Analysis by: Cris Nowell Pantanilla

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware, Downloaded from the Internet, Propagates via instant messaging applications

This malware steals information that can compromise the user's online credentials and accounts. It also uses the Skype messenger application to distribute various threats, including ransomware, infostealers or updated copies of the malware itself. This can lead to further malware infection on the user, as well as other users.

To get a one-glance comprehensive view of the behavior of this Worm, refer to the Threat Diagram shown below.

This worm may be downloaded by other malware/grayware from remote sites.

  TECHNICAL DETAILS

File Size: 24,064 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 08 Oct 2012
Payload: Sends messages

Arrival Details

This worm may be downloaded by the following malware/grayware from remote sites:

  • WORM_DORKBOT.DN

It may be downloaded from the following remote sites:

  • http://{BLOCKED}e.com/dl/175341483/21ee863/h3480f.html

NOTES:
Once executed, it searches for the following processes if running in the system:

  • msnmsgr.exe
  • msmsgs.exe
  • skype.exe

It may be used as a component to send a message to the user's contacts containing a shortened link where copies of other malware can be downloaded:

  • http://{BLOCKED}o.{BLOCKED}l/{generated code}?{variable}={contact name}

Where {variable} is any of the following:

  • img
  • profile

{contact name} is the name of the recipient of the message.

Once clicked, the shortened link leads to this URL:

  • http://{BLOCKED}e.com/dl/175339084/d951071/skype_08102012_image.zip.html

Message sent via Skype:

  • {message} http://goo.gl{random}?img={contactname}
  • {message} http://goo.gl{random}?profile={contactname}

Where {message} is any of the following depends on the geographical location.

lol is this your new profile pic
hej to jest twój nowy obraz profil?
eínai aftí i néa fotografía profíl sas?
это новый аватар вашего профиля?))
سؤال هي صورتك ؟
moin, kaum zu glauben was für schöne fotos von dir auf deinem profil
hej er det din nye profil billede?
hej je to vasa nova slika profila
hey is dit je nieuwe profielfoto?
hei zhè shì ni de gèrén ziliào zhàopiàn ma?
tung, cka paske lyp ti nket fotografi?
hey c'est votre nouvelle photo de profil?
hey é essa sua foto de perfil? rsrsrsrsrsrsrs
¿hey esta es tu nueva foto de perfil?
ni phaph porfil khxng khun?
hej detta är din nya profilbild?
hey è la tua immagine del profilo nuovo?

  SOLUTION

Minimum Scan Engine: 9.200
FIRST VSAPI PATTERN FILE: 9.448.05
FIRST VSAPI PATTERN DATE: 08 Oct 2012
VSAPI OPR PATTERN File: 9.449.00
VSAPI OPR PATTERN Date: 09 Oct 2012

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Remove the malware/grayware file that dropped/downloaded WORM_DORKBOT.IF

Step 3

Identify and terminate files detected as WORM_DORKBOT.IF

[ Learn More ]
  1. Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 4

Scan your computer with your Trend Micro product to delete files detected as WORM_DORKBOT.IF. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.

Related Malware