Win32/Dorkbot [Threat Name]

Win32/Dorkbot.B [Threat Variant Name]

Category worm
Size 172032 B
Detection created May 16, 2011
Signature database version 10000
Aliases Worm.Win32.Ngrbot.gqj (Kaspersky)
  W32/Kolab.gen.p (McAfee)
  Worm:Win32/Dorkbot (Microsoft)
Short description

Win32/Dorkbot.B is a worm that spreads via removable media and via links posted on social networking sites. It also serves as a backdoor and can be controlled remotely over IRC.

Installation

When executed, the worm copies itself into the following location:

  • %appdata%\%variable%.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = "%appdata%\%variable%.exe"

%variable% stands for a string whose content varies from sample to sample.
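A triage check for this persistence layout, added here as an example (it is not ESET's code and not part of the original entry): it flags Run values whose command is an .exe sitting directly in the %APPDATA% root rather than in a subfolder, and marks the stronger case where the value name equals the file's stem, exactly the pairing described above. Because %variable% is random, the check keys on layout, not on a name. The sample Run values are constructed. Enumerating the live key on an infected host is unreliable, since the worm hooks NtEnumerateValueKey in every process it has injected (see the API list under Other information), so read_hkcu_run is meant for a clean host or a post-cleanup verification; otherwise read the user's NTUSER.DAT offline with a hive parser.

```python
import ntpath
import re

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def _executable_path(command):
    """Extract the program path from a Run value: "quoted path" args | path.exe args."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def suspicious_run_entries(run_values, appdata):
    """run_values: {value_name: command} read from HKCU\\...\\Run.
    appdata: the user's %APPDATA% folder (...\\AppData\\Roaming).
    Returns [(value_name, normalized_path, reason)] for executables that live
    directly in the %APPDATA% root; the reason notes when the Run value name
    also equals the file stem, which is the Dorkbot.B layout."""
    appdata = ntpath.normcase(ntpath.normpath(appdata))
    hits = []
    for name, command in run_values.items():
        path = _executable_path(command)
        # expand a literal %appdata% (any case) without re.sub treating the
        # backslashes in the replacement as escapes
        path = re.sub(r"%appdata%", lambda _m: appdata, path, flags=re.IGNORECASE)
        path = ntpath.normcase(ntpath.normpath(path))
        parent, base = ntpath.split(path)
        stem, ext = ntpath.splitext(base)
        if parent != appdata or ext != ".exe":
            continue
        reason = "exe in %APPDATA% root"
        if stem == ntpath.normcase(name):
            reason += ", value name matches file stem"
        hits.append((name, path, reason))
    return hits


def read_hkcu_run():
    """Enumerate HKCU Run values on a live Windows host (Windows only; see the
    caveat above about the NtEnumerateValueKey hook on an infected machine)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # raised when no more values
                break
            values[name] = str(data)
            i += 1
    return values


if __name__ == "__main__":
    import os
    for name, path, reason in suspicious_run_entries(read_hkcu_run(), os.environ["APPDATA"]):
        print(f"{name!r} -> {path}: {reason}")
```

An .exe directly in the %APPDATA% root is unusual for legitimate software, which normally installs under a vendor subfolder, so even the weaker hit deserves a look; the name-equals-stem hit is the layout this entry describes.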


The worm injects its own program code into every running process and runs it there in a new thread, with the following exception:

  • lsass.exe

Spreading on removable media

Win32/Dorkbot.B is a worm that spreads via removable media.


The worm copies itself to the following location:

  • %removabledrive%\RECYCLER\%variable%.exe

%variable% stands for a string whose content varies from sample to sample.


The worm creates the following file:

  • %removabledrive%\RECYCLER.lnk

The file is a shortcut that points to the malicious executable.


The worm may also create the following files:

  • %removabledrive%\%existingfoldername%.lnk

%existingfoldername% stands for the name of a folder already present on the drive, so each such shortcut sits beside, and is easily mistaken for, a real folder.

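A triage of a removable drive for this layout, added here as an example (my code, not ESET's and not part of the original entry): it flags executables under RECYCLER, a RECYCLER.lnk in the drive root, and root-level shortcuts whose name matches a folder that exists on the same drive, and it checks each flagged .lnk against the Shell Link header signature so a renamed file is called out. The drive listing in the test is constructed. Run the scan from a clean machine: the worm hooks NtQueryDirectoryFile in every process it has injected (see Other information), so a listing taken on the infected host may omit the RECYCLER payload.

```python
import ntpath
import os

# First 20 bytes of every Shell Link (.lnk): HeaderSize 0x4C followed by the
# Shell Link CLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")


def triage_removable_listing(entries):
    """entries: iterable of (path relative to the drive root, is_dir, head_bytes),
    head_bytes being the first 20 bytes of a file (b"" for directories).
    Returns [(path, reason)] for items matching the Dorkbot.B drive layout."""
    entries = list(entries)
    dirs = {ntpath.normcase(p) for p, is_dir, _ in entries if is_dir}
    findings = []
    for path, is_dir, head in entries:
        if is_dir:
            continue
        parent, base = ntpath.split(ntpath.normcase(path))
        stem, ext = ntpath.splitext(base)
        if parent == "recycler" and ext == ".exe":
            findings.append((path, "executable dropped under RECYCLER"))
        elif parent == "" and ext == ".lnk":
            note = "" if head.startswith(LNK_MAGIC) else " (content is not a shell link)"
            if stem == "recycler":
                findings.append((path, "RECYCLER.lnk in drive root" + note))
            elif stem in dirs:
                findings.append((path, f"shortcut shadows existing folder {stem!r}" + note))
    return findings


def scan_removable_drive(root):
    """Walk a mounted drive, collect the listing and run the triage."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        rel = "" if rel == "." else rel.replace(os.sep, "\\")
        for d in dirnames:
            entries.append((ntpath.join(rel, d), True, b""))
        for f in filenames:
            with open(os.path.join(dirpath, f), "rb") as fh:
                head = fh.read(len(LNK_MAGIC))
            entries.append((ntpath.join(rel, f), False, head))
    return triage_removable_listing(entries)


if __name__ == "__main__":
    import sys
    drive = sys.argv[1] if len(sys.argv) > 1 else "E:\\"  # hypothetical mount point
    for path, reason in scan_removable_drive(drive):
        print(f"{path}: {reason}")
```

The folder-shadowing rule is the one worth keeping in a generic hunt, since it does not depend on the RECYCLER name and catches the same trick from other USB worms.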
Spreading

The worm also spreads via links posted on social networking sites.


The following social networking sites are affected:

  • Bebo
  • Facebook
  • Friendster
  • Twitter
  • VKontakte

Information stealing

The worm collects sensitive information when the user browses certain web sites.


The worm gathers information related to the following services:

  • 4shared
  • Alertpay
  • AOL
  • Bcointernacional
  • BigString
  • Brazzers
  • Depositfiles
  • DynDNS
  • eBay
  • Facebook
  • Fastmail
  • Fileserve
  • Filesonic
  • Freakshare
  • Gmail
  • GMX
  • Godaddy
  • Hackforums
  • Hotfile
  • IKnowThatGirl
  • Letitbit
  • Live
  • LogMeIn
  • Mediafire
  • Megaupload
  • Moneybookers
  • Moniker
  • Namecheap
  • Netflix
  • Netload
  • OfficeBanking
  • Oron
  • PayPal
  • Runescape
  • Sendspace
  • Sms4file
  • Speedyshare
  • Steam
  • Thepiratebay
  • Torrentleech
  • Twitter
  • Uploading
  • Vip-file
  • Webnames
  • Whatcd
  • Yahoo
  • YouPorn
  • YouTube

The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • POP3 account information
  • FTP account information

The worm sends the gathered information to a remote machine over HTTP.

Other information

The worm serves as a backdoor. It can be controlled remotely.


The worm connects to the following command-and-control servers using the IRC protocol:

  • bt1.yakizzy.com
  • bt1.oyoba.com
  • bt1.divalium.com


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • perform DoS/DDoS attacks
  • spread via removable drives
  • spread via MSN network
  • monitor network traffic
  • modify network traffic
  • redirect network traffic
  • block access to specific websites
  • post messages on social networks
  • insert IFRAME tag(s) into HTML pages with a specific URL pointing to malicious software
  • open a specific URL address
  • set up a proxy server
  • send gathered information

The worm blocks access to any domain whose name contains one of the following substrings. The match is a plain substring test, so short entries such as avg or virus also catch many unrelated sites:

  • avast
  • avg
  • avira
  • bitdefender
  • bullguard
  • clamav
  • comodo
  • emsisoft
  • eset
  • fortinet
  • f-secure
  • garyshood
  • gdatasoftware
  • heck.tc
  • iseclab
  • jotti
  • kaspersky
  • lavasoft
  • malwarebytes
  • mcafee
  • norman
  • norton
  • novirusthanks
  • onecare.live
  • onlinemalwarescanner
  • pandasecurity
  • precisesecurity
  • sophos
  • sunbeltsoftware
  • symante
  • threatexpert
  • trendmicro
  • virscan
  • virus
  • virusbuster.nprotect
  • viruschief
  • virustotal
  • webroot

The worm installs the following API hooks in every process it has injected (all running processes except lsass.exe). Hooks on the directory and registry-value enumeration routines are the usual way to hide the dropped file and the Run entry from tools running on the infected host, which is why an offline examination of the disk and registry hives is more reliable; the DNS and socket hooks implement the domain blocking and credential capture described above:

  • ZwEnumerateValueKey (ntdll.dll)
  • ZwQueryDirectoryFile (ntdll.dll)
  • NtEnumerateValueKey (ntdll.dll)
  • NtQueryDirectoryFile (ntdll.dll)
  • CopyFileA (kernel32.dll)
  • CopyFileW (kernel32.dll)
  • MoveFileA (kernel32.dll)
  • MoveFileW (kernel32.dll)
  • CreateFileA (kernel32.dll)
  • CreateFileW (kernel32.dll)
  • DnsQuery_A (dnsapi.dll)
  • DnsQuery_W (dnsapi.dll)
  • send (ws2_32.dll)
  • getaddrinfo (ws2_32.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetWriteFile (wininet.dll)
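The blocked-substring list and the hooks on DnsQuery_A/W and getaddrinfo together mean that, inside any hooked process, security-vendor hostnames simply fail to resolve. The following added example (mine, not ESET's and not taken from the sample) reproduces the worm's substring match so you can see which names would trigger it, and compares the normal resolver path against a hand-built UDP DNS query that never passes through getaddrinfo or DnsQuery. Assumptions: the resolver 8.8.8.8 is reachable, the variant on the host does not also hook sendto/recvfrom (it is not in the list above), and the packets used in the test are constructed. CDN differences are not flagged; only a local failure or a 0.0.0.0/127.0.0.1 answer where the raw query succeeds counts as tampering.

```python
import random
import socket
import struct

# Substrings the worm matches against hostnames (from the block list above).
BLOCKED_SUBSTRINGS = [
    "avast", "avg", "avira", "bitdefender", "bullguard", "clamav", "comodo",
    "emsisoft", "eset", "fortinet", "f-secure", "garyshood", "gdatasoftware",
    "heck.tc", "iseclab", "jotti", "kaspersky", "lavasoft", "malwarebytes",
    "mcafee", "norman", "norton", "novirusthanks", "onecare.live",
    "onlinemalwarescanner", "pandasecurity", "precisesecurity", "sophos",
    "sunbeltsoftware", "symante", "threatexpert", "trendmicro", "virscan",
    "virus", "virusbuster.nprotect", "viruschief", "virustotal", "webroot",
]
# Answers a hooked resolver commonly returns instead of failing outright.
SINKHOLE_ANSWERS = {"0.0.0.0", "127.0.0.1"}


def worm_would_block(hostname):
    """True if the hostname contains any blocked substring (case-insensitive)."""
    h = hostname.lower()
    return any(s in h for s in BLOCKED_SUBSTRINGS)


def build_query(name, txid):
    """Build a minimal DNS A/IN query packet with RD set and one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data, off):
    """Advance past a (possibly compressed) DNS name starting at offset off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(data, txid):
    """Return (rcode, [IPv4 strings]) from a DNS response; non-A records are skipped."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(data, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def raw_resolve(name, server="8.8.8.8", timeout=3.0):
    """Resolve via a hand-built UDP query (sendto/recvfrom only), bypassing
    getaddrinfo()/DnsQuery(). Assumes the hooks stop at the APIs listed above."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    rcode, addrs = parse_a_records(data, txid)
    return addrs if rcode == 0 else []


def local_resolve(name):
    """Resolve through the normal stack, which the worm hooks."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80, socket.AF_INET)})
    except socket.gaierror:
        return []


def find_tampered(names, local=local_resolve, raw=raw_resolve):
    """Names whose hookable lookup fails or is sinkholed while the raw query
    succeeds. Returns {name: (local_answers, raw_answers)}."""
    tampered = {}
    for name in names:
        loc, ext = local(name), raw(name)
        if ext and (not loc or set(loc) & SINKHOLE_ANSWERS):
            tampered[name] = (loc, ext)
    return tampered


if __name__ == "__main__":
    probes = ["www.virustotal.com", "www.eset.com", "www.malwarebytes.com", "example.com"]
    for host, (loc, ext) in find_tampered(probes).items():
        print(f"{host}: local={loc or 'NONE'} raw={ext}")
```

A hit from a suspect host is strong evidence of resolver tampering; a miss is not proof of a clean host, because a different build may hook more than the APIs listed here. Resolve the same probes from a clean boot for ground truth.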
