Win32/Dorkbot [Threat Name]
Win32/Dorkbot.B [Threat Variant Name]
Category | worm
Size | 172032 B
Aliases | Worm.Win32.Ngrbot.gqj (Kaspersky)
        | W32/Kolab.gen.p (McAfee)
        | Worm:Win32/Dorkbot (Microsoft)
Short description
Win32/Dorkbot.B is a worm that spreads via removable media. The worm serves as a backdoor. It can be controlled remotely.
Installation
When executed, the worm copies itself into the following location:
- %appdata%\%variable%.exe
In order to be executed on every system start, the worm sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable%" = "%appdata%\%variable%.exe"
A string with variable content is used instead of %variable%.
The worm injects its own program code into every running process and runs it there in a new thread, except the following:
- lsass.exe
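The persistence pattern above (a Run value whose data is an .exe placed directly in the %appdata% root and named after the value) is easy to express as a triage rule. The script below is an added example, not code from this page, from ESET or from the worm; the user profile path and the sample Run values are constructed, and the live enumeration is only a convenience wrapper around winreg. The caveat that matters is in the docstring: because the worm hooks NtEnumerateValueKey/ZwEnumerateValueKey in every process it injects, enumerating the live key from an infected session can silently omit the worm's own value.

```python
import ntpath
import re
import sys

# Added triage helper (example code, not from the ESET page or the worm).
# Dorkbot.B persists with a Run value "<name>" = "%appdata%\<name>.exe".
# The rule flags Run values whose data is an .exe directly in the %APPDATA%
# root and whose file stem equals the value name. The profile path and the
# SAMPLE_RUN_VALUES below are constructed sample data.

def _run_value_path(data):
    """Pull the executable path out of a Run value, dropping surrounding
    quotes and any arguments that follow a quoted path."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data

def dorkbot_like_run_entries(entries, appdata=r"C:\Users\victim\AppData\Roaming"):
    """entries: iterable of (value_name, value_data) pairs from a Run key.
    Returns the pairs that match the Dorkbot.B persistence pattern."""
    want = ntpath.normcase(ntpath.normpath(appdata))
    hits = []
    for name, data in entries:
        path = re.sub(r"%appdata%", lambda m: appdata, _run_value_path(data), flags=re.I)
        folder, fname = ntpath.split(path)
        stem, ext = ntpath.splitext(fname)
        if (ntpath.normcase(ntpath.normpath(folder)) == want
                and ext.lower() == ".exe"
                and stem.lower() == name.lower()):
            hits.append((name, data))
    return hits

def live_hkcu_run():
    """Windows only: enumerate the live HKCU Run key.
    Caveat: the worm hooks NtEnumerateValueKey/ZwEnumerateValueKey in every
    process it injects, so an enumeration made from an infected session can
    silently omit the worm's own value. A clean result from the live key is
    not a clean verdict; confirm from a clean boot or by loading the user's
    NTUSER.DAT as an offline hive."""
    import winreg  # only available on Windows
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    entries, i = [], 0
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, i)
        except OSError:
            return entries
        entries.append((name, str(data)))
        i += 1

# Constructed sample Run values: two look like Dorkbot.B, two do not.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("Kjdhsd", r"%appdata%\Kjdhsd.exe"),
    ("Updater", r'"C:\Users\victim\AppData\Roaming\Updater.exe" -silent'),
    ("Vendor", r"C:\Program Files\Vendor\tray.exe"),
]

if __name__ == "__main__":
    source = live_hkcu_run() if sys.platform == "win32" else SAMPLE_RUN_VALUES
    for name, data in dorkbot_like_run_entries(source):
        print(f"suspicious Run value: {name!r} -> {data}")
```

The rule is deliberately narrow (root of %appdata%, stem equal to the value name) so that legitimate per-user updaters living in subfolders do not trip it; widen it only with a second signal such as the file's size (172032 B for this variant) or a missing publisher signature.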
Spreading on removable media
Win32/Dorkbot.B is a worm that spreads via removable media.
The worm copies itself to the following location:
- %removabledrive%\RECYCLER\%variable%.exe
A string with variable content is used instead of %variable%.
The worm creates the following file:
- %removabledrive%\RECYCLER.lnk
The file is a shortcut to the malicious executable.
The worm may also create shortcuts named after folders that already exist on the drive:
- %removabledrive%\%existingfoldername%.lnk
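The removable-drive layout described above (an .exe under RECYCLER, a RECYCLER.lnk, and .lnk files carrying the names of folders that already exist on the drive) can be checked with a short scanner. The script below is an added example, not code from this page, from ESET or from the worm; the sample drive it builds in a temporary directory is constructed data, and the RECYCLER-string search inside the .lnk bodies is a heuristic, not a full ShellLink parse.

```python
import os
import tempfile

# Added triage scanner (example code, not from the ESET page or the worm).
# It looks for the removable-drive layout the page describes: a RECYCLER folder
# holding an .exe, a RECYCLER.lnk, and .lnk files named after folders that
# already exist on the drive. The sample drive built below is constructed data.

# On-disk start of a Windows shortcut: HeaderSize 0x4C followed by the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046} in little-endian form.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

def looks_like_lnk(path):
    with open(path, "rb") as f:
        return f.read(len(LNK_MAGIC)) == LNK_MAGIC

def lnk_mentions(path, needle="RECYCLER"):
    """Heuristic: does the shortcut body contain the needle as ASCII or UTF-16LE?
    Not a full ShellLink parse; a target kept only in the IDList can be missed,
    so treat a miss as 'unknown', not 'clean'."""
    with open(path, "rb") as f:
        data = f.read()
    return needle.encode("ascii") in data or needle.encode("utf-16-le") in data

def scan_drive_root(root):
    """Return sorted (tag, filename) findings for the top level of a drive."""
    findings = []
    recycler = os.path.join(root, "RECYCLER")
    if os.path.isdir(recycler):
        for name in os.listdir(recycler):
            if name.lower().endswith(".exe"):
                findings.append(("exe_in_recycler", os.path.join("RECYCLER", name)))
    top = os.listdir(root)
    folders = {n.lower() for n in top if os.path.isdir(os.path.join(root, n))}
    for name in top:
        full = os.path.join(root, name)
        if not (name.lower().endswith(".lnk") and os.path.isfile(full)):
            continue
        stem = name[:-4].lower()
        if stem == "recycler":
            findings.append(("recycler_lnk", name))
        elif stem in folders:
            # a shortcut carrying the name of a folder that exists on the drive
            findings.append(("folder_name_lnk", name))
        if looks_like_lnk(full) and lnk_mentions(full):
            findings.append(("lnk_points_into_recycler", name))
    return sorted(findings)

def build_sample_drive(base):
    """Constructed sample: a drive root laid out the way Dorkbot.B leaves it."""
    for d in ("RECYCLER", "Photos", "Docs"):
        os.makedirs(os.path.join(base, d))
    with open(os.path.join(base, "RECYCLER", "xkqzj.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)          # stand-in for the worm copy
    target = "RECYCLER\\xkqzj.exe".encode("utf-16-le")
    for stem in ("RECYCLER", "Photos", "Docs"):
        with open(os.path.join(base, stem + ".lnk"), "wb") as f:
            # 76-byte ShellLink header followed by the embedded target string
            f.write(LNK_MAGIC + b"\x00" * (76 - len(LNK_MAGIC)) + target)
    with open(os.path.join(base, "notes.txt"), "w") as f:
        f.write("benign user file\n")

def scan_sample():
    base = tempfile.mkdtemp(prefix="dorkbot_drive_")
    build_sample_drive(base)
    return scan_drive_root(base)

if __name__ == "__main__":
    for tag, name in scan_sample():
        print(f"{tag:28} {name}")
```

Run it against the root of a mounted drive (for example `scan_drive_root("E:\\")`) from a machine that is not itself infected: the worm hooks NtQueryDirectoryFile in injected processes, so directory listings taken on the infected host may not show the RECYCLER contents at all.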
Spreading
The worm is spread via links posted on social networking sites.
The following social networking sites are affected:
- Bebo
- Friendster
- VKontakte
Information stealing
The worm collects sensitive information when the user browses certain web sites.
The worm gathers information related to the following services:
- 4shared
- Alertpay
- AOL
- Bcointernacional
- BigString
- Brazzers
- Depositfiles
- DynDNS
- eBay
- Fastmail
- Fileserve
- Filesonic
- Freakshare
- Gmail
- GMX
- Godaddy
- Hackforums
- Hotfile
- IKnowThatGirl
- Letitbit
- Live
- LogMeIn
- Mediafire
- Megaupload
- Moneybookers
- Moniker
- Namecheap
- Netflix
- Netload
- OfficeBanking
- Oron
- PayPal
- Runescape
- Sendspace
- Sms4file
- Speedyshare
- Steam
- Thepiratebay
- Torrentleech
- Uploading
- Vip-file
- Webnames
- Whatcd
- Yahoo
- YouPorn
- YouTube
The following information is collected:
- login user names for certain applications/services
- login passwords for certain applications/services
- POP3 account information
- FTP account information
The worm attempts to send the gathered information to a remote machine over HTTP.
Other information
The worm serves as a backdoor. It can be controlled remotely.
The worm connects to the following addresses:
- bt1.yakizzy.com
- bt1.oyoba.com
- bt1.divalium.com
The IRC protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- perform DoS/DDoS attacks
- spread via removable drives
- spread via MSN network
- monitor network traffic
- modify network traffic
- redirect network traffic
- block access to specific websites
- post messages on social networks
- insert IFRAME tag(s) into HTML pages with a specific URL pointing to malicious software
- open a specific URL address
- set up a proxy server
- send gathered information
The worm blocks access to any domain whose name contains one of the following strings:
- avast
- avg
- avira
- bitdefender
- bullguard
- clamav
- comodo
- emsisoft
- eset
- fortinet
- f-secure
- garyshood
- gdatasoftware
- heck.tc
- iseclab
- jotti
- kaspersky
- lavasoft
- malwarebytes
- mcafee
- norman
- norton
- novirusthanks
- onecare.live
- onlinemalwarescanner
- pandasecurity
- precisesecurity
- sophos
- sunbeltsoftware
- symante
- threatexpert
- trendmicro
- virscan
- virus
- virusbuster.nprotect
- viruschief
- virustotal
- webroot
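The rule above is a substring match on the whole host name, not a suffix match on a registrable domain, which has two practical consequences: very short entries such as `avg`, `eset`, `norman` and `virus` also catch unrelated names (`reset.example.net`, `normandy.example.org`, `coronavirus.example.org`), and the block is enforced from within the hooked resolver APIs, so a query that never calls them is not filtered. The script below is an added example, not code from this page, from ESET or from the worm. `blocked_by()` reproduces the page's rule; `build_a_query()`/`parse_a_answers()` resolve a name with a hand-built DNS packet over a plain UDP socket. The resolver address, the assumption that the block sits in the DnsQuery_*/getaddrinfo hooks, and the response built by `constructed_response()` are all assumptions or constructed data.

```python
import random
import socket
import struct

# Added example (not code from the ESET page or the worm). blocked_by() mirrors
# the substring rule the page describes; the DNS helpers let you resolve a name
# without calling the DnsQuery_*/getaddrinfo APIs the worm hooks. The resolver
# address and the reply produced by constructed_response() are assumptions.

BLOCKED_SUBSTRINGS = [
    "avast", "avg", "avira", "bitdefender", "bullguard", "clamav", "comodo",
    "emsisoft", "eset", "fortinet", "f-secure", "garyshood", "gdatasoftware",
    "heck.tc", "iseclab", "jotti", "kaspersky", "lavasoft", "malwarebytes",
    "mcafee", "norman", "norton", "novirusthanks", "onecare.live",
    "onlinemalwarescanner", "pandasecurity", "precisesecurity", "sophos",
    "sunbeltsoftware", "symante", "threatexpert", "trendmicro", "virscan",
    "virus", "virusbuster.nprotect", "viruschief", "virustotal", "webroot",
]

def blocked_by(hostname, blocklist=BLOCKED_SUBSTRINGS):
    """Return the first blocklist string found anywhere in the lowercased host
    name, or None. It is a substring test on the whole name, not a suffix
    test on the registrable domain, so unrelated names can match too."""
    h = hostname.lower().rstrip(".")
    return next((s for s in blocklist if s in h), None)

def build_a_query(name, txid):
    """Minimal DNS A query: header with RD set, one question, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_a_answers(msg, txid):
    """Return (rcode, [ipv4 strings]) from a response to our query."""
    rid, flags, qd, an, _, _ = struct.unpack_from(">HHHHHH", msg, 0)
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, ips

def resolve_raw(name, resolver="9.9.9.9", timeout=3.0):
    """Live check over a plain UDP socket. Assumption: the block is enforced
    inside the hooked resolver APIs, so a query that never calls them sees the
    real answer even from an injected process (sendto is not on the page's
    hook list; send is). Compare with socket.gethostbyname(name) on the same
    host: a name that resolves here but fails there is being filtered."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(512)
    return parse_a_answers(data, txid)

def constructed_response(name, txid, ip="198.51.100.7", ttl=60):
    """Constructed sample answer, shaped like a real resolver's reply."""
    q = build_a_query(name, txid)
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = (b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4)
              + bytes(int(x) for x in ip.split(".")))
    return header + q[12:] + answer

if __name__ == "__main__":
    for h in ("www.virustotal.com", "reset.example.net",
              "coronavirus.example.org", "example.com"):
        print(f"{h:28} blocked by: {blocked_by(h)}")
    print(parse_a_answers(constructed_response("www.virustotal.com", 0x1234), 0x1234))
```

The collateral matches are useful in their own right: asking an infected host to resolve a harmless name such as `reset.example.net` through the normal resolver and watching it fail is a cheap indicator that does not require touching a vendor domain the operator may be monitoring.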
The worm hooks the following Windows APIs:
- ZwEnumerateValueKey (ntdll.dll)
- ZwQueryDirectoryFile (ntdll.dll)
- NtEnumerateValueKey (ntdll.dll)
- NtQueryDirectoryFile (ntdll.dll)
- CopyFileA (kernel32.dll)
- CopyFileW (kernel32.dll)
- MoveFileA (kernel32.dll)
- MoveFileW (kernel32.dll)
- CreateFileA (kernel32.dll)
- CreateFileW (kernel32.dll)
- DnsQuery_A (dnsapi.dll)
- DnsQuery_W (dnsapi.dll)
- send (ws2_32.dll)
- getaddrinfo (ws2_32.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestW (wininet.dll)
- InternetWriteFile (wininet.dll)