WORM_DORKBOT.N

 Analysis by: Erika Bianca Mendoza

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW


This worm arrives via removable drives. It may be unknowingly downloaded by a user while visiting malicious websites.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.

  TECHNICAL DETAILS

File Size:

86,016 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

06 Jul 2011

Arrival Details

This worm arrives via removable drives.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following files:

  • {removable drive}\recycler.lnk

It drops the following copies of itself into the affected system:

  • {removable drive}\RECYCLER\{random}.exe

It creates the following folders:

  • {removable drive}\RECYCLER
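The artifacts listed above can be checked on a mounted drive with a short script. This is an added example, not part of the original analysis; the function names and the sample tree are constructed for illustration, and matches are leads to triage rather than a verdict.

```python
import os
import tempfile

def scan_drive_root(root):
    """Return (indicator, path) findings for one mounted drive root."""
    findings = []
    try:
        entries = os.listdir(root)
    except OSError:
        return findings  # drive not ready or unreadable
    for name in entries:
        path = os.path.join(root, name)
        lower = name.lower()
        # Shortcut dropped in the drive root: {removable drive}\recycler.lnk
        if lower == "recycler.lnk" and os.path.isfile(path):
            findings.append(("shortcut", path))
        # Worm copies: {removable drive}\RECYCLER\{random}.exe
        # A folder named RECYCLER is not conclusive by itself: Windows 2000/XP
        # use that name for the NTFS Recycle Bin, with per-user SID subfolders.
        # Only executables sitting directly inside it are reported.
        if lower == "recycler" and os.path.isdir(path):
            try:
                children = os.listdir(path)
            except OSError:
                continue
            for child in children:
                child_path = os.path.join(path, child)
                if child.lower().endswith(".exe") and os.path.isfile(child_path):
                    findings.append(("exe_in_recycler", child_path))
    return findings

def build_sample_drive(base):
    """Constructed sample tree standing in for a removable drive (empty files)."""
    os.makedirs(os.path.join(base, "RECYCLER"))
    os.makedirs(os.path.join(base, "Photos"))
    for rel in ("recycler.lnk",
                os.path.join("RECYCLER", "a1b2c3.exe"),   # constructed name
                os.path.join("RECYCLER", "desktop.ini"),
                os.path.join("Photos", "setup.exe")):     # benign control
        open(os.path.join(base, rel), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drive:
        build_sample_drive(drive)
        for kind, path in scan_drive_root(drive):
            print(kind, path)
```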

Download Routine

This worm connects to the following malicious URLs:

  • ng.{BLOCKED}loan.com
  • ng.{BLOCKED}ketbaby.com
  • ng.{BLOCKED}allone.com
  • ng.{BLOCKED}pperz11.com
  • {BLOCKED}ousez11.com

Other Details

This worm connects to the following URL(s) to get the affected system's IP address:

  • http://{BLOCKED}i.{BLOCKED}nia.com
