Tentang Virus DorkBot.Bx

Other Common Detection Aliases

Other brands and names may be claimed as the property of others.

Activities	Risk Levels
Attempts to load and execute remote code in explorer process
Attempts to load and execute remote code in a system process.
Attempts to write to a memory location of a protected process.
Attempts to write to a memory location of a Windows system process
Attempts to write to a memory location where winlogon resides
Attempts to load and execute remote code in a previously loaded process
Attempts to write to a memory location of a previously loaded process.
Enumerates many system files and directories.
Enumerates process list
Process attempts to call itself recursively
Attempts to write to a memory location of an unknown process
No digital signature is present

System Changes

Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files

The following files were analyzed:

1dd.tmp

	The following files have been added to the system:
	%APPDATA%\Cdvmvo.exe

	The following files have been changed:
	%WINDIR%\SYSTEM32\catroot2\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\catdb %WINDIR%\SYSTEM32\catroot2\edb.chk %WINDIR%\SYSTEM32\catroot2\edb.log %WINDIR%\SYSTEM32\catroot2\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\catdb

	The following files were temporarily written to disk then later removed:
	%WINDIR%\SYSTEM32\catroot2\tmp.edb

	The following registry elements have been changed:
	HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\CDVMVO = %APPDATA%\Cdvmvo.exe

	The applications attempted the following network connection(s):
	173.246.103.**:4949 (irc) : NICK n{US|XPa}qqonxsj hxxp://api.wipmania.com/

• Submission details:
• Submission received: 30 November 2011, 18:07:02
• Processing time: 14 min 26 sec
• Submitted sample:
• File MD5: 0xE87E6EE3BCB95A9851AE53D46DE583D6
• File SHA-1: 0x8A2239F360D0F3A206D9ABE4550AD44A5343EA1D
• Filesize: 1,903,189 bytes
• Alias:
• Trojan.Gen.2 [Symantec]
• Worm.Win32.Ngrbot.hel [Kaspersky Lab]
• Worm.Win32.Dorkbot [Ikarus]

• Summary of the findings:

What’s been found	Severity Level
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

• The new window was created, as shown below:

Possible Security Risk

• Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\1.tmp %AppData%\2.tmp %AppData%\Fbxaxf.exe	282,624 bytes	MD5: 0x4419BA71E46C2B6180D8C5FB5F14EFB0 SHA-1: 0x6187916D3C3511B9AE9874A3868B175659D46EC4	(not available)
2	%AppData%\3.exe	327,680 bytes	MD5: 0xACB887FE28C2D1206B8835935506E6B8 SHA-1: 0x9E0E8218B3BCAC5931CE448EE8FEFF1333813F2E	(not available)
3	%AppData%\5.exe	474,829 bytes	MD5: 0x2D04724F3EACF65CB140B8B3F36C5C97 SHA-1: 0xE195798A6F76010673B457B2D8CEADC29E3E22A5	(not available)
4	%AppData%\6.exe	388,535 bytes	MD5: 0x7781C1145869CDF87CF61D671247E80E SHA-1: 0xE2F76F546D3E4FF3E748FB6D4B1B3D2890C3B1DA	(not available)
5	%AppData%\7.exe	398,081 bytes	MD5: 0x37FBCA12ADFF251A3B0BC75EF81CE752 SHA-1: 0x951C62AB205B7CD0C783273170D1DEF56EA25AFE	Trojan.ADH [PCTools] Trojan.Gen.2 [Symantec] not-a-virus:RiskTool.Win32.HideExec.r [Kaspersky Lab] W32/IRCbot.gen.bc [McAfee] Trojan:Win32/Sisproc [Microsoft] Trojan.BAT.Miner [Ikarus]
6	%AppData%\9.tmp %AppData%\Wcxaxw.exe	294,912 bytes	MD5: 0xDAFF13B10AD87D9F578555B641758FA1 SHA-1: 0x377E0C14DCF65A9B027748775BC7ACD3E06BAB67	(not available)
7	%AppData%\A.exe	137,024 bytes	MD5: 0x7DBB979C1CBCFAEBC9792D47E05A841C SHA-1: 0xC73BB9319146F6AD76FFE143685578E51B097587	(not available)
8	%AppData%\kakao3\fuckHDZSDP.exe %Temp%\fuckHDZSDP.exe	278,528 bytes	MD5: 0xAE9C07D9B2EA9C1F58E32D3C44B0F33E SHA-1: 0xE1E72AE01919BC8F0BD236AA00EED4D029C7CCE7	Trojan.Gen [PCTools] Trojan.Gen [Symantec] Trojan.Win32.FakeAv.irgx [Kaspersky Lab] BackDoor-DOQ.gen.as [McAfee] Mal/Generic-L [Sophos] Trojan:Win32/Malagent [Microsoft] Trojan.Win32.Buzus [Ikarus]
9	%AppData%\kakao3\new.exe %Temp%\new.exe	57,344 bytes	MD5: 0xC31027010355FD8F52FE3640048ACD37 SHA-1: 0x5DD50D63D76B8E1CEFBC019CFD414C57FFFEAA72	(not available)
10	%AppData%\PickaVamMaterina2\HDZ.exe	57,344 bytes	MD5: 0x7A8DF56F23106AD0D9D786BAE4ED75BC SHA-1: 0xBD78A2F8FEAA92C5B18BBFFD0EB1399A0644F5BC	(not available)
11	%AppData%\PickaVamMaterina2\Ivo_Sanader.exe	389,120 bytes	MD5: 0x0A4EB0CB242A27AEC20A281F4293FC5E SHA-1: 0x4BA9C00EAC0317346A0AAC3AE8AFB7D4057863EA	(not available)
12	%AppData%\jqycpqe.exe %Temp%\zxjidmw.exe	344,576 bytes	MD5: 0x6D6BD4C8256D75B314BDD644C1240917 SHA-1: 0x1ACCD82D27F6511375F5635BDAAC8B3BAFF0E624	Trojan.FakeAV [PCTools] Trojan.FakeAV!gen64 [Symantec] Trojan.Win32.FakeAV.dvjc [Kaspersky Lab] FakeAlert-SecurityTool.bt [McAfee] Mal/FakeAV-KL [Sophos] Trojan.Win32.FakeAV [Ikarus]
13	%Temp%\about.exe	57,344 bytes	MD5: 0xC52F6C51034FD72CB65483DAB4E51438 SHA-1: 0xB0039E980891438B76419E0CEF9040FA1C413E93	(not available)
14	%Temp%\del.exe	159,232 bytes	MD5: 0x99D3FD2985012D43C3D532CF1F70B342 SHA-1: 0xD0018933F627CD668DFEBC1B3AAD8D4C25D2D82B	Malware.W95-CIH [PCTools] W95.CIH.damaged [Symantec] Generic.dx!xon [McAfee] Mal/Generic-L [Sophos] Trojan:Win32/Dynamer!dtc [Microsoft] Virus.Win9x.CIH [Ikarus]
15	%Temp%\hid.exe	44,040 bytes	MD5: 0xC1C769D742F88E441DED76BF57A5A45C SHA-1: 0x06872DABD41E70DC4EF8FD5131B334BE8A17DB3C	Net-Worm.SillyFDC [PCTools] not-a-virus:RiskTool.Win32.HideExec.r [Kaspersky Lab]
16	%Temp%\HRSearchC.exe	287,744 bytes	MD5: 0x5E03A535C8BEF1AB056074D68CE7A5E0 SHA-1: 0x689974AE94DF135E21F5711C06B5DC72DA3F9128	Trojan.Gen [PCTools] Trojan.Gen.2 [Symantec] Generic.dx!banc [McAfee] Trojan.ATRAPS [Ikarus] packed with PE_Patch.PECompact [Kaspersky Lab]
17	%Temp%\Jttetn.exe	139,264 bytes	MD5: 0x585F2F27EF6D87CD4CC9A8501EAAA6FE SHA-1: 0x0AB77FD8C68025F4E579C4C58C05874108F20F5A	Trojan.Gen [PCTools] Trojan.Gen [Symantec] Backdoor.Win32.Ruskill.g [Kaspersky Lab] Downloader-CMU.d [McAfee] Mal/Generic-L [Sophos] Worm:Win32/Dorkbot.A [Microsoft] Worm.Win32.Dorkbot [Ikarus]
18	%Temp%\Mstetq.exe	143,360 bytes	MD5: 0x167F4EF7C1225451EF69DB10D3B16611 SHA-1: 0xE5D356E142ED28AB5A0748CD04BB792C9514192A	Worm.Win32.Ngrbot.hdy [Kaspersky Lab] BackDoor-DOQ.gen.as [McAfee] Mal/EncPk-AAQ [Sophos] Worm:Win32/Dorkbot.A [Microsoft] Worm.Win32.Dorkbot [Ikarus]
19	%Temp%\newmoon17.exe	367,889 bytes	MD5: 0x1CE65C3C14F7F09C08C50FBB6A8C1CC4 SHA-1: 0x46E4FD565736FF96A94F5B762C1F875C32585A1B	Trojan.Win32.FakeAv.irgx [Kaspersky Lab] Generic FakeAlert!tz [McAfee] Mal/Generic-L [Sophos] Trojan.Win32.Buzus [Ikarus]
20	%Temp%\x30811.exe	1,012,224 bytes	MD5: 0x4BC19BC59EC9C4A987079A618CF18C68 SHA-1: 0xC4EC15672E96CEC3411CCE377BFFEAB55BA8C88D	Trojan.Gen [PCTools] Trojan.Gen.2 [Symantec] Generic.tfr!r [McAfee] Trojan:Win32/Orsam!rts [Microsoft] Win32.SuspectCrc [Ikarus]
21	%Temp%\yz.bat	180 bytes	MD5: 0xD6C231471750C153641E292D746814B5 SHA-1: 0x16EC0A913564D18A6D03711415B272FDECC3E867	Trojan.BAT.Miner.i [Kaspersky Lab] Trojan.BAT.Miner [Ikarus]
22	%Programs%\Startup\Demokratska2.exe	418,008 bytes	MD5: 0xCF4C9FA0F9B2AB5CA96C7C2AF8B26C75 SHA-1: 0x6B9F44527B91AD9DAC7AD1D396787496DBE37BEE	(not available)
23	%Programs%\Startup\dxdiag.exe	23,552 bytes	MD5: 0x9EA5BEFAB3FAB1D19D70F8D917463D13 SHA-1: 0xBCABE617AF58EFB8B0E759111044BDBB8F3F6152	Trojan.Gen [PCTools] Trojan.Gen [Symantec] Trojan.Win32.Jorik.Aspxor.y [Kaspersky Lab] Generic Downloader.z [McAfee] Troj/Bredo-IK [Sophos] Trojan.Agent_r [Ikarus]
24	%Programs%\Startup\stepx2.exe	348,530 bytes	MD5: 0x0764BEF5D967DCE3784E18D204BB90E6 SHA-1: 0x896A45B21C554B723503BC5865677733C025FC23	Trojan.ADH [PCTools] Trojan.Gen.2 [Symantec] Trojan.BAT.Miner.i, not-a-virus:RiskTool.Win32.HideExec.r [Kaspersky Lab] Generic.tfr!r [McAfee] Trojan.BAT.Miner [Ikarus]
25	%Programs%\Startup\taskmgr.exe	826,184 bytes	MD5: 0x47CFDF331A80B2028A1B8ACA61BD191B SHA-1: 0xD10BD40A735C6EFBFA4FBFA6C842B4DB5DBA9445	(not available)
26	[file and pathname of the sample #1]	1,903,189 bytes	MD5: 0xE87E6EE3BCB95A9851AE53D46DE583D6 SHA-1: 0x8A2239F360D0F3A206D9ABE4550AD44A5343EA1D	Trojan.Gen.2 [Symantec] Backdoor.Win32.Ruskill.g, Worm.Win32.Ngrbot.hdy, Trojan.Win32.Jorik.Aspxor.y, Trojan.Win32.FakeAv.irgx, Trojan.Win32.FakeAV.dvjc, Worm.Win32.Ngrbot.hel [Kaspersky Lab] Worm.Win32.Dorkbot [Ikarus]

• Notes:
• %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %Programs% is a variable that refers to the file system directory that contains the user’s program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.

• The following directories were created:
• %AppData%\kakao3
• %AppData%\PickaVamMaterina2

Memory Modifications

• There was a new process created in the system:

Process Name	Process Filename	Main Module Size
del.exe	%Temp%\del.exe	184,320 bytes

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SOFTWARE\HRSearch
• HKEY_LOCAL_MACHINE\SOFTWARE\HRSearch\Data
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_CURRENT_USER\Software\gnzyyfavskozwffiqimedkeykicvah
• HKEY_CURRENT_USER\Software\jnbsjxsrphezdokcyofecvybrkjlrh
• HKEY_CURRENT_USER\Software\WinRAR SFX

• The newly created Registry Values are:
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• Scxaxs = “%AppData%\Scxaxs.exe”
• Lcxaxl = “%AppData%\Lcxaxl.exe”
• Wcxaxw = “%AppData%\Wcxaxw.exe”
• Fbxaxf = “%AppData%\Fbxaxf.exe”

so that Wcxaxw.exe runs every time Windows starts
so that Fbxaxf.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\gnzyyfavskozwffiqimedkeykicvah]
• wfdijwaopfddvmieihccsyrbpsbqhy = “”
• [HKEY_CURRENT_USER\Software\jnbsjxsrphezdokcyofecvybrkjlrh]
• dncirhudbpmysvlqkzovzmfcsemsko = “”
• [HKEY_CURRENT_USER\Software\WinRAR SFX]
• C%%Documents and Settings%%UserName%%Application Data%kakao3 = “%AppData%\kakao3”
• C%%Documents and Settings%%UserName%%Start Menu%Programs%Startup = “%Programs%\Startup”
• C%%Documents and Settings%%UserName%%Application Data%PickaVamMaterina2 = “%AppData%\PickaVamMaterina2”
• C%%DOCUME~1%%UserName%%LOCALS~1%Temp = “%UserProfile%\LOCALS~1\Temp”

Other details

• There were registered attempts to establish connection with the remote hosts. The connection details are:

• The data identified by the following URLs was then requested from the remote web server:
• http://api.wipmania.com/
• http://img105.herosh.com/2011/11/30/745759013.gif

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 3212:

00000000 | 1703 0000 1DAB E65A 5272 636E 2145 D536 | …….ZRrcn!E.6
00000010 | DE93 29D5 30B1 C61D 332C 9A67 949A BC7A | ..).0…3,.g…z
00000020 | 9E5B 1703 0000 274F ADFB BF5C 4E3A FB4E | .[….’O…\N:.N
00000030 | D8CC C0CA 0050 D50D 9575 5A23 C707 EC0B | …..P…uZ#….
00000040 | 7581 0719 F6AE 5AD5 F944 AE93 A1AA 1703 | u…..Z..D……
00000050 | 0000 2BD7 208A C1F7 256B F9F6 9CDE A553 | ..+. …%k…..S
00000060 | 9E96 B39D A07E 1DAD B1C6 97A4 3724 EC7E | …..~……7$.~
00000070 | 3C85 F623 B80B 6153 9522 16E0 3A10 1703 | <..#..aS."..:... 00000080 | 0000 2B17 0300 0021 DA71 8326 C5E8 AA2A | ..+....!.q.&...* 00000090 | 9569 1FB6 841A 28FF 3CFD E0B3 CAED 2701 | .i....(.<.....'. 000000A0 | 1E3B 92FF EAA9 C7EA F58C F1E4 D1DA 5265 | .;............Re 000000B0 | 3174 9F17 0300 002B B706 D784 55DF CA99 | 1t.....+....U... 000000C0 | F14D 26E9 7B04 A824 A720 6035 1958 3851 | .M&.{..$. `5.X8Q 000000D0 | 62B7 EF3D D371 4100 05A9 261E 9405 6B9A | b..=.qA...&...k. 000000E0 | 391E C3A9 1497 5C92 EE8B FF97 4DC9 F64B | 9.....\.....M..K 000000F0 | 0686 843D 1503 0000 12C0 9AF5 9FE9 9F49 | ...=...........I 00000100 | D9E3 B6AD 3696 8DE8 80F7 AA16 0300 0041 | ....6..........A 00000110 | 0100 003D 0300 4ED6 E189 B267 390E FDB0 | ...=..N....g9... 00000120 | F1DE 8842 4A95 84E3 FB81 300E 64F0 39B7 | ...BJ.....0.d.9. 00000130 | A36E 5D63 987C 0000 1600 0400 0500 0A00 | .n]c.|.......... 00000140 | 0900 6400 6200 0300 0600 1300 1200 6301 | ..d.b.........c. 00000150 | 0015 0300 0002 0129 1603 0000 8410 0000 | .......)........ 00000160 | 807F CF33 A19D 39EE 435D ED5D 92EF 7B8E | ...3..9.C].]..{. 00000170 | 5BCF AB87 2357 E0F2 1505 1282 6EE9 A547 | [...#W......n..G 00000180 | 4E1F 9858 939A 5769 3956 3625 8F42 893B | N..X..Wi9V6%.B.; 00000190 | 1E8B 4CF4 FD81 33EA B29E F34C 60CE 341B | ..L...3....L`.4. 000001A0 | 1C77 896E 6C8B E959 F873 F09A 1E96 DB05 | .w.nl..Y.s...... 000001B0 | 9A35 3ABB 0986 976E 5283 1942 1B35 58DC | .5:....nR..B.5X. 000001C0 | 1452 FBA5 76CA FEED 54E9 CD6D 3C4D FA84 | .R..v...T..m