Installation
Worm:Win32/Dorkbot.AR may arrive as a link in an instant message. If you click the link, a copy of the worm is downloaded to your computer. See the Skype section below for more details.
The worm may be present in the %TEMP% directory under a file name in the following format:
skype-img-<MM_DD-YYYY>.exe - for example, skype-img-04_04-2013.exe
When it runs, Worm:Win32/Dorkbot.AR copies itself to the %APPDATA% directory using a randomly generated 16-character file name. In the wild, we have observed the worm using the following file name:
zrjubbofwfmowfzs.exe
It modifies the following registry entry to ensure it runs each time you start your computer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<randomly generated 16 letter string>.exe"
With data: "%APPDATA%\<randomly generated 16 letter string>.exe"
For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "zrjubbofwfmowfzs.exe"
With data: "%AppData%\zrjubbofwfmowfzs.exe"
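The two host indicators described above (the %TEMP% dropper name and the Run-key persistence entry) can be checked mechanically. The following is an added example, not code from the original page or from Microsoft: it flags Run-key entries whose value name is 16 lowercase letters plus ".exe" and whose data points at the same file under %APPDATA% (either as the literal variable or as an expanded Roaming path), and recognizes the skype-img-<MM_DD-YYYY>.exe naming pattern. The registry entries and file names it runs over are constructed sample data.

```python
import re

# Constructed sample HKCU\...\Run entries as (value name, data) pairs,
# mixing two benign entries with two that follow the pattern the page describes.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("zrjubbofwfmowfzs.exe", r"%AppData%\zrjubbofwfmowfzs.exe"),
    ("Updater", r"C:\Program Files\Vendor\updater.exe"),
    ("abcdefghijklmnop.exe", r"C:\Users\alice\AppData\Roaming\abcdefghijklmnop.exe"),
]

# Value name: exactly 16 letters followed by ".exe". The observed sample used
# lowercase letters, so that is what we match.
RANDOM_NAME = re.compile(r"^([a-z]{16})\.exe$")

# Data: the same 16-letter name directly under %APPDATA%, written either as the
# unexpanded variable or as an expanded <drive>:\Users\<user>\AppData\Roaming path.
# Accepting the expanded form is an assumption about how a collector might
# record the value; the page only shows the %AppData% form.
APPDATA_PATH = re.compile(
    r'^"?(?:%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming)\\([a-z]{16})\.exe"?$',
    re.IGNORECASE,
)

def is_dorkbot_run_entry(name, data):
    """True when the value name and data both name the same random 16-letter exe."""
    m_name = RANDOM_NAME.match(name.strip())
    m_data = APPDATA_PATH.match(data.strip())
    return bool(m_name and m_data and m_name.group(1).lower() == m_data.group(1).lower())

def flag_run_entries(entries):
    """Return the value names of all entries that match the persistence pattern."""
    return [name for name, data in entries if is_dorkbot_run_entry(name, data)]

# Dropper in %TEMP%: skype-img-<MM_DD-YYYY>.exe, e.g. skype-img-04_04-2013.exe
TEMP_DROPPER = re.compile(r"^skype-img-(\d{2})_(\d{2})-(\d{4})\.exe$", re.IGNORECASE)

def is_dorkbot_temp_name(filename):
    """True when a %TEMP% file name follows the skype-img-<MM_DD-YYYY>.exe pattern."""
    return TEMP_DROPPER.match(filename.strip()) is not None

if __name__ == "__main__":
    print("suspicious Run entries:", flag_run_entries(SAMPLE_RUN_ENTRIES))
    print("skype-img-04_04-2013.exe ->", is_dorkbot_temp_name("skype-img-04_04-2013.exe"))
```

Matching on the pattern rather than on the one observed name matters here: the file name is regenerated per infection, so a signature on "zrjubbofwfmowfzs.exe" alone would miss every other machine.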
Spreads via…
Removable and shared drives
Worm:Win32/Dorkbot.AR creates a folder named “snkb0ptz” on all accessible USB and mapped network drives and drops the following files into that folder:
- ...lnk - the worm's shortcut link
- ..lnk - the worm's shortcut link
- desktop.ini
- snkb0ptz.exe - a copy of the worm
- subst.lnk - the worm's shortcut link
This looks similar to the following screenshot:
The autorun.inf file and the shortcut links all point to the worm copy. When the drive is accessed from a computer on which the Autorun feature is enabled, the worm is launched automatically.
The three shortcut links are also there to trick you into clicking them, which runs the worm.
Skype
Worm:Win32/Dorkbot.AR can spread via Skype by downloading and installing another malware component; see the Payload section below for more details.
This malware component uses the Skype APIs to send a malicious link to all your Skype contacts at a specified time interval. If a contact receives and visits the link, Win32/Dorkbot is downloaded onto their computer.
The message may differ based on your current location and locale, but one example is shown below:
Payload
Contacts remote Internet Relay Chat (IRC) server
Worm:Win32/Dorkbot.AR generates an IRC 'nickname' by combining the country code, operating system version, user type and a random string, using the following format:
n{<country code>-<OS version><user type>}<8 random characters>
For example, n{USA-XPx86a}gdpgqxjy (the observed nickname also carries the processor architecture, x86, between the OS version and the user type)
where:
- Operating system version is one of: XP, 2K3, VIS, 2K8, W7, ERR (the version could not be determined)
- Country code is a three-letter country code (for example, US becomes USA, RU becomes RUS, etc.)
- User type is either 'a' (administrator) or 'u' (user)
Using the generated nickname and the IRC server information from its internal configuration, it connects to the IRC server to retrieve further data or infection parameters such as a download link, the MSN or Skype message text, and other information.
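Because the nickname encodes the victim profile in a fixed layout, it is a usable network indicator on its own: a sensor that sees IRC NICK commands can decode the country, OS, architecture and privilege level of an infected host. The following is an added example, not code from the original page or from Microsoft. It parses the nickname format described above (with the architecture token taken from the page's own example; accepting x64 as an alternative token is an assumption) and runs over a constructed IRC session log.

```python
import re

# Nickname layout from the page: n{<country>-<OS version><arch><user type>}<8 random chars>.
# The architecture token is present in the page's example (XPx86a); x64 is assumed
# as the other possible value and is not documented on the page.
NICK_RE = re.compile(
    r"^n\{(?P<country>[A-Z]{3})-(?P<os>XP|2K3|VIS|2K8|W7|ERR)"
    r"(?P<arch>x86|x64)?(?P<user>[au])\}(?P<rand>[a-z]{8})$"
)

# Human-readable expansions of the OS tokens (the expansions are our reading of the
# abbreviations; the page lists only the tokens themselves).
OS_NAMES = {
    "XP": "Windows XP",
    "2K3": "Windows Server 2003",
    "VIS": "Windows Vista",
    "2K8": "Windows Server 2008",
    "W7": "Windows 7",
    "ERR": "unknown (detection error)",
}

def parse_dorkbot_nick(nick):
    """Decode a Dorkbot-style nickname into its fields, or return None if it does not match."""
    m = NICK_RE.match(nick)
    if not m:
        return None
    return {
        "country": m.group("country"),
        "os": OS_NAMES[m.group("os")],
        "arch": m.group("arch") or "unknown",
        "admin": m.group("user") == "a",
        "rand": m.group("rand"),
    }

# Constructed IRC client-to-server lines (not a real capture), as a proxy or IDS
# might log them. Two of the NICK commands follow the worm's layout.
SAMPLE_IRC_LINES = [
    "NICK n{USA-XPx86a}gdpgqxjy",
    "USER gdpgqxjy 0 * :gdpgqxjy",
    "NICK alice_",
    "PRIVMSG #chan :hello",
    "NICK n{RUS-W7x86u}qwertyui",
    "NICK n{USA-XPa}short",
]

IRC_NICK_LINE = re.compile(r"^NICK\s+:?(\S+)")

def find_dorkbot_nicks(lines):
    """Return (nickname, decoded fields) for every NICK line that matches the worm's layout."""
    hits = []
    for line in lines:
        m = IRC_NICK_LINE.match(line.strip())
        if not m:
            continue
        parsed = parse_dorkbot_nick(m.group(1))
        if parsed is not None:
            hits.append((m.group(1), parsed))
    return hits

if __name__ == "__main__":
    for nick, fields in find_dorkbot_nicks(SAMPLE_IRC_LINES):
        print(nick, "->", fields)
```

The random suffix is deliberately not matched against any fixed value; only the structural part of the nickname is stable across infections, and the "admin" bit tells a responder which hosts were running the worm with administrative rights.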
Once connected, Worm:Win32/Dorkbot.AR joins a channel and waits for commands. In the wild, we have observed the worm contacting the following IRC servers on TCP port 9000:
- f.eastmoon.pl
- gigasbh.org
- gigasphere.su
- h.opennews.su
- o.dailyradio.su
- photobeat.su
- s.richlab.pl
- uranus.kei.su
- xixbh.com
- xixbh.net
It downloads the Skype component from a hotfile domain, for example:
hotfile.com/dl/202145748/705bd55/haha.html
Downloads other malware
Win32/Dorkbot.AR downloads a malicious component, detected as Worm:Win32/Skypii.A. This component is responsible for sending messages to your Skype contacts. Each message contains a malicious link pointing to a Win32/Dorkbot download URL.
In this way, the worm can infect many users and form a viable botnet for different purposes.
Among the downloaded files is a Bitcoin miner, which is downloaded from:
petewake.com/faf
The Bitcoin miner is saved to the %TEMP% directory as a randomly-named file.
Additional information
This variant creates a mutex named “snkb0ptz” (the same string it uses for the folder it drops on removable drives) so that only one instance of itself runs on your computer at any one time.
Worm:Win32/Dorkbot.AR may hook the following APIs, probably for keylogging or for monitoring user activity to decide when to run the bitcoin miner:
- kernel32.dll!GetConsoleOutputCP
- kernel32.dll!GetCurrentDirectoryW
- kernel32.dll!GetProcessHeap
- kernel32.dll!lstrcatA
- user32.dll!BroadcastSystemMessageW
- user32.dll!GetMessagePos
- user32.dll!IsCharAlphaNumericW
- user32.dll!SetRectEmpty
- user32.dll!VkKeyScanA
Analysis by Rex Plantado