SonicALERT
Search

Sonicwall Signatures

 

Go to All Categories list.


  Dorkbot.B_67
Dorkbot.B_67 is a Worm. Worms are reproducing malicious programs that run independently and travel across network connections without human action. They could spread over email, IM, peer-to-peer networks, or directly over the wire by leveraging vulnerabilities. The threat that a worm poses is its capability to replicate itself on the system so the computer can send out hundreds or thousands of copies of itself.

File Related Changes
It drops the following file(s) on the system:
  • "c:\Users\Admin\AppData\Roaming\Vldsdn.exe"

It modifies the following additional file(s) on the system:
  • "c:\Windows\System32\inetsrv\History\MetaBase_0000000024_0000000000.xml"
  • "c:\Windows\System32\inetsrv\MetaBase.xml.tmp"
  • "c:\Windows\System32\inetsrv\History\MBSchema_0000000024_0000000000.xml"

Process Related Changes
It creates the following mutex(es):
  • "e621ca05-Mutex"
  • "IESQMMUTEX_0_208"
  • "FvLQ49IlzIyLjj6m"

It injects malicious code into the following process(es):
  • "C:\Windows\system32\UI0Detect.exe"
  • "C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe"
  • "C:\Windows\system32\csrss.exe"
  • "C:\Windows\system32\psxss.exe"
  • "C:\Windows\System32\tcpsvcs.exe"
  • "c:\windows\system32\tlntsrv.exe"
  • "C:\Windows\system32\wininit.exe"
  • "C:\Windows\System32\spoolsv.exe"
  • "C:\Windows\System32\mobsync.exe"
  • "C:\Windows\system32\taskhost.exe"
  • "C:\Windows\system32\nfsclnt.exe"
  • "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
  • "C:\Windows\system32\Dwm.exe"
  • "C:\Windows\system32\SearchIndexer.exe"
  • "C:\Windows\system32\inetsrv\inetinfo.exe"
  • "C:\Windows\system32\lsm.exe"

Network Activity
It attempts to connect to the following remote servers:
  • api.wipmania.com:80 (69.197.xxxxxx)
  • tr.byinter.net:6667 (67.208xxxxxx)
  • 1.byinter.net:6667 (67.208xxxxxx)

We observed the following DNS query/queries:
  • api.wipmania.com
  • 1.byinter.net
  • tr.byinter.net

Registry Related Changes
It makes the following registry modifications to ensure infection after system reboot:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vldsdn = C:\Users\Admin\AppData\Roaming\Vldsdn.exe


Relevant Information