
Worm:Win32/Dorkbot.AR


First posted on 12 April 2013.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/Dorkbot.AR.

Explanation :



Installation

Worm:Win32/Dorkbot.AR may arrive as a link in an instant message; clicking the link downloads a copy of the worm to your computer. See the Skype section below for more details.

The worm may be present in the %TEMP% directory with a file name of the following format:

skype-img-<MM_DD-YYYY>.exe - for example, skype-img-04_04-2013.exe

When it runs, Worm:Win32/Dorkbot.AR copies itself to the %APPDATA% directory using a randomly generated 16-character file name. In the wild, we have observed the worm using the following file name:

zrjubbofwfmowfzs.exe

It modifies the following registry entry to ensure it runs each time you start your computer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<randomly generated 16-letter string>.exe"
With data: "%APPDATA%\<randomly generated 16-letter string>.exe"

For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "zrjubbofwfmowfzs.exe"
With data: "%AppData%\zrjubbofwfmowfzs.exe"

Spreads via…

Removable and shared drives

Worm:Win32/Dorkbot.AR creates a folder named "snkb0ptz" on every accessible USB and mapped drive and drops the following files into the created folder:

  • ...lnk - the worm's shortcut link
  • ..lnk - the worm's shortcut link
  • desktop.ini
  • snkb0ptz.exe - a copy of the worm
  • subst.lnk - the worm's shortcut link


This looks similar to the following screenshot (image not reproduced here):

An autorun.inf file and the shortcut links all point to the worm copy. When the drive is accessed from a computer with the Autorun feature enabled, the worm is launched automatically.

The three shortcut links also serve to trick you into clicking them, which runs the worm.
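The installation artifacts above (the skype-img file name in %TEMP%, the 16-letter file under %APPDATA% and its HKCU Run value) and the snkb0ptz drop folder on removable drives can be checked with a small triage script. The following is an added example written for this page, not Microsoft's tooling or code from the sample. The one assumption beyond the write-up is that the random 16-character name is lowercase a-z, as in the observed zrjubbofwfmowfzs.exe. The sample registry values, temp file names and the fake drive layout are constructed for offline use; on Windows the script also reads the real Run key and %TEMP%.

```python
import ntpath
import os
import re
import tempfile

# Indicators taken from the write-up. The character class for the random
# 16-character file name is an assumption: the only observed sample,
# zrjubbofwfmowfzs.exe, is lowercase a-z.
TEMP_NAME_RE = re.compile(r"^skype-img-\d{2}_\d{2}-\d{4}\.exe$", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[a-z]{16}\.exe$", re.IGNORECASE)
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
USB_FOLDER = "snkb0ptz"
USB_FILES = frozenset({"...lnk", "..lnk", "desktop.ini", "snkb0ptz.exe", "subst.lnk"})


def suspicious_temp_files(names):
    """File names in %TEMP% matching skype-img-<MM_DD-YYYY>.exe."""
    return [n for n in names if TEMP_NAME_RE.match(n)]


def suspicious_run_entries(entries):
    """entries: (value name, data) pairs read from HKCU\\...\\Run.

    A hit is a value named <16 letters>.exe whose data is that same file
    directly under %APPDATA%, either as the unexpanded variable or as an
    expanded ...\\AppData\\Roaming\\ path."""
    hits = []
    for value_name, data in entries:
        if not RANDOM_NAME_RE.match(value_name):
            continue
        parent, base = ntpath.split(data.strip('"'))
        parent_l = parent.lower()
        in_appdata = parent_l == "%appdata%" or parent_l.endswith("\\appdata\\roaming")
        if in_appdata and base.lower() == value_name.lower():
            hits.append((value_name, data))
    return hits


def check_drive_root(root):
    """Look for the worm's drop folder on a removable or mapped drive.

    Returns the subset of the expected drop files present in
    <root>\\snkb0ptz, plus "autorun.inf" if the drive root carries one
    (the write-up says it points at the worm copy)."""
    found = set()
    folder = os.path.join(root, USB_FOLDER)
    if os.path.isdir(folder):
        found |= USB_FILES & set(os.listdir(folder))
    if os.path.isfile(os.path.join(root, "autorun.inf")):
        found.add("autorun.inf")
    return found


def build_sample_drive(infected=True):
    """Constructed stand-in for a USB stick (empty files only), for offline use."""
    root = tempfile.mkdtemp(prefix="dorkbot_sample_")
    if infected:
        os.mkdir(os.path.join(root, USB_FOLDER))
        for name in USB_FILES:
            open(os.path.join(root, USB_FOLDER, name), "wb").close()
        open(os.path.join(root, "autorun.inf"), "wb").close()
    return root


# Constructed sample data: the page's own example, a benign entry, and a
# random-looking name that does not live under %APPDATA%.
SAMPLE_RUN_ENTRIES = [
    ("zrjubbofwfmowfzs.exe", r"%AppData%\zrjubbofwfmowfzs.exe"),
    ("OneDrive", r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("abcdefghijklmnop.exe", r"C:\Program Files\Vendor\abcdefghijklmnop.exe"),
]
SAMPLE_TEMP_FILES = ["skype-img-04_04-2013.exe", "tmp1234.tmp", "skype-img-2013.exe"]


def live_run_entries():
    """Read the real HKCU Run key (Windows only)."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            entries.append((name, str(data)))
            i += 1
    return entries


if __name__ == "__main__":
    print("temp hits:", suspicious_temp_files(SAMPLE_TEMP_FILES))
    print("run hits:", suspicious_run_entries(SAMPLE_RUN_ENTRIES))
    print("drive hits:", sorted(check_drive_root(build_sample_drive())))
    if os.name == "nt":
        print("live run hits:", suspicious_run_entries(live_run_entries()))
        print("live temp hits:", suspicious_temp_files(os.listdir(os.environ.get("TEMP", "."))))
```

The Run-key check deliberately requires both conditions (16-letter value name and a matching file directly under %APPDATA%); a random-looking name alone is common in legitimate software, and the write-up ties the persistence entry to that exact location.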

Skype

Worm:Win32/Dorkbot.AR can spread via Skype by downloading and installing another malware component; see the Payload section below for more details.

This malware component uses the Skype APIs to send a malicious link to all your Skype contacts at a specified time interval. If a contact receives and visits the link, Win32/Dorkbot is downloaded onto their computer.

The message may differ based on your current location and locale; one example is shown below (screenshot not reproduced here):

Payload

Contacts remote Internet Relay Chat server

Worm:Win32/Dorkbot.AR generates an IRC 'nickname' by combining the country code, operating system version, user-type and a random string, using the following format:

n{<country code>-<OS version><user type>}<8 random characters>

For example, n{USA-XPx86a}gdpgqxjy

where:

  • Operating system version can be any of the following: XP, 2K3, VIS, 2K8, W7, ERR (Error)
  • Country code is the three-letter country code (for example, US - USA, RU - RUS, etc.)
  • User-type is either 'a' (administrator) or 'u' (user)

Note that the observed example also carries an architecture token (x86) between the OS version and the user type.


Using the generated 'nickname' and the IRC server information from its internal configuration, it connects to the IRC server to retrieve further data or infection parameters, such as a download link, MSN or Skype message text, and other information.

Worm:Win32/Dorkbot.AR connects to an IRC server, joins a channel and waits for commands. In the wild, we have observed the worm contacting the following IRC servers using TCP port 9000:

  • f.eastmoon.pl
  • gigasbh.org
  • gigasphere.su
  • h.opennews.su
  • o.dailyradio.su
  • photobeat.su
  • s.richlab.pl
  • uranus.kei.su
  • xixbh.com
  • xixbh.net

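The nickname format and the C2 host list above translate directly into detection logic for IRC traffic and connection logs. The following is an added example for this page, not code from the sample or from Microsoft. The IRC and connection log lines are constructed, and two details are assumptions not stated in the write-up: the optional architecture token (x86 as in the page's example, x64 added by analogy) and the random tail being lowercase a-z.

```python
import re

# Nickname format given in the write-up:
#   n{<country code>-<OS version><user type>}<8 random characters>
# The observed sample, n{USA-XPx86a}gdpgqxjy, also carries an architecture
# token (x86) between the OS version and the user type, so the pattern
# accepts an optional one. Assumptions not on the page: the architecture
# token is x86 or x64, and the random tail is lowercase a-z.
NICK_RE = re.compile(
    r"^n\{(?P<cc>[A-Z]{3})-(?P<os>XP|2K3|VIS|2K8|W7|ERR)"
    r"(?P<arch>x86|x64)?(?P<user>[au])\}(?P<rand>[a-z]{8})$"
)
USER_TYPES = {"a": "administrator", "u": "user"}

# C2 hosts and port observed in the wild, from the write-up.
C2_HOSTS = frozenset({
    "f.eastmoon.pl", "gigasbh.org", "gigasphere.su", "h.opennews.su",
    "o.dailyradio.su", "photobeat.su", "s.richlab.pl", "uranus.kei.su",
    "xixbh.com", "xixbh.net",
})
C2_PORT = 9000


def parse_nick(nick):
    """Split a Dorkbot-style nickname into its fields, or return None."""
    m = NICK_RE.match(nick)
    if not m:
        return None
    fields = m.groupdict()
    fields["user"] = USER_TYPES[fields["user"]]
    return fields


def flag_irc_nick_lines(lines):
    """Find IRC NICK commands carrying a Dorkbot-style nickname.

    lines: raw client->server IRC lines (from a proxy log or a packet capture).
    Returns (line number, parsed fields) for each hit."""
    hits = []
    for no, line in enumerate(lines, 1):
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0].upper() == "NICK":
            fields = parse_nick(parts[1])
            if fields:
                hits.append((no, fields))
    return hits


# Connection-log field layout is constructed for this example (dst=host:port).
CONN_RE = re.compile(r"dst=(?P<host>[\w.-]+):(?P<port>\d+)")


def flag_connections(lines):
    """Flag connections to a listed C2 host (strong); a connection to an
    unlisted host on TCP 9000 is reported separately as weaker evidence."""
    strong, weak = [], []
    for no, line in enumerate(lines, 1):
        m = CONN_RE.search(line)
        if not m:
            continue
        host, port = m["host"].lower(), int(m["port"])
        if host in C2_HOSTS:
            strong.append((no, host, port))
        elif port == C2_PORT:
            weak.append((no, host, port))
    return strong, weak


# Constructed sample traffic for offline use.
SAMPLE_IRC = [
    "NICK n{USA-XPx86a}gdpgqxjy",
    "USER x 0 * :x",
    "NICK alice",
    "nick n{RUS-W7u}kqzmvbta",
]
SAMPLE_CONN = [
    "2013-04-12T10:01:02Z src=10.0.0.5:49152 dst=gigasphere.su:9000 proto=tcp",
    "2013-04-12T10:01:05Z src=10.0.0.5:49153 dst=www.example.com:443 proto=tcp",
    "2013-04-12T10:02:11Z src=10.0.0.7:50001 dst=irc.example.org:9000 proto=tcp",
    "2013-04-12T10:03:40Z src=10.0.0.9:50320 dst=XIXBH.NET:6667 proto=tcp",
]

if __name__ == "__main__":
    for no, fields in flag_irc_nick_lines(SAMPLE_IRC):
        print(f"line {no}: Dorkbot nick {fields}")
    strong, weak = flag_connections(SAMPLE_CONN)
    print("C2 host contacts:", strong)
    print("port 9000 to unlisted hosts:", weak)
```

The host match is case-insensitive and independent of port, since the page only reports port 9000 as what was observed; port 9000 alone is kept as a weaker signal so that a sinkholed or rotated C2 domain still surfaces for review.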

It downloads the Skype component from a hotfile.com URL, for example:

hotfile.com/dl/202145748/705bd55/haha.html

Downloads other malware

Win32/Dorkbot.AR downloads a malicious component, detected as Worm:Win32/Skypii.A. This component is responsible for sending messages to your Skype contacts. The message contains a malicious link pointing to a Win32/Dorkbot download URL.

In this way, the worm can infect many users and form a viable botnet for different purposes.

Among the downloaded files is a Bitcoin miner, which is downloaded from:

petewake.com/faf

The Bitcoin miner is saved to the %TEMP% directory as a randomly-named file.

Additional information

This variant creates a mutex named "snkb0ptz" so that only one instance of itself is running on your computer at any one time.

Worm:Win32/Dorkbot.AR may hook the following APIs, probably either for keylogging or for monitoring activity in order to activate the bitcoin mining:

  • kernel32.dll!GetConsoleOutputCP
  • kernel32.dll!GetCurrentDirectoryW
  • kernel32.dll!GetProcessHeap
  • kernel32.dll!lstrcatA
  • user32.dll!BroadcastSystemMessageW
  • user32.dll!GetMessagePos
  • user32.dll!IsCharAlphaNumericW
  • user32.dll!SetRectEmpty
  • user32.dll!VkKeyScanA




Analysis by Rex Plantado

Last update 12 April 2013
