WORM_DORKBOT: IRC Bots Rise Again?

Written by: Bernadette Irinco

WORM_DORKBOT or NgrBot is an Internet Relay Chat (IRC) bot used for distributed denial-of-service (DDoS) attacks. It became prevalent in the Latin American region in 2011. It has various modules enabling it to gather user information and propagate via instant messaging applications and social networking sites. It also receives commands from bot masters.

IRC bots issue commands via IRC communication protocol to allow cybercriminals to can send commands to infected systems. These bots became rampant during the outbreak era. They are not technically advanced compared with other newer threats such as KOOBFACE and ZBOT, but IRC bots remain effective in installing malware onto infected systems to steal hard-earned money from users.

How do users’ systems get infected?

Users may unknowingly download WORM_DORKBOT variants when visiting malicious sites. These may also arrive onto systems via removable drives. WORM_DORKBOT variants also infect users’ systems thru social networking sites and instant messaging (IM) applications.

What happens when users execute WORM_DORKBOT variants on their systems?

When executed, WORM_DORKBOT variants download other malicious files onto the infected systems. These also hook to several APIs to hide files, processes, and registries. This makes WORM_DORKBOT variants hard to detect and remove from users’ systems. Moreover, they block access to antivirus-related websites by also hooking to DnsQuery_A and DnsQuery_W APIs. DnsQuery_A and DnsQuery_W check if websites are available before resolving the IP address.

WORM_DORKBOT variants connect to an IRC server to join a channel. To generate the NICK or user name, they access http://api.wipmania.com/  to get the geographical location and IP address of the infected systems. They also monitor several websites with certain strings and steal login credentials from browsers. 

How do WORM_DORKBOT variants propagate?

Variants of this malware family spread via IM applications that send messages with a URL. This URL leads to downloading a copy of the malware. For the IM application MSN Messenger, WORM_DORKBOT monitors the MSN protocol and sends messages with a malicious link. It also spreads in social networking sites like Twitter and Facebook through messages carrying malicious links. Similarly, when users click these URLs; they are redirected to a site where a copy of the malware can be downloaded. Lastly, WORM_DORKBOT also propagates via removable drives. It creates an AUTORUN.INF file and drops a shortcut file (.LNK) that points to the copy of the malware.

What instant messaging applications and social networking sites do WORM_DORKBOT variants targeted?

WORM_DORKBOT variants target the following IM applications:
  • mIRC
  • MSN Messenger
  • Pidgin
  • Windows Live Messenger
  • XChat

They also target popular social networking websites like Twitter and Facebook to infect as many systems as possible.

How do WORM_DORKBOT variants affect users?

Users are at risk of losing their credentials, which the cybercriminals can sell in the underground or use for future attacks. WORM_DORKBOT variants can also download other malicious files and lead to further malware infection thus compromising the security of the infected systems. Moreover, cybercriminals may use compromised systems or bots to launch more DDoS attacks.

Why are WORM_DORKBOT variants noteworthy?

WORM_DORKBOT is a modularized IRC bot that can be purchased in the underground cybercrime economy. One of its modules is a password grabber that enables monitoring forms from certain websites via POST method. As such, cybercriminals can steal user credentials and other information.

WORM_DORKBOT variants also generate NICKs based on users’ locations. IRC users use NICKs as their user names when entering channels. Through generating this, cybercriminals may obtain the infected systems’ geographical location. As such, it is easier for bot masters to use infected systems or bots nearest to the targeted entities for launching DDoS attacks and other malicious activities. For instance, cybercriminals who may want to target a company in a certain country will use all bots or infected systems in that area to carry out an attack.

Are Trend Micro product users protected from this threat?

Trend Micro product users are protected from WORM_DORKBOT via the Trend Micro™ Smart Protection Network™  that detects all known variants. Users are strongly advised to secure their removable drives by disabling the AUTORUN feature. This can prevent WORM_DORKBOT variants from spreading.

Be wary with clicking messages sent via IM applications and social networking sites even they come from seemingly trusted sources.


“One of the factors of a malware’s increasing detection rate is the distribution of its source code or builder. For instance, when the ZeuS source code leaked, cybercriminals with little technical background used it for their nefarious activities. Similarly, Dorkbot’s builder is spreading in underground forums, making it readily available to those who can’t afford to buy bots to use for malicious purposes. “ – Jessa Dela Torre, Threat Researcher