
Worm:Win32/Dorkbot.I


Microsoft security software detects and removes this threat.

This worm can steal usernames and passwords, block websites, and launch a denial of service (DoS) attack.

There is more information in the Win32/Dorkbot family description.




What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:

Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Dorkbot.I can arrive as a link in an instant message or social network message; the link points to a copy of the worm that can be downloaded and run on your PC. The worm might use any of these file name formats:

  • facebook-profile-pic-<random number>-JPEG.exe
  • facebook-pic00<random number>.exe
  • skype_<DDMMYYYY>_foto.exe, where <DDMMYYYY> is the day, month, and year, for example, skype_06102012_foto.exe
  • skype_<DD-MM-YYYY>_foto.exe, where <DD-MM-YYYY> is the day, month, and year, for example, skype_09-10-2012_image.exe

When run, Dorkbot.I copies itself to the %APPDATA% folder using a randomly generated six-letter file name derived from the hard disk volume serial number, which it obtains by calling the GetVolumeInformation() API (for example, ozkqke.exe).

It changes the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<randomly generated six letter string>"
With data: "%APPDATA%\<randomly generated six letter string>.exe"

For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ozkqke"
With data: "%APPDATA%\ozkqke.exe".
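To check a PC for this persistence pattern from the output of the standard reg query command (for example, reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" redirected to a file), the following Python script is an added example written for this page, not Microsoft's tooling; it assumes the four-space column layout that reg query prints and uses constructed sample output.

```python
import re

# Layout of a value line in "reg query" output, as assumed by this example:
# <4 spaces><value name><4 spaces><REG_type><4 spaces><data>
VALUE_LINE_RE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")
SIX_LETTERS_RE = re.compile(r"^[a-z]{6}$", re.IGNORECASE)

def parse_reg_query(output):
    """Yield (name, type, data) for every value line in reg query text."""
    for line in output.splitlines():
        m = VALUE_LINE_RE.match(line)
        if m:
            yield m.group("name"), m.group("type"), m.group("data")

def is_dorkbot_style_entry(name, data):
    """True when the entry follows the pattern described above: a six-letter
    value name whose data is %APPDATA%\\<same name>.exe. As an extension of the
    page's literal form, an already-expanded ...\\AppData\\Roaming\\ path is
    accepted too."""
    if not SIX_LETTERS_RE.match(name):
        return False
    path = data.strip().strip('"').lower()
    if not path.endswith("\\" + name.lower() + ".exe"):
        return False
    return path.startswith("%appdata%\\") or "\\appdata\\roaming\\" in path

def find_suspicious_run_entries(output):
    """Return (name, data) for Run entries matching the Dorkbot.I persistence pattern."""
    return [(n, d) for n, _t, d in parse_reg_query(output) if is_dorkbot_style_entry(n, d)]

# Constructed reg query output (not from a real system); only "ozkqke" should be
# flagged: "Updater" is not six letters and "abcdef" does not live under %APPDATA%.
SAMPLE_REG_QUERY = "\n".join([
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    '    OneDrive    REG_SZ    "C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "    ozkqke    REG_SZ    %APPDATA%\\ozkqke.exe",
    "    Updater    REG_SZ    %APPDATA%\\updater.exe",
    "    abcdef    REG_SZ    C:\\Tools\\abcdef.exe",
])

if __name__ == "__main__":
    for name, data in find_suspicious_run_entries(SAMPLE_REG_QUERY):
        print("suspicious Run entry:", name, "->", data)
```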

Spreads via…

Removable drives

Dorkbot.I creates a folder named RECYCLER in all the accessible USB drives, and registers it as a Recycle Bin folder. The worm registers a device notification so that it is notified whenever a USB device is plugged into the affected PC. It then copies itself to the USB device, using a variable file name, and creates an Autorun configuration file named autorun.inf pointing to the worm copy. When the drive is accessed from a PC supporting the Autorun feature, the worm is launched automatically.
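As an added example (not part of Microsoft's write-up), the following Python parses an autorun.inf taken from a removable drive and flags the layout just described, a launch target inside a RECYCLER folder; the file content and the worm file name hxk2pd.exe are constructed for the example.

```python
# Keys in the [autorun] section that cause a program to be launched.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

def parse_autorun_inf(text):
    """Return the lowercased key -> value map of the [autorun] section.
    A hand-written parser is used so that stray lines a strict INI parser
    would reject do not stop the check."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def autorun_launch_targets(text):
    """Paths that Autorun would execute for this file, in key order."""
    entries = parse_autorun_inf(text)
    return [entries[k] for k in LAUNCH_KEYS if k in entries]

def is_suspicious_autorun(text):
    """Flag the layout described above: an executable launched from a RECYCLER folder."""
    for target in autorun_launch_targets(text):
        t = target.lower().replace("/", "\\").strip('"').lstrip("\\")
        if t.startswith("recycler\\") and t.endswith(".exe"):
            return True
    return False

# Constructed autorun.inf in the shape described above (hxk2pd.exe is made up).
SAMPLE_AUTORUN_INF = """[autorun]
open=RECYCLER\\hxk2pd.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\hxk2pd.exe
"""

# A benign file that only sets a label and an icon.
BENIGN_AUTORUN_INF = "[autorun]\nlabel=Vacation photos\nicon=photos.ico\n"
```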

Instant messaging/Internet Relay Chat

The worm can be ordered by a malicious hacker using backdoor functionality to spread via instant messaging platforms like Windows Live Messenger, Pidgin chat, Xchat and mIRC.

Messages are sent to all of your contacts. The message content and the frequency at which messages are sent are configured by the malicious hacker.

Social networks

Dorkbot.I can be ordered to spread via social network services like Facebook, Twitter, Bebo, and Vkontakte (a Russian social network). Similar to instant messaging spreading, the worm will hijack the sent message and replace it with its own message that contains the link to the worm’s copy. The number of messages sent before the worm will inject its own message with a malicious link is also configured by the malicious hacker.

Skype

Some Win32/Dorkbot variants can spread via Skype by first downloading and installing another component malware.

The malicious component uses the Skype APIs to send a malicious link to all of your contacts at a specified time interval. The message that contains the malicious link might look like the following:

If your contact receives the message and visits the link, Win32/Dorkbot is downloaded onto your PC.

The message might be different based on your current location and locale.

Payload

Lets a malicious hacker control your PC

Dorkbot.I connects to an IRC server, joins a channel and waits for commands. In the wild, we have observed the worm using IRC servers on the following domains for this purpose:

  • shuwhyyu.com
  • lovealiy.com
  • syegyege.com
  • av.shannen.cc

Using this backdoor, a malicious hacker can perform a number of actions on your PC. As well as being able to spread via instant messaging applications, the worm can also be ordered to do the following:

  • Get information about your PC
  • Protect itself

The worm uses a user-mode rootkit to prevent you from viewing or tampering with its files. This is done by hooking the following functions for all processes inside which it is injected:

  • NtQueryDirectoryFile
  • NtEnumerateValueKey
  • CopyFileA/W
  • DeleteFileA/W

Injects code

When run, the worm injects code into explorer.exe, as well as into many other running processes on your PC. Note that the number of processes it is capable of injecting into depends on whether it has been run with administrator privileges.

Contacts remote host

Dorkbot.I generates an IRC nickname by connecting to api.wipmania and combining the country code, operating system version, user type, and a random string, using the following format:

n{<country code>|<OS version><user type>}<random string>

where:

  • Operating system version - one of the following: XP, 2K3, VIS, 2K8, W7, ERR (error)
  • Country code - a two-letter country code (for example, US for USA, RU for Russia)
  • User type - either a (administrator) or u (user)

Example nickname: n{US|XPa}xkfnalw

Using the generated nickname and the IRC server information from its internal configuration, it connects to the IRC server to retrieve further data or infection parameters, such as the download link, the Windows Live Messenger message, and domain lists, among other information.
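The nickname format above is a network-level indicator a defender can match in IRC traffic captured at the perimeter. The following Python is an added example, not Microsoft's code; it assumes a log layout of "<src> -> <dst> NICK <nickname>" and runs over constructed lines.

```python
import re

# Field vocabulary from the nickname format above: OS tokens and user-type letters.
OS_TOKENS = ("XP", "2K3", "VIS", "2K8", "W7", "ERR")
NICK_RE = re.compile(
    r"^n\{(?P<cc>[A-Z]{2})\|(?P<os>" + "|".join(map(re.escape, OS_TOKENS)) +
    r")(?P<utype>[au])\}(?P<rand>[A-Za-z0-9]+)$"
)
# Assumed log layout (this example's own): "<src> -> <dst> NICK <nickname>",
# keeping the raw IRC NICK command after the endpoint pair.
LOG_LINE_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) NICK (?P<nick>\S+)$")

def parse_dorkbot_nick(nick):
    """Return the fields of a Dorkbot-style nickname, or None if it does not fit the format."""
    m = NICK_RE.match(nick)
    if not m:
        return None
    return {"country": m.group("cc"), "os": m.group("os"),
            "admin": m.group("utype") == "a", "random": m.group("rand")}

def find_infected_hosts(log_lines):
    """Map each source endpoint that registered a Dorkbot-style nickname to its parsed fields."""
    hits = {}
    for line in log_lines:
        lm = LOG_LINE_RE.match(line.strip())
        if lm:
            fields = parse_dorkbot_nick(lm.group("nick"))
            if fields:
                hits[lm.group("src")] = fields
    return hits

# Constructed sample log lines (not real traffic). The third is an ordinary user
# and the fourth uses an OS token outside the documented set, so neither is flagged.
SAMPLE_LOG = [
    "10.0.0.12:49211 -> 203.0.113.7:6667 NICK n{US|XPa}xkfnalw",
    "10.0.0.15:49300 -> 203.0.113.7:6667 NICK n{RU|W7u}q7h3zz",
    "10.0.0.20:51000 -> 203.0.113.9:6667 NICK alice_dev",
    "10.0.0.21:51010 -> 203.0.113.9:6667 NICK n{US|OSXa}abc",
]

if __name__ == "__main__":
    for host, info in find_infected_hosts(SAMPLE_LOG).items():
        print(host, info)
```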

Dorkbot.I can accept commands from the malicious hacker to do one or more of the following:

  • Download a file from a specified URL and run it
  • Update its main executable from a specified URL and wait until the next restart to run it (or, if specified in the command, restart immediately)
  • Collect logons and passwords by form grabbing and from FTP, POP3, Internet Explorer, and Firefox cached logons
  • Block or redirect certain domains and websites
  • Show infection statistics
  • Launch and stop denial of service (SYN and UDP flood)
  • Spread via USB, instant messaging, and social networks
  • Change Windows Live Messenger and HTTP spreading message
  • Report back information about the bot

If logging is enabled by the malicious hacker, every command is logged and sent to the IRC server and displayed in the IRC channel where the bot is connected.

Hooks APIs

Dorkbot.I hooks several APIs for various purposes, such as hiding its components (registry entries, dropped files, and process names), spreading, and sniffing usernames and passwords. Some examples that we have observed Dorkbot.I hooking in the wild are:

  • CopyFileA/W
  • CreateFileA/W
  • DeleteFileA/W
  • DnsQuery_A/W
  • GetAddrInfoW
  • HttpSendRequestA/W
  • InternetWriteFile
  • LdrLoadDll
  • MoveFileA/W
  • NtEnumerateValueKey
  • NtQueryDirectoryFile
  • NtResumeThread
  • PR_Write
  • RegCreateKeyExA/W
  • send
  • URLDownloadToFileA/W


Deletes files

Dorkbot.I contains instructions to delete downloaded and already-run files after reboot. This feature must be turned on by the malicious hacker. After installation, Dorkbot.I deletes its initial dropper executable.

Removes files

Dorkbot.I uses behavior monitoring to identify and delete files that appear to communicate via IRC or exhibit worm behavior like spreading via removable drives or USB media.

Overwrites legitimate files

The worm can be instructed to overwrite the following files in order to hinder malware diagnosis and removal:

  • regsvr32.exe
  • cmd.exe
  • rundll32.exe
  • regedit.exe
  • verclsid.exe
  • ipconfig.exe

Steals sensitive information

The worm is capable of intercepting Internet browser communications with various websites, and obtaining sensitive information. This is done by hooking various APIs within Firefox and Internet Explorer. The worm can also target FTP credentials.

Dorkbot.I targets websites with the following strings in their URLs, from which it steals user names and passwords:

  • 1and1
  • 4shared
  • Alertpay
  • AOL
  • Bcointernacional
  • BigString
  • Brazzers
  • clave
  • Depositfiles
  • DirectAdmin
  • Dotster
  • DynDNS
  • eBay
  • Enom
  • Facebook
  • Fastmail
  • Fileserve
  • Filesonic
  • Freakshare
  • Gmail
  • GMX
  • Godaddy
  • Hackforums
  • Hotfile
  • IKnowThatGirl
  • Letitbit
  • LogMeIn
  • Mediafire
  • Megaupload
  • Moneybookers
  • Moniker
  • Namecheap
  • Netflix
  • Netload
  • NoIP
  • OfficeBanking
  • Oron
  • PayPal
  • Runescape
  • Sendspace
  • Sms4file
  • Speedyshare
  • Steam
  • Thepiratebay
  • Torrentleech
  • Twitter
  • Uploaded
  • Uploading
  • Vip-file
  • Webnames
  • Whatcd
  • WHMCS
  • Yahoo
  • YouPorn
  • YouTube

It monitors login credentials if you visit a website whose URL matches any of the following patterns:

  • *.moneybookers.*/*login.pl
  • *1and1.com/xml/config*
  • *4shared.com/login*
  • *:2082/login*
  • *:2083/login*
  • *:2086/login*
  • *:2222/CMD_LOGIN*
  • *alertpay.com/login*
  • *aol.*/*login.psp*
  • *bcointernacional*login*
  • *bigstring.*/*index.php*
  • *clave=*
  • *depositfiles.*/*/login*
  • *dotster.com/*login*
  • *dyndns*/account*
  • *enom.com/login*
  • *facebook.*/login.php*
  • *fastmail.*/mail/*
  • *fileserv.com/login*
  • *filesonic.com/*login*
  • *freakshare.com/login*
  • *gmx.*/*FormLogin*
  • *godaddy.com/login*
  • *google.*/*ServiceLoginAuth*
  • *hackforums.*/member.php
  • *letitbit.net*
  • *login.yahoo.*/*login*
  • *mediafire.com/*login*
  • *megaupload.*/*login*
  • *members*.iknowthatgirl*/members*
  • *members.brazzers.com*
  • *moniker.com/*Login*
  • *namecheap.com/*login*
  • *netflix.com/*ogin*
  • *netload.in/index*
  • *no-ip*/login*
  • *oron.com/login*
  • *Passwd=*
  • *paypal.*/webscr?cmd=_login-submit*
  • *runescape*/*weblogin*
  • *secure.logmein.*/*logincheck*
  • *sendspace.com/login*
  • *signin.ebay*SignIn
  • *sms4file.com/*/signin-do*
  • *speedyshare.com/login*
  • *steampowered*/login*
  • *thepiratebay.org/login*
  • *torrentleech.org/*login*
  • *twitter.com/sessions
  • *uploaded.to/*login*
  • *uploading.com/*login*
  • *vip-file.com/*/signin-do*
  • *webnames.ru/*user_login*
  • *what.cd/login*
  • *whcms*dologin*
  • *youporn.*/login*

where * is any string.
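After an infection, the question for a defender is which credentials the form grabber could have captured, so that those accounts are reset first. The following Python is an added example, not Microsoft's code: it translates a handful of the patterns above (only * is a wildcard) into regular expressions and runs them over constructed proxy log lines; case-insensitive matching is an assumption of this example.

```python
import re

# Patterns copied from the list above; only "*" is a wildcard and every other
# character (including "?" in the PayPal entry) is literal.
CREDENTIAL_URL_PATTERNS = [
    "*:2082/login*",
    "*clave=*",
    "*google.*/*ServiceLoginAuth*",
    "*paypal.*/webscr?cmd=_login-submit*",
    "*Passwd=*",
    "*twitter.com/sessions",
]

def wildcard_to_regex(pattern):
    """Anchored regex for a pattern; case-insensitive matching is this example's assumption."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

COMPILED = [(p, wildcard_to_regex(p)) for p in CREDENTIAL_URL_PATTERNS]

def matching_pattern(url):
    """Return the first pattern the URL matches, or None."""
    for pattern, regex in COMPILED:
        if regex.match(url):
            return pattern
    return None

def at_risk_urls(proxy_lines):
    """For '<timestamp> <client> <url>' lines, return (url, pattern) pairs the form grabber would capture."""
    flagged = []
    for line in proxy_lines:
        fields = line.split()
        if len(fields) >= 3:
            pattern = matching_pattern(fields[2])
            if pattern:
                flagged.append((fields[2], pattern))
    return flagged

# Constructed proxy log lines (not real traffic); the /sessions/new and /news
# requests should not be flagged.
SAMPLE_PROXY_LOG = [
    "2012-10-06T10:01:02 10.0.0.12 https://www.paypal.com/webscr?cmd=_login-submit",
    "2012-10-06T10:02:11 10.0.0.12 https://accounts.google.com/ServiceLoginAuth",
    "2012-10-06T10:03:40 10.0.0.12 https://twitter.com/sessions",
    "2012-10-06T10:03:45 10.0.0.12 https://twitter.com/sessions/new",
    "2012-10-06T10:04:00 10.0.0.12 http://host.example.net:2082/login/?user=bob",
    "2012-10-06T10:05:00 10.0.0.12 https://www.example.org/news",
]
```

Note that the two bare patterns *clave=* and *Passwd=* match any URL carrying such a query parameter, regardless of site.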

Infects websites

The worm can be ordered to log into a remote FTP server and infect various HTML files by adding an IFrame. This action helps the worm spread.

Blocks access to security websites

The worm can be ordered to block user access to sites with the following strings in their domain:

  • avast
  • avg
  • avira
  • bitdefender
  • bullguard
  • clamav
  • comodo
  • emsisoft
  • eset
  • fortinet
  • f-secure
  • garyshood
  • gdatasoftware
  • heck.tc
  • iseclab
  • jotti
  • kaspersky
  • lavasoft
  • malwarebytes
  • mcafee
  • onecare.live
  • norman
  • norton
  • novirusthank
  • onlinemalwarescanner
  • pandasecurity
  • precisesecurity
  • sophos
  • sunbeltsoftware
  • symantec
  • threatexpert
  • trendmicro
  • virscan
  • virus
  • virusbuster
  • nprotect
  • viruschief
  • virustotal
  • webroot

The worm might also download an additional or updated domain list from a remote website.

Additional information

When run, the worm does a self-integrity check. If the check fails, it shows the message box below and tries to corrupt the hard drive by writing garbage data to it.

It also creates a mutex to avoid running multiple instances of itself and to mark its presence. Most variants use hex-Mutex, but others have been observed using random mutex names like t2f-Mutex and f4448e25-Mutex.

Analysis by Rex Plantado


Symptoms

The following could indicate that you have this threat on your PC:

  • You have any of these files:
    • facebook-profile-pic-<random number>-JPEG.exe
    • facebook-pic00<random number>.exe
    • skype_<DDMMYYYY>_foto.exe, where <DDMMYYYY> is the day, month, and year, for example, skype_06102012_foto.exe
    • skype_<DD-MM-YYYY>_foto.exe, where <DD-MM-YYYY> is the day, month, and year, for example, skype_09-10-2012_image.exe
  • You see the following error:

  • You might receive a message from a Skype contact that looks similar to the following:


Prevention


Alert level: Severe
First detected by definition: 1.105.2002.0
Latest detected by definition: 1.185.1642.0 and higher
First detected on: Jun 15, 2011
This entry was first published on: Jun 15, 2011
This entry was updated on: Sep 15, 2014

This threat is also detected as:
  • Win-Trojan/Injector.636416.D (AhnLab)
  • W32/Dorkbot.B.gen!Eldorado (Command)
  • Trojan.Injector!mcxcCCeftrA (VirusBuster)
  • W32.IRCBot.NG (Symantec)
  • WORM_DORKBOT.QUN (Trend Micro)