Follow:

 

Win32/Dorkbot


Microsoft security software detects and removes this threat.

This family of worms can steal your user names and passwords by watching what you do online. They can also download other malware and stop you from visiting security-related websites. Some variants can use your PC in a denial of service (DoS) attack.

They spread via infected USB flash drives, or in a malicious link sent though instant messaging programs and social networks.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Protect your email account

This threat tries to hack your email accounts.

You should change your passwords after you've removed this threat:

Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading:

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Win32/Dorkbot variants usually arrive as a link in an instant message or social network message. The link points to a copy of the worm that can be downloaded and run on your PC. The worm might have any of the following file names:

  • facebook-profile-pic-<random number>-JPEG.exe
  • facebook-pic00<random number>.exe
  • skype_<DDMMYYYY>_foto.exe , where <DDMMYYYY> is the day, ,month, and year, for example, "skype_06102012_foto.exe"
  • skype_<DD-MM-YYYY>_foto.exe , where <DD-MM-YYYY> is the day, ,month, and year, for example, "skype_09-10-2012_image.exe"

When it runs, variants of Win32/Dorkbot might copy themselves to the %APPDATA% folder using a randomly-generated six letter file name, which is based on the HDD serial number, by calling the GetVolumeInformation() API (for example, "ozkqke.exe").

The worm changes the following registry entry to ensure that its copy runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<randomly generated six letter string>"
With data: "%APPDATA%\<randomly generated six letter string>.exe"

For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ozkqke"
With data: "%APPDATA%\ozkqke.exe"

Spreads via…

Removable drives

Win32/Dorkbot might create a folder named "RECYCLER" in all accessible USB drives, and registers it as a Recycle Bin folder. The worm registers a device notification so that it is notified whenever you plug a USB device into your PC. It then copies itself to the USB device, using a variable file name, and creates an Autorun configuration file named "autorun.inf" pointing to the worm copy. These autorun.inf files tell the operating system to launch the worm file automatically when the USB drive is accessed from another PC that supports the Autorun feature.

Instant messaging/Instant relay chat

Using backdoor functionality (see Payload - Allows backdoor access and control section below), the worm can be ordered by a remote hacker to spread via instant messaging platforms such as Windows Live Messenger, Pidgin chat, Xchat, mIRC, and Skype. It sends messages to all of your contacts. The messages sent, and the frequency at which the messages are sent are configured by the remote hacker.

Some Win32/Dorkbot variants can spread via Skype by first downloading and installing another component malware (see Payload - Downloads additional malware).

The malicious malware component uses the Skype APIs to send a malicious link to all the contacts at a specified time interval. The message that contains the malicious link might look like the following:

If your contact receives and visit the link, Win32/Dorkbot is downloaded into your PC.

The message might differ based on your current location and locale.

Social networks

Win32/Dorkbot variants can be ordered to spread via social network services such as Facebook, Twitter, Bebo, and Vkontakte (a Russian social network). Similar to instant messaging spreading, the worm will hijack the sent message and replace it with its own message that contains the link to the worm's copy. The number of messages sent before the worm will inject its own message with a malicious link is also configured by the remote hacker.

Payload

Allows backdoor access and control

Variants of Win32/Dorkbot might connect to an IRC server, join a channel and wait for commands. In the wild, we have observed the worm using IRC servers on the following domains for this purpose:

  • av.shannen.cc
  • lovealiy.com
  • shuwhyyu.com
  • syegyege.com

Using this backdoor, a remote hacker can perform certain actions.

The worm uses a user-mode rootkit to prevent you from viewing or tampering with its files. This is done by hooking the following functions for all processes inside which it is injected:

  • DeleteFileA/W
  • CopyFileA/W
  • NtEnumerateValueKey
  • NtQueryDirectoryFile

Injects code

When it runs, the worm injects code into "explorer.exe", as well as to many other running processes on your PC. It might do this to make itself more difficult to detect and remove.

Note that the number of processes it is capable of injecting into is dependent on whether it has been run with administrator privileges.

Contacts remote host

Win32/Dorkbot generates an IRC 'nickname' by connecting to api.wipmania, combining the country code, operating system version, user-type and a random string, using the following format:

n{<country code>|<OS version><user type>}<random string>

where:

  • Operating system version could be any of the following: XP, 2K3, VIS, 2K8, W7, ERR (Error)
  • Country code is a two digit country code (for example US - USA, RU - Russia, etc)
  • User-type is either 'a' (administrator) or 'u' (user)

Example 'nickname': n{US|XPa}xkfnalw

Using the generated 'nickname' and the IRC server information from its internal configuration, it connects to the IRC server to retrieve further data or infection parameters such as download link, Windows Live Messenger message, and domain lists among other information.

The worm can accept commands from the hacker to perform one or more of the following actions:

  • Download and run a file from specified URL
  • Delete the downloaded file the next time you restart your PC (a command called Ruskill; if the command is on, it deletes the file)
  • Update its main executable from specified URL and wait until next restart to run (or, if specified in the command, to restart immediately)
  • Uninstall itself
  • Try to remove other malware that spread via USB drives and that communicate to IRC servers (a command called PDef)
  • Collect log on information and passwords from form grabbing, FTP, POP3, Internet Explorer and Firefox cached login details
  • Block or redirects certain domains and websites
  • Access certain websites using Internet Explorer, without your knowledge
  • Show infection statistics
  • Launch and stop denial of service (SYN,UDP, or SlowLoris flood) attacks
  • Spread via USB, instant messaging, and social networks
  • Prepare a message via HTTP, instant messaging, or social networks to accompany a link to its copy, to be used to spread itself
  • Report back information about the bot
  • Display bot version information

If logging is enabled by the hacker, every command that it runs is logged and sent to the IRC server and displayed in the IRC channel where the bot is connected.

Downloads other malware

Because Dorkbot can download and run files, it has been used by other malware as a distributing mechanism for their malware. In the wild, Dorkbot has been known to download and run injectors, ransomware, and other malware, including Trojan:Win32/Necurs.

Deletes files

Win32/Dorkbot contains instructions to delete files it downloads and runs after reboot. It needs this feature to be turned on by the hacker. After installation, the worm deletes its initial dropper executable.

The worm uses "behavior monitoring" to identify and delete files that appear to communicate via Internet Relay Chat (IRC) or exhibit worm behavior such as spreading via removable drives or USB media.

Overwrites files

The worm can be instructed to overwrite the following files in order to hinder malware diagnosis and removal:

  • regsvr32.exe
  • cmd.exe
  • rundll32.exe
  • regedit.exe
  • verclsid.exe
  • ipconfig.exe

Steals sensitive information

Win32/Dorkbot is capable of intercepting Internet browser communications with various websites, and obtaining sensitive information. This is done by hooking various APIs within Firefox and Internet Explorer. The worm can also target FTP credentials.

Win32/Dorkbot variants target the following websites from which to steal user names and passwords:

  • 4shared
  • Alertpay
  • AOL
  • Bcointernacional
  • BigString
  • Brazzers
  • Depositfiles
  • DynDNS
  • eBay
  • Facebook
  • Fastmail
  • Fileserve
  • Filesonic
  • Freakshare
  • Gmail
  • GMX
  • Godaddy
  • Hackforums
  • Hotfile
  • IKnowThatGirl
  • Letitbit
  • LogMeIn
  • Mediafire
  • Megaupload
  • Moneybookers
  • Moniker
  • Namecheap
  • Netflix
  • Netload
  • NoIP
  • OfficeBanking
  • Oron
  • PayPal
  • Runescape
  • Sendspace
  • Sms4file
  • Speedyshare
  • Steam
  • Thepiratebay
  • Torrentleech
  • Twitter
  • Uploaded
  • Uploading
  • Vip-file
  • Whatcd
  • Yahoo
  • YouPorn
  • YouTube

Infects websites

The worm might be ordered to log into a remote FTP server and infect various HTML files by adding an IFrame. This action may facilitate the worm's spreading function.

Blocks access to security websites

Variants of the worm may be ordered to block user access to sites with the following strings in their domain:

  • avast
  • avg
  • avira
  • bitdefender
  • bullguard
  • clamav
  • comodo
  • emsisoft
  • eset
  • fortinet
  • f-secure
  • garyshood
  • gdatasoftware
  • heck.tc
  • iseclab
  • jotti
  • kaspersky
  • lavasoft
  • malwarebytes
  • mcafee
  • onecare.live
  • norman
  • norton
  • novirusthank
  • onlinemalwarescanner
  • pandasecurity
  • precisesecurity
  • sophos
  • sunbeltsoftware
  • symante
  • threatexpert
  • trendmicro
  • virscan
  • virus
  • virusbuster
  • nprotect
  • viruschief
  • virustotal
  • webroot

The worm may also download an additional or updated domain list from a remote website.

Hooks APIs

Win32/Dorkbot hooks several APIs for various purposes, such as hiding its components (like registry entries and dropped file and process names), spreading and sniffing user names and passwords. Some examples that we have observed Win32/Dorkbot hooking in the wild are:

  • CopyFileA/W
  • CreateFileA/W
  • DeleteFileA/W
  • DnsQuery_A/W
  • GetAddrInfoW
  • HttpSendRequestA/W
  • InternetWriteFile
  • LdrLoadDll
  • MoveFileA/W
  • NtEnumerateValueKey
  • NtQueryDirectoryFile
  • NtResumeThread
  • PR_Write
  • RegCreateKeyExA/W
  • send
  • URLDownloadToFileA/W
Additional information

When it runs, it performs a self-integrity check. If it fails, it shows the message box below and attempts to corrupt the hard drive by writing garbage data to the hard drive.

It also creates a mutex to avoid multiple instances of itself, and mark its presence. Most variants use "hex-Mutex", but others have been observed using random mutexes such as "t2f-Mutex" and"f4448e25-Mutex".

Additional resources

Analysis by Rex Plantado


Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    facebook-profile-pic-<random number>-JPEG.exe
    facebook-pic00<random number>.exe

  • You see the following message:


Prevention


Alert level: Severe
This entry was first published on: Jun 15, 2011
This entry was updated on: May 14, 2014

This threat is also detected as:
  • Win-Trojan/Injector.636416.D (AhnLab)
  • W32/Dorkbot.B.gen!Eldorado (Command)
  • Trojan.Injector!mcxcCCeftrA (VirusBuster)
  • W32.IRCBot.NG (Symantec)
  • WORM_DORKBOT.QUN (Trend Micro)
  • ngrBot (other)