Update (10 October 2012):
A recent run of Dorkbot worm activity has been observed spreading over the Skype messaging network. Like most such worms, this latest outbreak is spread in messages with social engineered messages such as:
- Is that your pic: [malicious link]
If the malicious link is clicked, a malicious payload (also detected as Win32.Floppier.A) is dropped onto the user's machine. A successful infection results in a backdoor program being installed on the machine, which is capable of performing the following actions:
- Intercepting and stealing the user's communications or login details (from browsers such as Internet Explorer and Firefox and during chat or FTP transmissions)
- Performing file transfers
- Establishing sYN or UDP flood
- Blocking access to antivirus product update sites
- Grabbing login credentials from the
- Spreading itself by infecting USB sticks
- Spreading itself through MSN
- Detecting and killing other bot infections present on the machine
- Reloading the backdoor when the system is rebooted
This latest run has the following additional characteristics:
- The worm's payload file is dropped at C:\Documents and Settings\Administrator\Application Data\Olwuwi.exe
- Once dropped, rootkit techniques are used to hide this file from detection by the operating system
- When executed, the worm file injects code into the explorer.exe and winlogon.exe processes
- It then attempts to establish communication to remote servers, in particular to retrieve geo-IP data
- The Dorkbot samples we received also included malicious messages in the binary, including:
- Message hijacked!
- This binary is invalid. Main reason: you stupid cracker
Older details for variants in the Dorkbot family are listed below.
Dorkbot.A propagates by creating a copy of itself in the %AppData% and RECYCLER directories of any available removable drives. Under default settings, these directories are normally hidden.
The worm next creates shortcut files on the removable drives, pointing to the locations of the worm copies in the hidden directories. If a user unwittingly clicks a worm-created shortcut, the worm copy it points to is executed.
While active, Dorkbot attempts to steal login information for a number of popular websites, including PayPal, Gmail, Netflix and Facebook.
The worm will also block access to specific domain names that include these strings (all related to antivirus vendors or security services):