Analysis by: Marfel Tiamzon

ALIASES:

Microsoft: Worm:Win32/Dorkbot.gen!A

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This worm arrives by connecting affected removable drives to a system. It arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops copies of itself into all the removable drives connected to an affected system.

It deletes the initially executed copy of itself.

  TECHNICAL DETAILS

File Size: 208,896 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 07 Oct 2011

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %User Profile%\Application Data\{random filename}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random file name} = %User Profile%\Application Data\{random filename}.exe

Propagation

This worm creates the following folders in all removable drives:

  • {drive}:\RECYCLER

It drops copies of itself into all the removable drives connected to an affected system.

It drops the following copy(ies) of itself in all removable drives:

  • {drive}:\RECYCLER\0xFFD12566.exe

Other Details

This worm connects to the following possibly malicious URL:

  • http://{BLOCKED}a.{BLOCKED}gg.se/skalman02/4e28ae2064f07_av.txt

It deletes the initially executed copy of itself