WORM_DORKBOT.WRF

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following files:

• {Drive Letter}:\ViewFiles.lnk - detected as LNK_DORKBOT.WRF
• {Drive Letter}:\{Folder/File Name}.lnk - detected as LNK_DORKBOT.WRF
• %Application Data%\ScreenSaverPro.scr - also detected as WORM_DORKBOT.WRF
• %Application Data%\temp.bin - also detected as WORM_DORKBOT.WRF

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It adds the following processes:

• svchost.exe
• mspaint.exe

It injects itself into the following processes as part of its memory residency routine:

• created svchost.exe
• created mspaint.exe
• winlogon.exe
• explorer.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Screen Saver Pro 3.1 = "%Application Data%\ScreenSaverPro.scr"

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• {Drive Letter}:\{random}.exe
• {Drive Letter}:\ViewFiles.cmd

It sends messages that contain links to sites hosting remote copies of itself using the following instant-messaging (IM) applications:

• MSN Messenger
• mIRC

Backdoor Routine

This worm executes the following commands from a remote malicious user:

• Block DNS
• Create processes
• Download other files
• Insert iFrame tags into HTML files
• Join an IRC channel
• Log in to FTP sites
• Perform Slowloris, UDP, and SYN flooding
• Run Reverse Socks4 proxy server
• Send MSN Messenger messages
• Steal login credentials
• Update itself
• Visit a web site

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}.{BLOCKED}.157.7:6538
• {BLOCKED}.{BLOCKED}0.com
• {BLOCKED}.{BLOCKED}.169.35
• {BLOCKED}.{BLOCKED}.92.168

Download Routine

This worm connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}.{BLOCKED}.31.188/38.exe
• http://{BLOCKED}.{BLOCKED}.155.171/38.exe
• http://{BLOCKED}.{BLOCKED}.169.105/38.exe
• http://{BLOCKED}.{BLOCKED}.177.199/3300.exe

It saves the files it downloads using the following names:

• %Application Data%\{random digit}.exe - detected as TROJ_LETHIC.WRF

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Other Details

This worm connects to the following URL(s) to get the affected system's IP address:

• http://api.wipmania.com/

NOTES:
It monitors the user's browsing activities. It gathers the user's login ID, password and email when the site accessed by the user contains the following strings:

• *.moneybookers.*/*login.pl
• *1and1.com/xml/config*
• *4shared.com/login*
• *:2082/login*
• *:2083/login*
• *:2086/login*
• *:2222/CMD_LOGIN*
• *FLN-Password=*
• *LoginPassword=*
• *Passwd=*
• *Password=*
• *TextfieldPassword=*
• *alertpay.com/login*
• *aol.*/*login.psp*
• *bcointernacional*login*
• *bebo.*/c/home/ajax_post_lifestream_comment
• *bebo.*/c/profile/comment_post.json
• *bebo.*/mail/MailCompose.jsp*
• *bigstring.*/*index.php*
• *clave=*
• *depositfiles.*/*/login*
• *dotster.com/*login*
• *dyndns*/account*
• *enom.com/login*
• *facebook.*/ajax/*MessageComposerEndpoint.php*
• *facebook.*/ajax/chat/send.php*
• *facebook.*/login.php*
• *fastmail.*/mail/*
• *fileserv.com/login*
• *filesonic.com/*login*
• *freakshare.com/login*
• *friendster.*/rpc.php
• *friendster.*/sendmessage.php*
• *gmx.*/*FormLogin*
• *godaddy.com/login*
• *google.*/*ServiceLoginAuth*
• *hackforums.*/member.php
• *hotfile.com/login*
• *letitbit.net*
• *login.live.*/*post.srf*
• *login.yahoo.*/*login*
• *loginUserPassword=*
• *login_password=*
• *mediafire.com/*login*
• *megaupload.*/*login*
• *members*.iknowthatgirl*/members*
• *members.brazzers.com*
• *moniker.com/*Login*
• *namecheap.com/*login*
• *netflix.com/*ogin*
• *netload.in/index*
• *officebanking.cl/*login.asp*
• *oron.com/login*
• *paypal.*/webscr?cmd=_login-submit*
• *runescape*/*weblogin*
• *screenname.aol.*/login.psp*
• *secure.logmein.*/*logincheck*
• *sendspace.com/login*
• *service=youtube*
• *signin.ebay*SignIn
• *sms4file.com/*/signin-do*
• *speedyshare.com/login*
• *steampowered*/login*
• *thepiratebay.org/login*
• *torrentleech.org/*login*
• *twitter.*/*direct_messages/new*
• *twitter.*/*status*/update*
• *twitter.com/sessions
• *uploaded.to/*login*
• *uploading.com/*login*
• *vip-file.com/*/signin-do*
• *vkontakte.ru/api.php
• *vkontakte.ru/mail.php
• *vkontakte.ru/wall.php
• *webnames.ru/*user_login*
• *what.cd/login*
• *whcms*dologin*
• *youporn.*/login*

It attempts to steal user credentials used in the following websites:

• 1and1
• 4shared
• Alertpay
• Bcointernacional
• Bebo
• BigString
• Brazzers
• Clave
• Depositfiles
• Dotster
• DynDNS
• Ebay
• Email
• FLN-Password
• FLN-UserName
• Facebook
• Fastmail
• Fileserve
• Filesonic
• Freakshare
• Friendster
• Gmail
• Godaddy
• Hackforums
• Hotfile
• IKnowThatGirl
• Letitbit
• LogMeIn
• Mediafire
• Megaupload
• Message
• Moneybookers
• Moniker
• Namecheap
• Netflix
• Netload
• OfficeBanking
• Passwd
• PayPal
• Runescape
• Sendspace
• Sms4file
• Speedyshare
• Steam
• Thepiratebay
• Torrentleech
• Twitter
• Uploaded
• Uploading.com
• Vip-file
• Vkontakte
• Webnames
• Whatcd
• Yahoo
• YouPorn
• YouTube

It may also prevent the user from using the following applications:

• cmd.exe
• ipconfig.exe
• regedit.exe
• regsvr32.exe
• rundll32.exe
• verclsid.exe

It drops shortcut (.LNK) files named after the folders/files found in the removable drives which points to the copy of itself in the removable drives.

The target property of the .LNK file contains the following format:

• %ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe /c %SystemRoot%\explorer.exe %cd%{Target Folder/File} start %cd%{malware copy}.exe exit

Then, it sets the folders' attribute to HIDDEN.

It propagates via the following social media networks:

• Bebo (Comment, Message)
• Friendster (Message, Comment, Shoutout, Chat)
• Twitter (Tweet, Message)
• Facebook (Message, Chat, Status)

It monitors if browser accesses URLs with following strings:

• avast
• avira
• bitdefender
• bullguard
• clamav
• comodo
• emsisoft
• eset
• f-secure
• fortinet
• garyshood
• gdatasoftware
• heck.tc
• iseclab
• jotti
• kaspersky
• lavasoft
• malwarebytes
• mcafee
• norman
• norton
• novirusthanks
• nprotect
• onecare.live
• onlinemalwarescanner
• pandasecurity
• precisesecurity
• sophos
• sunbeltsoftware
• symantec
• threatexpert
• trendmicro
• virscan
• virus
• virusbuster
• viruschief
• virustotal
• webroot