WORM_DORKBOT.UO

 Analysis by: Andrei Castillo

 ALIASES:

Trojan.GenericKDV.1269221(BitDefender), Worm:Win32/Dorkbot.I(Microsoft), a variant of Win32/Injector.AMWG trojan(NOD32), TR/Dorkbot.A.52(Antivir)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This worm arrives via removable drives.

It drops copies of itself into all the removable drives connected to an affected system.

It deletes the initially executed copy of itself.

  TECHNICAL DETAILS

File Size:

164,864 bytes

File Type:

EXE

Arrival Details

This worm arrives via removable drives.

Installation

This worm drops and executes the following files:

  • {drive letter}:\RECYCLER\{random recycler folder name}\{random file name}.exe
  • %Application Data%\{random characters}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

  • %Application Data%\ScreenSaverPro.scr
  • %Application Data%\temp.bin
  • %Application Data%\{random characters}.exe.gonewiththewings

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It creates the following folders:

  • {drive letter}:\RECYCLER\{random recycler folder name}

Autostart Technique

This worm creates the following registry entries to enable automatic execution of its dropped components at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Screen Saver Pro 3.1 = "%Application Data%\ScreenSaverPro.scr"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
MSNetDKNowiz = "%Application Data%\{random characters}.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{random value} = "{drive letter}:\RECYCLER\{random recycler folder name}\{random file name}.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = "{drive letter}:\RECYCLER\{random recycler folder name}\{random file name}.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Taskman = "{drive letter}:\RECYCLER\{random recycler folder name}\{random file name}.exe"
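The autostart entries above are the persistence indicators a responder would check first. The following script is an added example, not part of the original page or of any vendor tool: it parses a text export in the format produced by `reg export` and flags Run values that launch from a RECYCLER folder, that launch a screen saver binary, or that launch an executable from roaming profile data, plus any Winlogon Shell value other than explorer.exe and any Winlogon Taskman value (not present on a clean install). The export embedded below is constructed; the file names in it are placeholders for the random names the worm generates.

```python
"""Triage a .reg export for the Dorkbot-style autostart pattern.
Added example (not the page's or a vendor's code); SAMPLE_REG is constructed."""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
)

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="value" with the .reg escaping of backslashes and quotes inside value
VALUE_RE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"$')
RECYCLER_RE = re.compile(r"\\RECYCLER\\", re.IGNORECASE)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\|\\Application Data\\", re.IGNORECASE)

# Constructed export of an infected profile (hypothetical paths and names).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Screen Saver Pro 3.1"="C:\\Users\\alice\\AppData\\Roaming\\ScreenSaverPro.scr"
"MSNetDKNowiz"="C:\\Users\\alice\\AppData\\Roaming\\kfjdhs.exe"
"x9s2k"="E:\\RECYCLER\\S-1-5-21-1234\\a1b2c3.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="E:\\RECYCLER\\S-1-5-21-1234\\a1b2c3.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Taskman"="E:\\RECYCLER\\S-1-5-21-1234\\a1b2c3.exe"
'''


def parse_reg_export(text):
    """Return {key: {value_name: value_data}} from a .reg text export.
    Only string (REG_SZ) values are parsed; that is all the triage needs."""
    entries = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            entries.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1)
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            entries[key][name] = data
    return entries


def flag_autostart(entries):
    """Return a list of (reason, name_or_key, value) findings for review."""
    findings = []
    for name, value in entries.get(RUN_KEY, {}).items():
        if RECYCLER_RE.search(value):
            findings.append(("Run value launches from a RECYCLER folder", name, value))
        elif value.lower().endswith(".scr"):
            findings.append(("Run value launches a screen saver binary", name, value))
        elif ROAMING_RE.search(value):
            # Weaker signal: legitimate software also lives here, so review rather than act.
            findings.append(("Run value launches an executable from roaming profile data", name, value))
    for key in WINLOGON_KEYS:
        values = entries.get(key, {})
        shell = values.get("Shell")
        if shell is not None and shell.strip().lower() != "explorer.exe":
            findings.append(("Winlogon Shell is not explorer.exe", key, shell))
        if "Taskman" in values:
            findings.append(("Winlogon Taskman is set (not present by default)", key, values["Taskman"]))
    return findings


if __name__ == "__main__":
    for reason, where, value in flag_autostart(parse_reg_export(SAMPLE_REG)):
        print(f"{reason}: {where} -> {value}")
```

On a live host the same parser works on the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the two Winlogon keys), saved as text; the OneDrive entry in the sample is there to show that an ordinary Local AppData autostart is not flagged.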

Propagation

This worm drops copies of itself into all the removable drives connected to an affected system.

Other Details

This worm connects to the following possibly malicious URL:

  • http://{BLOCKED}i.{BLOCKED}ia.com

It deletes the initially executed copy of itself.

NOTES:
It creates shortcut files named after all existing files and folders in the removable drive. It then sets the attributes of the original files and folders to Hidden to trick the user into clicking the shortcut files, which execute its dropped copy on the drive.
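The decoy pattern in the note above (a .lnk named after a now-hidden original) can be checked for directly on a removable drive root. The script below is an added example, not from the original page: `pair_decoys` holds the matching logic and is fed a constructed listing, while `scan_drive_root` applies it to a real path using the Windows Hidden attribute. The assumption that the shortcut may be named either after the full original name or after its stem (for example `report.lnk` beside a hidden `report.docx`) is mine, since the page does not say which form the worm uses.

```python
"""Find .lnk shortcuts that shadow hidden files or folders on a drive root.
Added example, not the page's or a vendor's code; SAMPLE_* are constructed."""
import os
import stat

FILE_ATTRIBUTE_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


def is_hidden(entry):
    """True if a DirEntry carries the Windows Hidden attribute.
    st_file_attributes exists only on Windows; elsewhere (e.g. a drive image
    mounted on Linux) the attribute is unavailable and this returns False."""
    try:
        return bool(entry.stat().st_file_attributes & FILE_ATTRIBUTE_HIDDEN)
    except AttributeError:
        return False


def pair_decoys(names, hidden):
    """Return sorted (shortcut, hidden_original) pairs.
    names:  every entry name in the drive root
    hidden: the subset of names that carry the Hidden attribute
    'X.lnk' matches a hidden 'X'; for files it also matches a hidden 'X.<ext>'
    (assumed naming; the page does not state which form is used)."""
    hidden_exact = {h.lower(): h for h in hidden}
    hidden_by_stem = {}
    for h in hidden:
        hidden_by_stem.setdefault(os.path.splitext(h)[0].lower(), h)
    pairs = []
    for n in names:
        if not n.lower().endswith(".lnk"):
            continue
        base = n[:-4].lower()
        target = hidden_exact.get(base) or hidden_by_stem.get(base)
        if target is not None:
            pairs.append((n, target))
    return sorted(pairs)


def scan_drive_root(path):
    """Apply pair_decoys to a real directory (meaningful on Windows hosts)."""
    with os.scandir(path) as it:
        entries = list(it)
    names = [e.name for e in entries]
    hidden = [e.name for e in entries if is_hidden(e)]
    return pair_decoys(names, hidden)


# Constructed listing of an infected drive root (not real data).
SAMPLE_NAMES = ["Photos", "Photos.lnk", "report.docx", "report.lnk",
                "RECYCLER", "readme.txt", "Install Software.lnk"]
SAMPLE_HIDDEN = ["Photos", "report.docx", "RECYCLER"]

if __name__ == "__main__":
    for shortcut, original in pair_decoys(SAMPLE_NAMES, SAMPLE_HIDDEN):
        print(f"{shortcut} shadows hidden {original}")
```

In the constructed listing, `Install Software.lnk` has no hidden counterpart and is not reported, so an ordinary shortcut left on a drive does not produce a finding; the hidden `RECYCLER` folder without a matching shortcut is likewise ignored by this check.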