Worm:W32/Dorkbot.A

Classification

Malware

Worm

W32

Win32.Floppier.A, Floppier, Dorkbot, Worm:W32/Dorkbot.A, Worm.dorkbot.a, Worm:Win32/Dorkbot.A

Summary

Worm:W32/Dorkbot.A has backdoor and trojan capabilities, and spreads via removable drives and over Instant Messaging (IM) networks.

Removal

Automatic

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Network Disinfection

For general instructions on disinfecting a local network infection, please see Eliminating A Local Network Outbreak.

Additional Notes

The following precautionary security measures are also recommended to prevent further potential data loss until the machine/network is successfully disinfected:

  • The user should use a known clean machine to change their Skype login password.
  • Temporarily block both inbound and outbound connections for FTP and RDP on the infected machine.
Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Update (10 October 2012):

A recent run of Dorkbot worm activity has been observed spreading over the Skype messaging network. Like most such worms, this latest outbreak is spread in messages with social engineered messages such as:

  • Is that your pic: [malicious link]

If the malicious link is clicked, a malicious payload (also detected as Win32.Floppier.A) is dropped onto the user's machine. A successful infection results in a backdoor program being installed on the machine, which is capable of performing the following actions:

  • Intercepting and stealing the user's communications or login details (from browsers such as Internet Explorer and Firefox and during chat or FTP transmissions)
  • Performing file transfers
  • Establishing sYN or UDP flood
  • Blocking access to antivirus product update sites
  • Grabbing login credentials from the
  • Spreading itself by infecting USB sticks
  • Spreading itself through MSN
  • Detecting and killing other bot infections present on the machine
  • Reloading the backdoor when the system is rebooted

This latest run has the following additional characteristics:

  • The worm's payload file is dropped at C:\Documents and Settings\Administrator\Application Data\Olwuwi.exe
  • Once dropped, rootkit techniques are used to hide this file from detection by the operating system
  • When executed, the worm file injects code into the explorer.exe and winlogon.exe processes
  • It then attempts to establish communication to remote servers, in particular to retrieve geo-IP data
  • The Dorkbot samples we received also included malicious messages in the binary, including:
    • Message hijacked!
    • This binary is invalid. Main reason: you stupid cracker

Older details for variants in the Dorkbot family are listed below.

Propagation

Dorkbot.A propagates by creating a copy of itself in the %AppData% and RECYCLER directories of any available removable drives. Under default settings, these directories are normally hidden.

The worm next creates shortcut files on the removable drives, pointing to the locations of the worm copies in the hidden directories. If a user unwittingly clicks a worm-created shortcut, the worm copy it points to is executed.

Activity

While active, Dorkbot attempts to steal login information for a number of popular websites, including PayPal, Gmail, Netflix and Facebook.

The worm will also block access to specific domain names that include these strings (all related to antivirus vendors or security services):

  • webroot.
  • fortinet.
  • virusbuster.
  • nprotect.
  • gdatasoftware.
  • virus.
  • precisesecurity.
  • lavasoft.
  • heck.tc.
  • emsisoft.
  • onlinemalwarescanner.
  • onecare.live.
  • f-secure.
  • bullguard.
  • clamav.
  • pandasecurity.
  • sophos.
  • malwarebytes.
  • sunbeltsoftware.
  • norton.
  • norman.
  • mcafee.
  • symantec.
  • comodo.
  • avast.
  • avira.
  • avg.
  • bitdefender.
  • eset.
  • kaspersky.
  • trendmicro.
  • iseclab.
  • virscan.
  • garyshood.
  • viruschief.
  • jotti.
  • threatexpert.
  • novirusthanks.
  • virustotal.

Date Created: 2011-10-13 18:00:00.0

Date Last Modified: 2011-10-13 18:00:00.0