Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:Worm/Dorkbot.I.385
Date discovered:07/05/2012
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Medium
File size:947.200 Bytes
MD5 checksum:e8e2ba08f9aff27eed45daa8dbde6159
VDF version:7.11.29.80 - Monday, May 7, 2012
IVDF version:7.11.29.80 - Monday, May 7, 2012

 General Methods of propagation:
    Autorun feature
   • Local network
    Messenger


Aliases:
   •  Kaspersky: Trojan.Win32.Bublik.jdb
   •  Sophos: Troj/Agent-YCW
   •  Eset: Win32/Dorkbot.B worm
     GData: Trojan.Generic.KDV.750742
     DrWeb: BackDoor.IRC.NgrBot.42
     Norman: Trojan W32/Injector.BMHF


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
    Windows Vista
    Windows Server 2008
    Windows 7


Side effects:
    Can be used to modify system settings that allow or augment potential malware behaviour.
   • Registry modification

 Files It copies itself to the following location:
   • %appdata%\%six-digit random character string%.exe



The following file is created:

%appdata%\%1 digit random character string%.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too.

 Registry One of the following values is added in order to run the process after reboot:

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Bwzizj"="%appdata%\%six-digit random character string%.exe"

 Miscellaneous Internet connection:
In order to check for its internet connection the following DNS servers are contacted:
   • s177.hot**********.com
   • venus.time**********.pl


Event handler:
It creates the following Event handlers:
   • ReadProcessMemory
   • WriteProcessMemory
   • CreateRemoteThread
   • InternetReadFile
   • URLDownlaodToFile
   • InternetOpenURL
   • InternetOpen
   • CreateFile
   • GetAsyncKeyState


String:
Furthermore it contains the following strings:
   • SYN]: Starting flood on "%s:%d" for %d second(s)
   • UDP]: Starting flood on "%s:%d" for %d second(s)
   • HTTP]: Updated HTTP spread interval to "%s"
   • MSN]: Updated MSN spread message to "%s
   • facebook.*/ajax/chat/send.php*
   • friendster.*/sendmessage.php*
   • secure.logmein.*/*logincheck*
   • google.*/*ServiceLoginAuth*
   • screenname.aol.*/login.psp*
   • sms4file.com/*/signin-do*
   • vip-file.com/*/signin-do*
   • moneybookers.*/*login.pl
   • torrentleech.org/*login*
   • webnames.ru/*user_login*
   • bigstring.*/*index.php*
   • login.live.*/*post.srf*
   • depositfiles.*/*/login*
   • thepiratebay.org/login*
   • MSN-> Message Pwned :)!
   • MSN-> Done, MSG is sent
   • DNS]: Blocked DNS "%s"
   • login.yahoo.*/*login*
   • facebook.*/login.php*
   • runescape*/*weblogin*
   • mediafire.com/*login*
   • vkontakte.ru/api.php
   • friendster.*/rpc.php
   • icon=shell32.dll,7
   • steampowered*/login*
   • twitter.com/sessions
   • megaupload.*/*login*
   • sendspace.com/login*
   • 4shared.com/login*
   • hotfile.com/login*
   • netflix.com/*ogin*
   • godaddy.com/login*

 File details Programming language:
The malware program was written in Borland C++.

Description inserted by Wensin Lee on Monday, October 8, 2012
Description updated by Wensin Lee on Monday, October 8, 2012

Back . . . .