Worm.Win32.Dorkbot_323717ac38

by malwarelabrobot on July 31st, 2013 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Win32.Servlice!IK (Emsisoft), Worm.Win32.Dorkbot.FD (Lavasoft MAS)
Behaviour: Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 323717ac3803f14aa1fdcbea433602d6
SHA1: 09a7bde2efbe04ab3823b9c006cf16bb083e82c3
SHA256: cb26589e469ed4a543d4cb7054d9ed16cc656784037b1348195a437112076547
SSDeep: 6144:eGbNT wFHnbaCKfXe66JRlxMT8pEO8JnDYdw02OrZ/NTKYJq:eGbNywHnbaXfXI9xMT8pEHJnEZrFxKYs
Size: 255568 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID:
Company: MediaFinder
Created at: 2013-07-15 03:03:18


Summary:

Worm: a program that primarily replicates over networks or removable drives.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

nircmd.exe:1852
attrib.exe:1244
1.exe:1220
323717ac3803f14aa1fdcbea433602d6.exe:1268
reg.exe:2004
2.exe:1436
2.exe:888
2.exe:1468

The Worm injects its code into the following process(es):

system.exe:1100

File activity

The process 1.exe:1220 makes changes to the file system.
The Worm creates and/or writes to the following file(s):

%WinDir%\syso\critical\libcurl-4.dll (1673 bytes)
%WinDir%\syso\critical\system.exe (1289 bytes)
%WinDir%\syso\critical\pthreadGC2.dll (2017 bytes)
%WinDir%\syso\critical\antivirus.bat (108 bytes)
%WinDir%\syso\critical\sys.bat (337 bytes)
%WinDir%\syso\critical\zlib1.dll (601 bytes)
%WinDir%\syso\critical\libcurl.dll (1345 bytes)
%WinDir%\syso\critical\nircmd.exe (43 bytes)

The Worm deletes the following file(s):

%WinDir%\syso\__tmp_rar_sfx_access_check_1261296 (0 bytes)

The process 2.exe:888 makes changes to the file system.
The Worm creates and/or writes to the following file(s):

%WinDir%\csrss.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

Registry activity

The process nircmd.exe:1852 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 1F D5 52 CA 1F 6B 1A 83 2A 69 04 37 A6 0C 2B"

The process attrib.exe:1244 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 95 31 13 83 23 9B 61 16 35 78 F8 F3 DE 08 8D"

The process 1.exe:1220 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 8E 80 31 29 C2 7B FE C6 94 24 63 15 12 92 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Windows\syso\critical]
"sys.bat" = "sys"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Worm modifies the IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies the IE security-zone settings to map all local hosts with no dots that are not assigned to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies the IE security-zone settings to map all hosts that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The process system.exe:1100 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 79 08 BE EB FF 2E 2C 33 95 19 60 DC 7F BA CE"

The process 323717ac3803f14aa1fdcbea433602d6.exe:1268 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 6E 98 DB A4 C4 A8 91 E6 B5 A3 05 BE 56 7A 61"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process reg.exe:2004 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 86 81 9D D4 40 9B FB 29 14 DB 92 BC A0 75 F7"

To run automatically each time Windows is booted, the Worm adds the following reference to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "C:\Windows\syso\critical\antivirus.bat"

The process 2.exe:1436 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 A7 57 08 B9 EF 75 31 FF 7C E6 4E 3A 1A EB 36"

The process 2.exe:888 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 89 C7 D3 BE BD BE 57 B3 AD 6A 32 1C 5E 34 6F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

To run automatically each time Windows is booted, the Worm adds the following reference to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Remote Registry Service" = "csrss.exe"

The process 2.exe:1468 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 40 33 14 EF 1A B9 57 71 6B 04 2C 77 7B 6A 29"

Network activity (URLs)

URL / host                                                                                   IP
hxxp://api.wipmania.com/ (ET POLICY External IP Lookup Attempt To Wipmania)                  69.197.137.58
hxxp://www.v.dropbox.com/s/7xn0a7a5i0f5am8/sym.exe?dl=1                                      (not recorded)
hxxp://www.v.dropbox.com/s/3nic3qvithu7lya/rep.exe?dl=1                                      (not recorded)
hxxp://www.whatismyip.com/                                                                   190.93.249.164
hxxp://checkip.dyndns.com/ (ET POLICY DynDNS CheckIp External IP Address Server Response)    (not recorded)
n.sw-ho.info                                                                                 146.82.5.222
checkip.dyndns.org                                                                           216.146.39.70
www.dropbox.com                                                                              199.47.216.170
mine.pool-x.eu                                                                               178.33.111.19
dl.dropboxusercontent.com                                                                    23.21.188.196
vids.p0rn-lover.us                                                                           146.82.5.222


Rootkit activity

The Worm installs the following user-mode hooks in WININET.dll:

HttpSendRequestW
InternetWriteFile
HttpSendRequestA

The Worm installs the following user-mode hooks in dnsapi.dll:

DnsQuery_A
DnsQuery_W

The Worm installs the following user-mode hooks in WS2_32.dll:

send
GetAddrInfoW

The Worm installs the following user-mode hooks in kernel32.dll:

MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA

The Worm installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey

Propagation


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    nircmd.exe:1852
    attrib.exe:1244
    1.exe:1220
    323717ac3803f14aa1fdcbea433602d6.exe:1268
    reg.exe:2004
    2.exe:1436
    2.exe:888
    2.exe:1468

  3. Delete the original Worm file.
  4. Delete or disinfect the following files created/modified by the Worm:

    %WinDir%\syso\critical\libcurl-4.dll (1673 bytes)
    %WinDir%\syso\critical\system.exe (1289 bytes)
    %WinDir%\syso\critical\pthreadGC2.dll (2017 bytes)
    %WinDir%\syso\critical\antivirus.bat (108 bytes)
    %WinDir%\syso\critical\sys.bat (337 bytes)
    %WinDir%\syso\critical\zlib1.dll (601 bytes)
    %WinDir%\syso\critical\libcurl.dll (1345 bytes)
    %WinDir%\syso\critical\nircmd.exe (43 bytes)
    %WinDir%\csrss.exe (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Update" = "C:\Windows\syso\critical\antivirus.bat"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Remote Registry Service" = "csrss.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
