Home / malware Worm:Win32/Dorkbot.I
First posted on 15 February 2019.
Source: MicrosoftAliases :
Worm:Win32/Dorkbot.I is also known as Win-Trojan/Injector.636416.D, W32/Dorkbot.B.gen!Eldorado, Trojan.Injector!mcxcCCeftrA, W32.IRCBot.NG, WORM_DORKBOT.QUN.
Explanation :
Installation
Dorkbot.I can arrive as a link through in an instant message or social network message; the link points to a copy of the worm that can be downloaded and run on your PC. The worm might use any of these file name formats:
facebook-profile-pic--JPEG.exe facebook-pic00 .exe skype_ _foto.exe , where is the day, ,month, and year, for example, skype_06102012_foto.exe skype_ _foto.exe , where is the day, ,month, and year, for example, skype_09-10-2012_image.exe
When run, Dorkbot.I copies itself to the %APPDATA% folder using a randomly generated six letter file name, which is based on the HDD serial number, by calling GetVolumeInformation() API (for example, ozkqke.exe).
It changes the following registry entry to ensure that its copy runs at each Windows start:
In subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionRun
Sets value: ""
With data: "%APPDATA%.exe"
For example:
In subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionRun
Sets value: "ozkqke"
With data: "%APPDATA%ozkqke.exe"
Spreads through…
Removable drives
Dorkbot.I creates a folder named RECYCLER in all the accessible USB drives, and registers it as a Recycle Bin folder. The worm registers a device notification so that it is notified whenever a USB device is plugged into the affected PC. It then copies itself to the USB device, using a variable file name, and creates an Autorun configuration file named autorun.inf pointing to the worm copy. When the drive is accessed from a PC supporting the Autorun feature, the worm is launched automatically.
Instant messaging/Instant relay chat
The worm can be ordered by a malicious hacker using backdoor functionality to spread via instant messaging platforms like Windows Live Messenger, Pidgin chat, Xchat and mIRC.
Messages are sent to all of your contacts. The messages sent, and the frequency at which the messages are sent are configured by the malicious hacker.
Social networks
Dorkbot.I can be ordered to spread via social network services like Facebook, Twitter, Bebo, and Vkontakte (a Russian social network). Similar to instant messaging spreading, the worm will hijack the sent message and replace it with its own message that contains the link to the worm's copy. The number of messages sent before the worm will inject its own message with a malicious link is also configured by the malicious hacker.
Skype
Some Win32/Dorkbot variants can spread via Skype by first downloading and installing another component malware.
The malicious malware component uses the Skype APIs to send a malicious link to all the contacts at a specified time interval. The message that contains the malicious link might look like the following:
If your contact receives and visit the link, Win32/Dorkbot is downloaded into your PC.
The message might be different based on your current location and locale.
Payload
Lets a malicious hacker control your PC
Dorkbot.I connects to an IRC server, joins a channel and waits for commands. In the wild, we have observed the worm using IRC servers on the following domains for this purpose:
shuwhyyu.com lovealiy.com syegyege.com av.shannen.cc
Using this backdoor, a malicious hacker can do a number of different actions on your PC. As well as being able to spread via instant messaging applications, the worm can also be ordered to do the following:
Get information about your PC Protect itself
The worm uses a user-mode rootkit to prevent you from viewing or tampering with its files. This is done by hooking the following functions for all processes inside which it is injected:
NtQueryDirectoryFile NtEnumerateValueKey CopyFileA/W DeleteFileA/W
Injects code
When run, the worm injects code into explorer.exe, as well as to many other running processes on your PC. Note that the number of processes it is capable of injecting into is dependent on whether it has been run with administrator privileges.
Contacts remote host
Dorkbot.I generates an IRC nickname by connecting to api.wipmania, combining the country code, operating system version, user-type and a random string, using the following format:
n{| }
where:
Operating system version - could be any of the following: XP, 2K3, VIS, 2K8, W7, ERR (Error) Country code is a two digit country code (for example US - USA, RU - Russia, etc) User-type is either a (administrator) or u (user)
Example nickname: n{US|XPa}xkfnalw
Using the generated nickname and the IRC server information from its internal configuration, it connects to the IRC server to retrieve further data or infection parameters like download link, Windows Live Messenger message, and domain lists among other information.
Dorkbot.I can accept commands from the malicious hacker to do one or more of the following:
Download a file from specified URL and run it Update its main executable from specified URL and wait until next restart to run (or, if specified in the command, to restart immediately) Collect logons and passwords from form grabbing, FTP, POP3, Internet Explorer and Firefox cached logons Block or redirects certain domains and websites Show infection statistics Launch and stop denial of service (SYN and UDP flood) Spread via USB, instant messaging, and social networks Change Windows Live Messenger and HTTP spreading message Report back information about the bot
If logging is enabled by the malicious hacker, every command is logged and sent to the IRC server and displayed in the IRC channel where the bot is connected.
Hooks APIs
Dorkbot.I hooks several APIs for various purposes, like hiding its components (like registry entries and dropped file and process names), spreading and sniffing usernames and passwords. Some examples that we have observed Dorkbot.I hooking in the wild are:
CopyFileA/W CreateFileA/W DeleteFileA/W DnsQuery_A/W GetAddrInfoW HttpSendRequestA/W InternetWriteFile LdrLoadDll MoveFileA/W NtEnumerateValueKey NtQueryDirectoryFile NtResumeThread PR_Write RegCreateKeyExA/W send URLDownloadToFileA/W
Deletes files
Dorkbot.I contains instructions to delete downloaded and already run files after reboot. It needs this feature to be turned on by the malicious hacker. After installation, Dorkbot.I deletes its initial dropper executable.
Removes files
Dorkbot.I uses behavior monitoring to identify and delete files that appear to communicate via IRC or exhibit worm behavior like spreading via removable drives or USB media.
Overwrites legitimate files
The worm can be instructed to overwrite the following files in order to hinder malware diagnosis and removal:
regsvr32.exe cmd.exe rundll32.exe regedit.exe verclsid.exe ipconfig.exe
Steals sensitive information
The worm is capable of intercepting Internet browser communications with various websites, and obtaining sensitive information. This is done by hooking various APIs within Firefox and Internet Explorer. The worm can also target FTP credentials.
Dorkbot.I targets websites with the following strings in its URL from which to steal user names and passwords:
1and1 4shared Alertpay AOL Bcointernacional BigString Brazzers clave Depositfiles DirectAdmin Dotster DynDNS eBay Enom Facebook Fastmail Fileserve Filesonic Freakshare Gmail GMX Godaddy Hackforums Hotfile IKnowThatGirl Letitbit LogMeIn Mediafire Megaupload Moneybookers Moniker Namecheap Netflix Netload NoIP OfficeBanking Oron PayPal Runescape Sendspace Sms4file Speedyshare Steam Thepiratebay Torrentleech Twitter Uploaded Uploading Vip-file Webnames Whatcd WHMCS Yahoo YouPorn YouTube
It monitors login credentials if you visit a website with any of the URLs:
*.moneybookers.*/*login.pl *1and1.com/xml/config* *4shared.com/login* *:2082/login* *:2083/login* *:2086/login* *:2222/CMD_LOGIN* *alertpay.com/login* *aol.*/*login.psp* *bcointernacional*login* *bigstring.*/*index.php* *clave=* *depositfiles.*/*/login* *dotster.com/*login* *dyndns*/account* *enom.com/login* *facebook.*/login.php* *fastmail.*/mail/* *fileserv.com/login* *filesonic.com/*login* *freakshare.com/login* *gmx.*/*FormLogin* *godaddy.com/login* *google.*/*ServiceLoginAuth* *hackforums.*/member.php *letitbit.net* *login.yahoo.*/*login* *mediafire.com/*login* *megaupload.*/*login* *members*.iknowthatgirl*/members* *members.brazzers.com* *moniker.com/*Login* *namecheap.com/*login* *netflix.com/*ogin* *netload.in/index* *no-ip*/login* *oron.com/login* *Passwd=* *paypal.*/webscr?cmd=_login-submit* *runescape*/*weblogin* *secure.logmein.*/*logincheck* *sendspace.com/login* *signin.ebay*SignIn *sms4file.com/*/signin-do* *speedyshare.com/login* *steampowered*/login* *thepiratebay.org/login* *torrentleech.org/*login* *twitter.com/sessions *uploaded.to/*login* *uploading.com/*login* *vip-file.com/*/signin-do* *webnames.ru/*user_login* *what.cd/login* *whcms*dologin* *youporn.*/login*
where * is any string.
Infects websites
The worm can be ordered to log into a remote FTP server and infect various HTML files by adding an IFrame. This action helps the worm spread.
Blocks access to security websites
The worm can be ordered to block user access to sites with the following strings in their domain:
avast avg avira bitdefender bullguard clamav comodo emsisoft eset fortinet f-secure garyshood gdatasoftware heck.tc iseclab jotti kaspersky lavasoft malwarebytes mcafee onecare.live norman norton novirusthank onlinemalwarescanner pandasecurity precisesecurity sophos sunbeltsoftware symantec threatexpert trendmicro virscan virus virusbuster nprotect viruschief virustotal webroot
The worm might also download additional or updated domain list from a remote website.
Additional information
When run, the worm dos a self-integrity check. If it fails, it shows the message box below and tries to corrupt the hard drive by writing garbage data to the hard drive.
It also creates a mutex to avoid multiple instances of itself, and mark its presence. Most variants use hex-Mutex, but others have been observed using random mutex like t2f-Mutex and f4448e25-Mutex.
Analysis by Rex PlantadoLast update 15 February 2019