Installation
Worm:Win32/Dorkbot.gen!A copies itself to the %APPDATA% directory using a randomly generated six-letter file name (e.g. "ozkqke.exe"). It modifies the following registry entry to execute this file at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<randomly generated 6 letter string>"
With data: "%appdata%\<randomly generated 6 letter string>.exe"
For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ozkqke"
With data: "%appdata%\ozkqke.exe"
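As an added defender-side example (not part of this entry), the following Python scans Run-key entries in the layout of `reg query` output for the persistence pattern described above: a value name of six lowercase letters whose data is %appdata%\<that name>.exe. The sample output lines are constructed, and treating an already-expanded ...\AppData\Roaming\<name>.exe path as equivalent is an assumption that goes beyond the literal form quoted above.

```python
import re
from typing import List, Tuple

# Constructed sample in the layout of
# `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output.
# These entries are made up for the example; they are not from a real system.
SAMPLE_RUN_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    ozkqke      REG_SZ    %appdata%\ozkqke.exe
    Backup      REG_SZ    C:\Program Files\Backup\backup.exe
    qwerty      REG_SZ    C:\Users\alice\AppData\Roaming\qwerty.exe
    abcdef      REG_SZ    %appdata%\other.exe
"""

# One value line: <name> <REG_type> <data>
VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")
# The worm's value name: exactly six lowercase letters.
SIX_LETTERS = re.compile(r"^[a-z]{6}$")


def parse_run_values(text: str) -> List[Tuple[str, str]]:
    """Return (value_name, data) pairs from reg-query style output."""
    pairs = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            pairs.append((m.group(1), m.group(3)))
    return pairs


def matches_dorkbot_pattern(name: str, data: str) -> bool:
    # Flag when the name is six lowercase letters AND the data is
    # %appdata%\<name>.exe (literal form from the entry) or ends with
    # \AppData\Roaming\<name>.exe (assumed expanded form).
    if not SIX_LETTERS.match(name):
        return False
    path = data.strip().strip('"').lower()
    expected_literal = f"%appdata%\\{name}.exe"
    expected_expanded = f"\\appdata\\roaming\\{name}.exe"
    return path == expected_literal or path.endswith(expected_expanded)


def find_suspicious_run_values(text: str) -> List[str]:
    """Names of Run values matching the pattern, in the order they appear."""
    return [name for name, data in parse_run_values(text)
            if matches_dorkbot_pattern(name, data)]
```

A hit is an indicator worth inspecting, not proof of infection; confirm by checking the referenced file itself.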
Once running, the worm injects code into explorer.exe, as well as into many other running processes on the affected PC. Note that the number of processes it is capable of injecting into depends on whether it has been run with administrator privileges.
Spreads via…
Removable drives
The worm registers a device notification so that it is notified whenever a USB device is plugged into the computer. The worm then copies itself to the USB device, using a variable file name, and creates an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
Instant messaging/Internet Relay Chat
Using backdoor functionality (see Payload section below), the worm can be ordered by a remote attacker to spread via instant messaging platforms such as MSN, Pidgin chat, Xchat and mIRC. Messages are sent to all of an affected user's contacts. The messages sent, and the frequency at which they are sent, are configured by the remote attacker.
Payload
Allows backdoor access and control
Worm:Win32/Dorkbot.gen!A connects to a particular IRC server, joins a channel and waits for commands. In the wild, we have observed the worm utilizing IRC servers on the following domains for this purpose:
- shuwhyyu.com
- lovealiy.com
- syegyege.com
Using this backdoor, a remote attacker can perform a number of different actions on an affected computer. As well as being able to spread via instant messaging applications (detailed above), the worm can also be ordered to perform the following actions:
- Obtain system information
The worm contacts api.wipmania.com for the affected computer's IP and location. It then collects the affected computer's operating system type, current user privilege level (i.e. whether the current user has administrator rights) and locale.
- Protect itself
The worm can be instructed to prevent the affected user from viewing or tampering with its files. This is done by hooking the following functions in every process into which it has been injected:
NtQueryDirectoryFile
NtEnumerateValueKey
CopyFileA/W
DeleteFileA/W
- Modify system files
The worm can be instructed to overwrite the following files in order to hinder malware diagnosis and removal:
regsvr32.exe
cmd.exe
rundll32.exe
regedit.exe
verclsid.exe
ipconfig.exe
- Steal passwords/sensitive data
The worm is capable of intercepting Internet browser communications with various websites and obtaining sensitive information. This is done by hooking various APIs within Firefox and Internet Explorer. The malware can also target FTP credentials.
- Infect websites
The worm may be ordered to log into a remote FTP server and infect various HTML files by adding an IFrame. This action may facilitate the worm's spreading function.
- Block access to security websites
The worm may be ordered to block user access to sites with the following strings in their domain:
avast.
avg.
avira.
bitdefender.
bullguard.
clamav.
comodo.
emsisoft.
eset.
fortinet.
f-secure.
garyshood.
gdatasoftware.
heck.tc
iseclab.
jotti.
kaspersky.
lavasoft.
malwarebytes.
mcafee.
necare.live.
norman.
norton.
novirusthanks
onlinemalwarescanner.
pandasecurity.
precisesecurity.
sophos.
sunbeltsoftware.
symantec
threatexpert.
trendmicro.
virscan.
virus.
virusbuster.nprotect.
viruschief.
virustotal.
webroot.
Using the backdoor, a remote attacker can also order the worm to:
- Download and execute arbitrary files, including updates
- Visit specified URLs
- Perform DDoS (Distributed Denial of Service) attacks using SYN or UDP floods against specified targets
- Prevent the user from downloading files with the following file extensions:
exe
com
pif
scr
Analysis by Matt McCormack