Win32/Dorkbot

Encyclopedia entry
Updated: Mar 21, 2013  |  Published: Jun 15, 2011

Aliases
  • Win-Trojan/Injector.636416.D (AhnLab)
  • W32/Dorkbot.B.gen!Eldorado (Command)
  • Trojan.Injector!mcxcCCeftrA (VirusBuster)
  • W32.IRCBot.NG (Symantec)
  • WORM_DORKBOT.QUN (Trend Micro)
  • ngrBot (other)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.


 

Summary

Win32/Dorkbot is a family of IRC-based worms that spreads via removable drives, instant messaging programs, and social networks. Variants of Win32/Dorkbot may capture user names and passwords by monitoring network communication, and may block websites that are related to security updates. It may also launch a limited denial of service (DoS) attack.



 

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    facebook-profile-pic-<random number>-JPEG.exe
    facebook-pic00<random number>.exe
  • The display of the following message:



 

Technical Information (Analysis)

Win32/Dorkbot is a family of IRC-based worms that spreads via removable drives, instant messaging programs, and social networks. Variants of Win32/Dorkbot may capture user names and passwords by monitoring network communication, and may block websites that are related to security updates. It may also launch a limited denial of service (DoS) attack.

Installation

Commonly, Win32/Dorkbot variants may arrive as a link in an instant message or social network message; the link points to a copy of the worm that can be downloaded and executed on the affected user's computer. The worm may be present as the following:

  • facebook-profile-pic-<random number>-JPEG.exe
  • facebook-pic00<random number>.exe
  • skype_<DDMMYYYY>_foto.exe, where <DDMMYYYY> is the day, month, and year, for example, "skype_06102012_foto.exe"
  • skype_<DD-MM-YYYY>_foto.exe, where <DD-MM-YYYY> is the day, month, and year, for example, "skype_09-10-2012_image.exe"

When executed, variants of Win32/Dorkbot may copy themselves to the %AppData% folder using a randomly generated six-letter file name that is derived from the hard disk serial number obtained by calling the GetVolumeInformation() API (for example, "ozkqke.exe").

The worm modifies the following registry entry to ensure that its copy executes at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<randomly generated six letter string>"
With data: "%AppData%\<randomly generated six letter string>.exe"

For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ozkqke"
With data: "%AppData%\ozkqke.exe"

Note: %AppData% refers to a variable location that the malware determines by querying the operating system. The default location of the %AppData% folder is C:\Documents and Settings\<user>\Application Data on Windows 2000, NT and XP, and C:\Users\<user>\AppData\Roaming on Windows Vista and Windows 7.
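The installation indicators above (the lure file names and the six-letter Run-key entry pointing at %AppData%) are easy to check for on a host. The following Python script is an added example, not code from the encyclopedia entry: it matches file names against the documented lure name patterns and flags Run-key values whose name is six lowercase letters and whose data is %AppData%\<same name>.exe, in either the unexpanded or the expanded form. The sample registry values and the user name "alice" are constructed for illustration; on Windows the optional read_live_run_values() reads the real HKCU Run key, and elsewhere it returns an empty dict so the script still runs.

```python
import os
import re

# Lure file names listed in the entry; <random number> / <date> become digit groups.
LURE_NAME_PATTERNS = [
    re.compile(r"^facebook-profile-pic-\d+-JPEG\.exe$", re.IGNORECASE),
    re.compile(r"^facebook-pic00\d+\.exe$", re.IGNORECASE),
    re.compile(r"^skype_\d{8}_foto\.exe$", re.IGNORECASE),
    re.compile(r"^skype_\d{2}-\d{2}-\d{4}_foto\.exe$", re.IGNORECASE),
]

# The dropped copy uses six random lowercase letters, as in the "ozkqke" example.
SIX_LETTER_NAME = re.compile(r"^[a-z]{6}$")


def is_lure_filename(name: str) -> bool:
    """True if a file name matches one of the documented lure names."""
    return any(p.match(name) for p in LURE_NAME_PATTERNS)


def suspicious_run_entries(run_values: dict, appdata: str) -> list:
    """Return Run-key value names that follow the persistence pattern:
    a six-letter value name whose data is %AppData%\\<same name>.exe.
    run_values maps value name -> data as read from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run; appdata is the
    expanded %AppData% path of the user whose hive is being examined."""
    base = appdata.rstrip("\\")
    hits = []
    for name, data in run_values.items():
        if not SIX_LETTER_NAME.match(name):
            continue
        target = data.strip().strip('"').lower()
        # Accept the unexpanded %AppData% form and the expanded profile path.
        expected = {f"%appdata%\\{name}.exe", f"{base}\\{name}.exe".lower()}
        if target in expected:
            hits.append(name)
    return hits


def read_live_run_values() -> dict:
    """On Windows, read the current user's Run key; elsewhere return {}."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


# Constructed sample values for a user "alice"; not taken from a real machine.
SAMPLE_APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "ozkqke": r"%AppData%\ozkqke.exe",
    "qwdlfa": r"C:\Users\alice\AppData\Roaming\qwdlfa.exe",
    "update": r"C:\Program Files\Vendor\update.exe",  # six letters, but not in %AppData%
}

if __name__ == "__main__":
    run_values = read_live_run_values() or SAMPLE_RUN_VALUES
    appdata = os.environ.get("APPDATA", SAMPLE_APPDATA)
    print("suspicious Run entries:", suspicious_run_entries(run_values, appdata))
    for name in ("facebook-profile-pic-4123-JPEG.exe", "skype_06102012_foto.exe", "report.exe"):
        print(name, "->", is_lure_filename(name))
```

The path comparison matters: a six-letter value name alone (such as "update") is common in legitimate software, so only entries whose data resolves to %AppData%\<name>.exe are reported.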

Spreads via…

Removable drives

Win32/Dorkbot may create a folder named “RECYCLER” in all the accessible USB drives, and register it as a Recycle Bin folder. The worm registers a device notification so that it is notified whenever a USB device is plugged into the affected computer. It then copies itself to the USB device, using a variable file name, and creates an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
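The removable-drive behaviour described above (a RECYCLER folder plus an autorun.inf whose launch entry points at the worm copy) can be checked from the defender's side before a drive is trusted. The following Python scanner is an added example, not code from the encyclopedia entry. It parses the [autorun] section, extracts the program named by the open / shellexecute / shell\open\command entries, and reports launch targets that are executables or live under RECYCLER, targets that actually exist on the drive, and any executable inside RECYCLER. build_sample_drive() lays out a constructed temporary directory mimicking such a drive (the SID-like folder name and the placeholder ozkqke.exe stand-in are not real indicators) so the scan runs offline.

```python
import os
import tempfile
from pathlib import Path

# autorun.inf entries that name a program to launch.
AUTORUN_LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun_inf(text: str) -> dict:
    """Parse the [autorun] section of an autorun.inf into {lowercase key: value}."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_target(command: str) -> str:
    """Return the program part of a command line ("quoted path" or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def scan_removable_drive(root: str) -> list:
    """Return human-readable findings for a drive root."""
    findings = []
    root_path = Path(root)
    inf = root_path / "autorun.inf"
    if inf.is_file():
        entries = parse_autorun_inf(inf.read_text(errors="replace"))
        for key in AUTORUN_LAUNCH_KEYS:
            target = entries.get(key)
            if not target:
                continue
            exe = launch_target(target).replace("/", "\\").lstrip("\\")
            if "recycler\\" in exe.lower() or exe.lower().endswith(".exe"):
                findings.append(f"autorun.inf {key}={target}")
            if exe and (root_path / exe.replace("\\", os.sep)).is_file():
                findings.append(f"launch target present on drive: {exe}")
    recycler = root_path / "RECYCLER"
    if recycler.is_dir():
        for exe_path in recycler.rglob("*.exe"):
            findings.append(f"executable inside RECYCLER: {exe_path.relative_to(root_path)}")
    return findings


def build_sample_drive() -> str:
    """Constructed sample: a temp directory laid out like an infected drive.
    The SID-like folder name and ozkqke.exe are placeholders, not real IoCs."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    hidden = Path(root) / "RECYCLER" / "S-1-5-21-0000000000-0000"
    hidden.mkdir(parents=True)
    (hidden / "ozkqke.exe").write_bytes(b"MZ" + b"\0" * 62)  # inert stand-in, not a PE
    (Path(root) / "autorun.inf").write_text(
        "[autorun]\r\n"
        "open=RECYCLER\\S-1-5-21-0000000000-0000\\ozkqke.exe\r\n"
        "shell\\open\\command=RECYCLER\\S-1-5-21-0000000000-0000\\ozkqke.exe\r\n"
        "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    )
    return root


if __name__ == "__main__":
    for finding in scan_removable_drive(build_sample_drive()):
        print(finding)
```

On a real drive, pass the mount point (for example "E:\\" on Windows) to scan_removable_drive(); an empty result means no autorun launch entry and no executable under RECYCLER were found, not that the drive is clean.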

Instant messaging/Internet Relay Chat

Using backdoor functionality (see payload section below), the worm can be ordered by a remote attacker to spread via instant messaging platforms such as Windows Live Messenger, Pidgin chat, Xchat, mIRC, and Skype. It sends messages to all of the affected user's contacts. The messages sent, and the frequency at which the messages are sent are configured by the remote attacker.

Some Win32/Dorkbot variants can spread via Skype by first downloading and installing another malware component (see Payload - Download additional malware).

This malware component uses the Skype APIs to send a malicious link to all of the user's contacts at a specified time interval. The message that contains the malicious link may look like the following:

If a contact receives the message and visits the link, Win32/Dorkbot is downloaded onto their computer.

The message may differ based on your current location and locale.

Social networks

Win32/Dorkbot variants can be ordered to spread via social network services such as Facebook, Twitter, Bebo, and Vkontakte (a Russian social network). Similar to instant messaging spreading, the worm will hijack the sent message and replace it with its own message that contains the link to the worm’s copy. The number of messages sent before the worm will inject its own message with a malicious link is also configured by the remote attacker.

Payload

Allows backdoor access and control

Variants of Win32/Dorkbot may connect to an IRC server, join a channel and wait for commands. In the wild, we have observed the worm utilizing IRC servers on the following domains for this purpose:

  • shuwhyyu.com
  • lovealiy.com
  • syegyege.com
  • av.shannen.cc

Using this backdoor, a remote attacker can perform certain actions.

The worm uses a user-mode rootkit to prevent the affected user from viewing or tampering with its files. This is done by hooking the following functions for all processes inside which it is injected:

  • NtQueryDirectoryFile
  • NtEnumerateValueKey
  • CopyFileA/W
  • DeleteFileA/W

Injects code

When executed, the worm injects code into "explorer.exe", as well as to many other running processes on the affected computer. Note that the number of processes it is capable of injecting into is dependent on whether it has been run with administrator privileges.

Contacts remote host

Win32/Dorkbot generates an IRC 'nickname' by connecting to api.wipmania, combining the country code, operating system version, user-type and a random string, using the following format:

n{<country code>|<OS version><user type>}<random string>

where:

  • Operating system version can be any of the following: XP, 2K3, VIS, 2K8, W7, ERR (error)
  • Country code is a two-letter country code (for example, US for the USA, RU for Russia)
  • User type is either 'a' (administrator) or 'u' (user)

Example 'nickname': n{US|XPa}xkfnalw

Using the generated 'nickname' and the IRC server information from its internal configuration, it connects to the IRC server to retrieve further data or infection parameters such as download link, Windows Live Messenger message, and domain lists among other information.
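The nickname format above is a useful network indicator, because the country code, OS tag and user type are visible in clear text in the IRC NICK registration and in server-prefixed lines. The following Python parser is an added example, not code from the original entry: it extracts those fields from any nick matching n{CC|OSu}<random>, scans raw IRC lines for candidate nicks, and summarizes what was found. The IRC log lines, the channel name and the hosts 10.0.0.5 and 10.0.0.6 are constructed samples; the line shapes assumed are the standard "NICK <nick>" client command and the ":nick!user@host ..." server prefix.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# n{<country code>|<OS version><user type>}<random string>
NICK_RE = re.compile(r"n\{([A-Z]{2})\|(XP|2K3|VIS|2K8|W7|ERR)([au])\}([A-Za-z0-9]+)")


@dataclass
class DorkbotNick:
    nick: str
    country: str
    os_tag: str
    is_admin: bool
    random_suffix: str


def parse_dorkbot_nick(nick: str) -> Optional[DorkbotNick]:
    """Parse one IRC nickname; None if it does not follow the documented format."""
    m = NICK_RE.fullmatch(nick.strip())
    if m is None:
        return None
    country, os_tag, user_type, suffix = m.groups()
    return DorkbotNick(m.group(0), country, os_tag, user_type == "a", suffix)


def find_dorkbot_nicks(irc_lines) -> List[Tuple[int, DorkbotNick]]:
    """Scan raw IRC lines (client NICK commands or server-prefixed lines
    ':nick!user@host ...') and return (1-based line number, parsed nick)."""
    hits = []
    for lineno, line in enumerate(irc_lines, 1):
        candidate = None
        stripped = line.strip()
        if stripped.upper().startswith("NICK "):
            candidate = stripped[5:].strip().lstrip(":")
        elif stripped.startswith(":") and "!" in stripped.split(" ", 1)[0]:
            candidate = stripped[1:].split("!", 1)[0]
        if candidate:
            parsed = parse_dorkbot_nick(candidate)
            if parsed:
                hits.append((lineno, parsed))
    return hits


def summarize(hits: List[Tuple[int, DorkbotNick]]) -> dict:
    """Count parsed nicks by country, OS tag and privilege level for triage."""
    summary = {"by_country": {}, "by_os": {}, "admin": 0, "user": 0}
    for _, n in hits:
        summary["by_country"][n.country] = summary["by_country"].get(n.country, 0) + 1
        summary["by_os"][n.os_tag] = summary["by_os"].get(n.os_tag, 0) + 1
        summary["admin" if n.is_admin else "user"] += 1
    return summary


# Constructed sample traffic; hosts and channel name are placeholders.
SAMPLE_IRC_LOG = """\
NICK n{US|XPa}xkfnalw
USER xkfnalw 0 * :xkfnalw
NICK legit_user
:n{RU|W7u}qpz9ab!u@10.0.0.5 JOIN #chan
PRIVMSG #chan :hello
:n{DE|XPx}bad!u@10.0.0.6 JOIN #chan
"""

if __name__ == "__main__":
    found = find_dorkbot_nicks(SAMPLE_IRC_LOG.splitlines())
    for lineno, nick in found:
        role = "admin" if nick.is_admin else "user"
        print(f"line {lineno}: {nick.nick} -> {nick.country} {nick.os_tag} {role}")
    print(summarize(found))
```

The last sample line carries a user-type character outside 'a'/'u' and is deliberately not reported, so the parser only flags nicks that follow the format exactly; a looser regex would also be worth running as a lower-confidence rule, since the random suffix and delimiters may change between variants.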

The worm can accept commands from the attacker to perform one or more of the following:

  • Download and run an arbitrary file from specified URL
  • Delete the downloaded and executed file the next time the computer restarts (a command called Ruskill; when it is switched on, the downloaded file is deleted)
  • Update its main executable from specified URL and wait until next restart to execute (or, if specified in the command, to restart immediately)
  • Uninstall itself
  • Try to remove other malware that spread via USB drives and that communicate to IRC servers (a command called PDef)
  • Collect logon information and passwords through form grabbing and from FTP, POP3, Internet Explorer and Firefox cached login details
  • Block or redirect certain domains and websites
  • Access certain websites using Internet Explorer, without your knowledge
  • Show infection statistics
  • Launch and stop denial of service (SYN, UDP, or SlowLoris flood) attacks
  • Spread via USB, instant messaging, and social networks
  • Prepare a message via HTTP, instant messaging, or social networks to accompany a link to its copy, to be used to spread itself
  • Report back information about the bot
  • Display bot version information

If logging is enabled by the attacker, every command executed is logged and sent to the IRC server and displayed in the IRC channel where the bot is connected.

Hooks APIs

Win32/Dorkbot hooks several APIs for various purposes, such as hiding its components (like registry entries and dropped file and process names), spreading and sniffing usernames and passwords. Some examples that we have observed Win32/Dorkbot hooking in the wild are:

  • CopyFileA/W
  • CreateFileA/W
  • DeleteFileA/W
  • DnsQuery_A/W
  • GetAddrInfoW
  • HttpSendRequestA/W
  • InternetWriteFile
  • LdrLoadDll
  • MoveFileA/W
  • NtEnumerateValueKey
  • NtQueryDirectoryFile
  • NtResumeThread
  • PR_Write
  • RegCreateKeyExA/W
  • send
  • URLDownloadToFileA/W

Spreads other malware

Because Dorkbot can download and run arbitrary files, other malware has used it as a distribution mechanism. In the wild, Dorkbot has been known to download and run injectors, ransomware, and other malware, including Trojan:Win32/Necurs.

Deletes files

Win32/Dorkbot contains instructions to delete downloaded and executed files after reboot. It needs this feature to be turned on by the attacker. After installation, the worm deletes its initial dropper executable.

Removes arbitrary files

The worm uses “behavior monitoring” to identify and delete files that appear to communicate via Internet Relay Chat (IRC) or exhibit worm behavior such as spreading via removable drives or USB media.

Modifies files

The worm can be instructed to overwrite the following files in order to hinder malware diagnosis and removal:

  • regsvr32.exe
  • cmd.exe
  • rundll32.exe
  • regedit.exe
  • verclsid.exe
  • ipconfig.exe

Steals sensitive information

Win32/Dorkbot is capable of intercepting Internet browser communications with various websites, and obtaining sensitive information. This is done by hooking various APIs within Firefox and Internet Explorer. The worm can also target FTP credentials.

Win32/Dorkbot variants target the following websites from which to steal usernames and passwords:

  • 4shared
  • AOL
  • Alertpay
  • Bcointernacional
  • BigString
  • Brazzers
  • Depositfiles
  • DynDNS
  • Facebook
  • Fastmail
  • Fileserve
  • Filesonic
  • Freakshare
  • GMX
  • Gmail
  • Godaddy
  • Hackforums
  • Hotfile
  • IKnowThatGirl
  • Letitbit
  • LogMeIn
  • Mediafire
  • Megaupload
  • Moneybookers
  • Moniker
  • Namecheap
  • Netflix
  • Netload
  • NoIP
  • OfficeBanking
  • Oron
  • PayPal
  • Runescape
  • Sendspace
  • Sms4file
  • Speedyshare
  • Steam
  • Thepiratebay
  • Torrentleech
  • Twitter
  • Uploaded
  • Uploading
  • Vip-file
  • Whatcd
  • Yahoo
  • YouPorn
  • YouTube
  • eBay

Infects websites

The worm may be ordered to log into a remote FTP server and infect various HTML files by adding an IFrame. This action may facilitate the worm's spreading function.

Blocks access to security websites

Variants of the worm may be ordered to block user access to sites with the following strings in their domain:

  • avast
  • avg
  • avira
  • bitdefender
  • bullguard
  • clamav
  • comodo
  • emsisoft
  • eset
  • fortinet
  • f-secure
  • garyshood
  • gdatasoftware
  • heck.tc
  • iseclab
  • jotti
  • kaspersky
  • lavasoft
  • malwarebytes
  • mcafee
  • onecare.live
  • norman
  • norton
  • novirusthank
  • onlinemalwarescanner
  • pandasecurity
  • precisesecurity
  • sophos
  • sunbeltsoftware
  • symante
  • threatexpert
  • trendmicro
  • virscan
  • virus
  • virusbuster
  • nprotect
  • viruschief
  • virustotal
  • webroot

The worm may also download an additional or updated domain list from a remote website.

Additional information

On execution, it performs a self-integrity check. If the check fails, it shows the message box below and attempts to corrupt the hard drive by writing garbage data to it.

It also creates a mutex to avoid running multiple instances of itself and to mark its presence. Most variants use "hex-Mutex", but others have been observed using random mutex names such as "t2f-Mutex" and "f4448e25-Mutex".

Additional resources

Analysis by Rex Plantado



 

Prevention

Take the following steps to help prevent infection on your computer:
  • Enable a firewall on your computer
  • Get the latest computer updates for all your installed software
  • Use up-to-date antivirus software
  • Limit user privileges on the computer
  • Use caution when opening attachments and accepting file transfers
  • Use caution when clicking on links to webpages
  • Avoid downloading pirated software
  • Protect yourself against social engineering attacks
  • Use strong passwords

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed on your computer. These are usually available from vendor websites. Instructions on how to download the latest versions of some common software are available from the following:

You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software, such as Microsoft Security Essentials, that is updated with the latest signature files. For more information, see 'Consumer security software providers'.

Limit user privileges on the computer

Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allows users to run with the least user privileges. This limits the possibility of attacks by malware and other threats that require administrative privileges to run.

You can configure UAC in your computer to meet your preferences:

Use caution when opening attachments and accepting file transfers

Exercise caution with email and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

Use caution when clicking on links to webpages

Exercise caution with links to webpages that you receive from unknown sources, especially if the links are to a webpage that you are not familiar with, unsure of the destination of, or suspicious of. Malicious software may be installed in your computer simply by visiting a webpage with harmful content.

Avoid downloading pirated software

Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, see 'The risks of obtaining and using pirated software'.

Protect yourself from social engineering attacks

While attackers may attempt to exploit vulnerabilities in hardware or software to compromise a computer, they also attempt to exploit vulnerabilities in human behavior to do the same. When an attacker attempts to take advantage of human behavior to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted computer.

Use strong passwords

Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least eight characters, and combines letters, numbers, and symbols. For more information, see 'Create strong passwords'.



 

Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

Disable Autorun functionality

This threat attempts to spread via removable drives on computers that support Autorun functionality. This is a particularly common method of spreading for many current malware families. For information on disabling Autorun functionality, please see the following article:
http://support.microsoft.com/kb/967715/
