Threat Descriptions

Worm:W32/Dorkbot.A

Classification

Category :

Malware

Type :

Worm

Platform :

W32

Aliases :

Win32.Floppier.A, Floppier, Dorkbot, Worm:W32/Dorkbot.A, Worm.dorkbot.a, Worm:Win32/Dorkbot.A

Summary

Worm:W32/Dorkbot.A has backdoor and trojan capabilities, and spreads via removable drives and over Instant Messaging (IM) networks.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Additional Notes

The following precautionary security measures are also recommended to prevent further potential data loss until the machine/network is successfully disinfected:

  • The user should use a known clean machine to change their Skype login password.
  • Temporarily block both inbound and outbound connections for FTP and RDP on the infected machine.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Update (10 October 2012):

A recent run of Dorkbot worm activity has been observed spreading over the Skype messaging network. Like most such worms, this latest outbreak is spread in messages with social engineered messages such as:

  • Is that your pic: [malicious link]

If the malicious link is clicked, a malicious payload (also detected as Win32.Floppier.A) is dropped onto the user's machine. A successful infection results in a backdoor program being installed on the machine, which is capable of performing the following actions:

  • Intercepting and stealing the user's communications or login details (from browsers such as Internet Explorer and Firefox and during chat or FTP transmissions)
  • Performing file transfers
  • Establishing sYN or UDP flood
  • Blocking access to antivirus product update sites
  • Grabbing login credentials from the
  • Spreading itself by infecting USB sticks
  • Spreading itself through MSN
  • Detecting and killing other bot infections present on the machine
  • Reloading the backdoor when the system is rebooted

This latest run has the following additional characteristics:

  • The worm's payload file is dropped at C:\Documents and Settings\Administrator\Application Data\Olwuwi.exe
  • Once dropped, rootkit techniques are used to hide this file from detection by the operating system
  • When executed, the worm file injects code into the explorer.exe and winlogon.exe processes
  • It then attempts to establish communication to remote servers, in particular to retrieve geo-IP data
  • The Dorkbot samples we received also included malicious messages in the binary, including:
    • Message hijacked!
    • This binary is invalid. Main reason: you stupid cracker

Older details for variants in the Dorkbot family are listed below.

Propagation

Dorkbot.A propagates by creating a copy of itself in the %AppData% and RECYCLER directories of any available removable drives. Under default settings, these directories are normally hidden.

The worm next creates shortcut files on the removable drives, pointing to the locations of the worm copies in the hidden directories. If a user unwittingly clicks a worm-created shortcut, the worm copy it points to is executed.

Activity

While active, Dorkbot attempts to steal login information for a number of popular websites, including PayPal, Gmail, Netflix and Facebook.

The worm will also block access to specific domain names that include these strings (all related to antivirus vendors or security services):

  • webroot.
  • fortinet.
  • virusbuster.
  • nprotect.
  • gdatasoftware.
  • virus.
  • precisesecurity.
  • lavasoft.
  • heck.tc.
  • emsisoft.
  • onlinemalwarescanner.
  • onecare.live.
  • f-secure.
  • bullguard.
  • clamav.
  • pandasecurity.
  • sophos.
  • malwarebytes.
  • sunbeltsoftware.
  • norton.
  • norman.
  • mcafee.
  • symantec.
  • comodo.
  • avast.
  • avira.
  • avg.
  • bitdefender.
  • eset.
  • kaspersky.
  • trendmicro.
  • iseclab.
  • virscan.
  • garyshood.
  • viruschief.
  • jotti.
  • threatexpert.
  • novirusthanks.
  • virustotal.