DorkBot

Description

Win32/Dorkbot is a family of IRC-based worms that spreads via removable drives, instant messaging programs, and social networks. Variants of Win32/Dorkbot may capture user names and passwords by monitoring network communication, and may block websites that are related to security updates. It may also launch a limited denial of service (DoS) attack.

Symptoms

You may see the following files (among others) on the infected machine:

  • facebook-profile-pic-(random string)-JPEG.exe
  • facebook-pic00(random string).exe

Analysis

Dorkbot is commonly spread through instant messaging or social networks. A link is sent that points to a copy of the bot; when the file is downloaded and run, it infects the victim's computer. Once installed, Dorkbot may attempt to copy itself onto removable USB drives in order to spread to other computers that have autorun enabled. Dorkbot can connect to an IRC server, where it joins a control channel and waits for commands from the attacker. The commands it accepts include ones to:

  • Download and run executables
  • Delete the downloaded file as well as run the file on next reboot
  • Update itself
  • Uninstall itself
  • Capture login and password information
  • Block Web sites
  • Redirect requests to Web sites
  • Report statistics to its controller
  • Launch or stop Denial of Service (DoS) attacks

Dorkbot also injects itself into explorer.exe and may inject other running processes.
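Two of the behaviours in this analysis leave traces a defender can check for: the autorun.inf entries used to spread via removable drives, and IRC traffic originating from explorer.exe, which has no legitimate reason to speak IRC. The script below is an added example and not FortiGuard's tooling. It assumes two things the entry does not state: that the C2 channel uses the conventional IRC ports 6667 and 6697 (tune this list for your environment), and that connection data arrives as netstat-like lines with the owning PID and process name appended (the format an endpoint collection script might produce). Both sample inputs are constructed.

```python
import configparser
import re

# Assumption: conventional IRC ports. The entry does not state Dorkbot's C2 port.
IRC_PORTS = {6667, 6697}

# Assumed collector format: proto, local addr:port, remote addr:port, state, pid, process.
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s+(?P<proc>\S+)\s*$"
)


def parse_connections(text: str):
    """Parse netstat-like lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            row = m.groupdict()
            row["rport"] = int(row["rport"])
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows


def irc_from_shell_processes(rows, shell_names=("explorer.exe",)):
    """Return connections to IRC ports owned by processes that should never use IRC.
    Dorkbot injects into explorer.exe, so that is the default process of interest."""
    return [
        r for r in rows
        if r["rport"] in IRC_PORTS and r["proc"].lower() in shell_names
    ]


def autorun_launch_targets(autorun_text: str):
    """Return the executables an autorun.inf would launch (open= / shellexecute=).
    Section name is compared case-insensitively; duplicate keys are tolerated."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(autorun_text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key in ("open", "shellexecute"):
            if cp.has_option(section, key):
                targets.append(cp.get(section, key).strip())
    return targets


# Constructed samples (not real captures) for a stand-alone run.
SAMPLE_NETSTAT = """\
  TCP    192.168.1.10:49321   203.0.113.5:6667    ESTABLISHED    1234   explorer.exe
  TCP    192.168.1.10:49322   198.51.100.7:443    ESTABLISHED    2345   chrome.exe
  TCP    192.168.1.10:49323   203.0.113.9:6697    ESTABLISHED    3456   mirc.exe
"""

SAMPLE_AUTORUN = """\
[AutoRun]
open=facebook-pic00x7Q2.exe
action=Open folder to view files
"""

if __name__ == "__main__":
    for r in irc_from_shell_processes(parse_connections(SAMPLE_NETSTAT)):
        print(f"IRC-port connection from {r['proc']} (pid {r['pid']}) to {r['raddr']}:{r['rport']}")
    for target in autorun_launch_targets(SAMPLE_AUTORUN):
        print("autorun.inf launches:", target)
```

In practice the IRC check is a hunting query rather than a blocking rule: a legitimate IRC client on port 6667 (mirc.exe in the sample) is not flagged because the filter keys on the process name, and a bot that uses a non-standard port is missed unless IRC_PORTS is widened. The autorun.inf check, run against each removable drive as it is mounted, reports what the drive would launch so the target file can be pulled for scanning.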

Instructions

Manual removal of Dorkbot is not advised. It is recommended that you run a complete scan of your computer using FortiClient Endpoint Protection in order to remove this malware.
