Windows Live Messenger, Pidgin chat, Xchat and mIRC. It sends messages to all of the affected user's contacts. The messages sent, and the frequency at which the messages are sent are configured by the remote attacker.

Social networks

Win32/Dorkbot variants can be ordered to spread via social network services such as Facebook, Twitter, Bebo, and Vkontakte (a Russian social network). Similar to instant messaging spreading, the worm will hijack the sent message and replace it with its own message that contains the link to the worm's copy. The number of messages sent before the worm will inject its own message with a malicious link is also configured by the remote attacker.



Payload

Allows backdoor access and control

Variants of Win32/Dorkbot may connect to an IRC server, join a channel and wait for commands. In the wild, we have observed the worm utilizing IRC servers on the following domains for this purpose:

  • shuwhyyu.com
  • lovealiy.com
  • syegyege.com
  • av.shannen.cc


Using this backdoor, a remote attacker can perform a number of different actions on an affected computer. As well as being able to spread via instant messaging applications (detailed in the Spreads via... section), the worm can also be ordered to perform the following actions:

  • Obtain computer information
  • Protect itself


The worm uses a user-mode rootkit to prevent the affected user from viewing or tampering with its files. This is done by hooking the following functions for all processes inside which it is injected:

  • NtQueryDirectoryFile
  • NtEnumerateValueKey
  • CopyFileA/W
  • DeleteFileA/W


Injects code

When executed, the worm injects code into "explorer.exe", as well as to many other running processes on the affected computer. Note that the number of processes it is capable of injecting into is dependent on whether it has been run with administrator privileges.

Contacts remote host

Win32/Dorkbot generates an IRC 'nickname' by querying api.wipmania for the computer's country code and combining it with the operating system version, the user type and a random string, using the following format:

n{<country code>|<OS version><user type>}<random string>

where:

  • Operating system version could be any of the following: XP, 2K3, VIS, 2K8, W7, ERR (Error)
  • Country code is a two-letter country code (for example US for the USA, RU for Russia, etc.)
  • User-type is either 'a' (administrator) or 'u' (user)


Example 'nickname': n{US|XPa}xkfnalw

Using the generated 'nickname' and the IRC server information from its internal configuration, it connects to the IRC server to retrieve further data or infection parameters such as download link, Windows Live Messenger message, and domain lists among other information.
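The nickname grammar above is specific enough to use as a network detection. As an added example (not Microsoft's code), the following Python parses a nickname into its country, OS version and user-type fields and scans IRC registration lines for nicknames that match. The log lines are constructed in a simple "timestamp source -> destination payload" shape using documentation address ranges; the first one carries the write-up's own example nickname.

```python
import re

# Nickname grammar from the write-up: n{<country code>|<OS version><user type>}<random string>
OS_VERSIONS = ("XP", "2K3", "VIS", "2K8", "W7", "ERR")
NICK_RE = re.compile(
    r"^n\{(?P<cc>[A-Z]{2})\|(?P<os>" + "|".join(OS_VERSIONS) + r")"
    r"(?P<utype>[au])\}(?P<rand>[A-Za-z0-9]+)$"
)


def parse_dorkbot_nick(nick):
    """Return the fields of a Dorkbot-style nickname, or None if it does not match the grammar."""
    m = NICK_RE.match(nick)
    if not m:
        return None
    return {
        "country": m.group("cc"),
        "os": m.group("os"),
        "admin": m.group("utype") == "a",   # 'a' = administrator, 'u' = user
        "random": m.group("rand"),
    }


# "NICK <nick>" is the IRC client registration command; some loggers keep a leading ':'.
NICK_CMD_RE = re.compile(r"\bNICK\s+:?(\S+)")


def scan_irc_log(lines):
    """Return (line, parsed_nick) for every NICK command whose nickname matches the grammar."""
    hits = []
    for line in lines:
        m = NICK_CMD_RE.search(line)
        if not m:
            continue
        parsed = parse_dorkbot_nick(m.group(1))
        if parsed:
            hits.append((line.strip(), parsed))
    return hits


# Constructed sample lines (not a real capture).
SAMPLE_LOG = [
    "2012-01-25T10:00:01Z 192.0.2.10 -> 198.51.100.5:6667 NICK n{US|XPa}xkfnalw",
    "2012-01-25T10:00:01Z 192.0.2.10 -> 198.51.100.5:6667 USER xkfnalw 0 * :xkfnalw",
    "2012-01-25T10:02:17Z 192.0.2.11 -> 198.51.100.5:6667 NICK n{RU|W7u}q8bz1m",
    "2012-01-25T10:03:00Z 192.0.2.12 -> 198.51.100.9:6667 NICK alice_",
    "2012-01-25T10:04:42Z 192.0.2.13 -> 198.51.100.5:6667 NICK n{US|XP}badform",  # no user-type letter
]

if __name__ == "__main__":
    for line, fields in scan_irc_log(SAMPLE_LOG):
        role = "admin" if fields["admin"] else "user"
        print(f"Dorkbot-style nick ({fields['country']}, {fields['os']}, {role}): {line}")
```

The user-type field is worth surfacing in an alert: an 'a' nickname means the bot is running with administrator privileges, which the write-up notes lets it inject into more processes.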

The worm can accept commands from the attacker to perform one or more of the following:

  • Download a file from a specified URL and execute it on the affected computer
  • Update its main executable from a specified URL and wait until the next restart to execute (or, if specified in the command, restart immediately)
  • Collect logon information and passwords via form grabbing, and from FTP, POP3, Internet Explorer and Firefox cached logon details
  • Block or redirect certain domains and websites
  • Show infection statistics
  • Launch and stop denial of service (SYN and UDP flood) attacks
  • Spread via USB, instant messaging, and social networks
  • Change Windows Live Messenger and HTTP spreading message
  • Report back information about the bot


If logging is enabled by the attacker, every command executed is logged and sent to the IRC server and displayed in the IRC channel where the bot is connected.

Hooks APIs

Win32/Dorkbot hooks several APIs for various purposes, such as hiding its components (like registry entries and dropped file and process names), spreading and sniffing usernames and passwords. Some examples that we have observed Win32/Dorkbot hooking in the wild are:

  • CopyFileA/W
  • CreateFileA/W
  • DeleteFileA/W
  • DnsQuery_A/W
  • GetAddrInfoW
  • HttpSendRequestA/W
  • InternetWriteFile
  • LdrLoadDll
  • MoveFileA/W
  • NtEnumerateValueKey
  • NtQueryDirectoryFile
  • NtResumeThread
  • PR_Write
  • RegCreateKeyExA/W
  • send
  • URLDownloadToFileA/W


Deletes files

Win32/Dorkbot contains instructions to delete downloaded and executed files after reboot. It needs this feature to be turned on by the attacker. After installation, the worm deletes its initial dropper executable.

Removes arbitrary files

The worm uses "behavior monitoring" to identify and delete files that appear to communicate via Internet Relay Chat (IRC) or exhibit worm behavior such as spreading via removable drives or USB media.

Modifies files

The worm can be instructed to overwrite the following files in order to hinder malware diagnosis and removal:

  • regsvr32.exe
  • cmd.exe
  • rundll32.exe
  • regedit.exe
  • verclsid.exe
  • ipconfig.exe


Steals sensitive information

Win32/Dorkbot is capable of intercepting Internet browser communications with various websites, and obtaining sensitive information. This is done by hooking various APIs within Firefox and Internet Explorer. The worm can also target FTP credentials.

Win32/Dorkbot variants target the following websites from which to steal usernames and passwords:

  • 4shared
  • AOL
  • Alertpay
  • Bcointernacional
  • BigString
  • Brazzers
  • Depositfiles
  • DynDNS
  • Facebook
  • Fastmail
  • Fileserve
  • Filesonic
  • Freakshare
  • GMX
  • Gmail
  • Godaddy
  • Hackforums
  • Hotfile
  • IKnowThatGirl
  • Letitbit
  • LogMeIn
  • Mediafire
  • Megaupload
  • Moneybookers
  • Moniker
  • Namecheap
  • Netflix
  • Netload
  • NoIP
  • OfficeBanking
  • Oron
  • PayPal
  • Runescape
  • Sendspace
  • Sms4file
  • Speedyshare
  • Steam
  • Thepiratebay
  • Torrentleech
  • Twitter
  • Uploaded
  • Uploading
  • Vip-file
  • Whatcd
  • Yahoo
  • YouPorn
  • YouTube
  • eBay


Infects websites

The worm may be ordered to log into a remote FTP server and infect various HTML files by adding an IFrame. This action may facilitate the worm's spreading function.

Blocks access to security websites

Variants of the worm may be ordered to block user access to sites with the following strings in their domain:

  • avast
  • avg
  • avira
  • bitdefender
  • bullguard
  • clamav
  • comodo
  • emsisoft
  • eset
  • fortinet
  • f-secure
  • garyshood
  • gdatasoftware
  • heck.tc
  • iseclab
  • jotti
  • kaspersky
  • lavasoft
  • malwarebytes
  • mcafee
  • onecare.live
  • norman
  • norton
  • novirusthank
  • onlinemalwarescanner
  • pandasecurity
  • precisesecurity
  • sophos
  • sunbeltsoftware
  • symante
  • threatexpert
  • trendmicro
  • virscan
  • virus
  • virusbuster.nprotect
  • viruschief
  • virustotal
  • webroot


The worm may also download an additional or updated domain list from a remote website.

Additional information

On execution, the worm performs a self-integrity check. If the check fails, it displays a message box and attempts to corrupt the hard drive by writing garbage data to it.



It also creates a mutex to avoid running multiple instances of itself and to mark its presence. Most variants use "hex-Mutex", but others have been observed using random mutex names such as "t2f-Mutex" and "f4448e25-Mutex".



Analysis by Rex Plantado

Last update 25 January 2012

 
