Installation
When it runs, Worm:Win32/Dorkbot.A copies itself to the %APPDATA% directory using a randomly generated six-letter file name (for example, "ozkqke.exe").
It modifies the following registry entry to ensure that it runs each time you start your computer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<randomly generated six letter string>"
With data: "%appdata%\<malware file name>.exe"
For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ozkqke"
With data: "%appdata%\ozkqke.exe"
Once running, the worm injects code into "explorer.exe", as well as into many other running processes on your computer. Note that the number of processes it is capable of injecting into depends on whether the currently logged-on user is running with Administrator privileges. Malware often does this in order to hide itself from security software.
Spreads via…
USB flash drives
The worm registers a device notification so that it is notified whenever a USB flash drive is plugged into your computer. The worm then copies itself to the drive, using a variable file name, and creates an Autorun configuration file named "autorun.inf" pointing to the malware. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
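The two host-side artifacts described above (the HKCU Run value whose name matches the %appdata% executable, and the autorun.inf dropped on removable drives) can be checked with a short triage script. This is an added example, not part of the original write-up; the sample Run entries and autorun.inf are constructed, and the only live system access is the optional winreg read of the Run key on Windows.

```python
import re, sys

# Persistence indicators from the write-up: a random six-letter Run value name whose data is "%appdata%\<same six letters>.exe".
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SIX_LETTERS = re.compile(r"^[a-z]{6}$", re.IGNORECASE)
APPDATA_EXE = re.compile(r'^"?%appdata%\\([a-z]{6})\.exe"?$', re.IGNORECASE)

# Constructed sample data for the demonstration (not taken from an infected host).
SAMPLE_RUN_ENTRIES = [("OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
                      ("ozkqke", r'"%appdata%\ozkqke.exe"')]
SAMPLE_AUTORUN_INF = "[autorun]\nopen=ozkqke.exe\nicon=ozkqke.exe\naction=Open folder to view files\n"

def suspicious_run_entries(entries):
    """Return (name, data) pairs whose value name equals the exe basename under %appdata%."""
    hits = []
    for name, data in entries:
        m = APPDATA_EXE.match(str(data).strip())
        if SIX_LETTERS.match(name) and m and m.group(1).lower() == name.lower():
            hits.append((name, data))
    return hits

def autorun_launch_targets(inf_text):
    """Return what an autorun.inf would launch: its open=, shellexecute= and shell\\...\\command= keys."""
    targets, in_autorun = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, value = (s.strip() for s in line.split("=", 1))
            k = key.lower()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
                targets[k] = value
    return targets

def collect_run_entries():
    """Enumerate the HKCU Run key with winreg on Windows; returns [] on other platforms."""
    if not sys.platform.startswith("win"):
        return []
    import winreg
    entries, i = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                return entries
            entries.append((name, data))
            i += 1
```

On a Windows host, `suspicious_run_entries(collect_run_entries())` flags matching Run values, and `autorun_launch_targets(open(r"E:\autorun.inf").read())` shows what a suspect removable drive would execute under Autorun.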
Instant messaging/Internet Relay Chat (IRC)
Using backdoor functionality, the worm can be ordered by a hacker to spread via instant messaging platforms such as MSN, Pidgin chat, Xchat and mIRC. Messages are sent to all of your contacts. The messages sent, and the frequency at which they are sent, are configured by the hacker.
Payload
Allows backdoor access and control
Worm:Win32/Dorkbot.A connects to a particular IRC server, joins a channel and waits for commands. In the wild, we have observed the worm using IRC servers on the following domains for this purpose:
- lovealiy.com
- shuwhyyu.com
- syegyege.com
Using this backdoor, a hacker can perform a number of different actions on your computer. As well as being able to spread via instant messaging applications, the worm can also be ordered to perform the following actions:
- Get information about your computer
The worm contacts "api.wipmania.com" for your computer's IP and location. It then collects your computer's operating system type, current user privilege level (for example, whether you have administrator rights) and locale.
- Protect itself
The worm can be instructed to prevent you from viewing or tampering with its files. This is done by hooking the following functions for all processes inside which it is injected:
- CopyFileA/W
- DeleteFileA/W
- NtEnumerateValueKey
- NtQueryDirectoryFile
- Change your computer's files; the worm can be instructed to overwrite the following files in order to prevent itself from being detected and removed:
- cmd.exe
- ipconfig.exe
- regedit.exe
- regsvr32.exe
- rundll32.exe
- verclsid.exe
- Steal passwords/sensitive data; the worm is capable of intercepting Internet browser communications with various websites and obtaining sensitive information. This is done by hooking various APIs within Firefox and Internet Explorer. The malware can also target FTP credentials.
- Infect websites; the worm may be ordered to log into a remote FTP server and infect various HTML files by adding an IFrame; this action may help the worm to spread.
- Block access to security websites; the worm may be ordered to block user access to sites with the following strings in their domain:
- avast.
- avg.
- avira.
- bitdefender.
- bullguard.
- clamav.
- comodo.
- emsisoft.
- eset.
- fortinet.
- f-secure.
- garyshood.
- gdatasoftware.
- heck.tc
- iseclab.
- jotti.
- kaspersky.
- lavasoft.
- malwarebytes.
- mcafee.
- necare.live.
- norman.
- norton.
- novirusthanks
- onlinemalwarescanner.
- pandasecurity.
- precisesecurity.
- sophos.
- sunbeltsoftware.
- symantec
- threatexpert.
- trendmicro.
- virscan.
- virus.
- virusbuster.nprotect.
- viruschief.
- virustotal.
- webroot.
Using the backdoor, a hacker can also order the worm to:
- Download and run files, including updates
- Visit specified URLs
- Perform DDoS (Distributed Denial of Service) attacks using SYN or UDP floods against a specified target
- Stop you from downloading files with the following file extensions:
Analysis by Matt McCormack