W32/Donk-E

Category: Viruses and Spyware
Protection available since: 15 Oct 2003 00:00:00 (GMT)
Type: Win32 executable file virus
Last Updated: 15 Oct 2003 00:00:00 (GMT)
Prevalence: Small Number of Reports


W32/Donk-E is a network worm and backdoor Trojan.

W32/Donk-E copies itself to network shares with weak passwords and attempts
to spread to computers using the DCOM RPC vulnerability.

This vulnerability allows the worm to execute its code on target computers
with System-level privileges. For further information on this vulnerability,
and for details on how to protect or patch the computer, see Microsoft
security bulletin MS03-026.

When first run, W32/Donk-E copies itself to the Windows system folder as
COOL.EXE and NETAPI32.EXE and creates the following registry entries so that
NETAPI32.EXE is run automatically each time Windows is started:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft System Checkup = NETAPI32.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft System Checkup = NETAPI32.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NT Logging Service = SYSLOG32.EXE

(Although it creates the third entry, W32/Donk-E fails to copy itself as SYSLOG32.EXE.)
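As an added defender-side example that is not part of the Sophos write-up, the following Python scans an offline registry export (the text produced by `reg export HKLM ...`) for the three autorun values listed above, matching on the executable name so a full path to NETAPI32.EXE or SYSLOG32.EXE still counts. The sample export embedded in the script is constructed for illustration.

```python
import re

# Persistence values named in the write-up (key, value name, executable).
# HKLM is spelled out as HKEY_LOCAL_MACHINE, which is how reg.exe exports it.
HKLM_CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
DONK_E_VALUES = [
    (HKLM_CV + r"\Run", "Microsoft System Checkup", "NETAPI32.EXE"),
    (HKLM_CV + r"\RunServices", "Microsoft System Checkup", "NETAPI32.EXE"),
    (HKLM_CV + r"\Run", "NT Logging Service", "SYSLOG32.EXE"),
]

def parse_reg_export(text):
    """Parse [key] headers and "name"="data" string values of a .reg export
    into {key_lower: {name_lower: data}}; non-string value types are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"', line)
        if m and current is not None:
            # .reg exports escape quotes and backslashes inside string data.
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1).lower()] = data
    return keys

def find_donk_e_persistence(reg_text):
    """Return 'key\\name = data' for each Donk-E autorun value present;
    an empty list means none of the write-up's entries were found."""
    keys = parse_reg_export(reg_text)
    hits = []
    for key, name, exe in DONK_E_VALUES:
        data = keys.get(key.lower(), {}).get(name.lower())
        # Compare on the file name only, so a full path still matches.
        if data is not None and data.rsplit("\\", 1)[-1].upper() == exe:
            hits.append(f"{key}\\{name} = {data}")
    return hits

# Constructed sample export: one benign autorun plus the three Donk-E values.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"Microsoft System Checkup"="NETAPI32.EXE"
"NT Logging Service"="SYSLOG32.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft System Checkup"="C:\\WINNT\\system32\\NETAPI32.EXE"
"""

if __name__ == "__main__":
    for hit in find_donk_e_persistence(SAMPLE_REG):
        print("suspicious autorun:", hit)
```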

W32/Donk-E connects to other computers on the local network that have weak
passwords and then copies itself to the following startup folders:

\WINNT\Profiles\All Users\Start Menu\Programs\Startup
\WINDOWS\Start Menu\Programs\Startup
\Documents and Settings\All Users\Start Menu\Programs\Startup

W32/Donk-E also includes backdoor Trojan functionality that allows a remote
intruder to access and control the computer via IRC channels.

Each time W32/Donk-E is run it tries to connect to a remote IRC server and
join a specific channel. W32/Donk-E then runs continuously in the background as
a service process listening for commands to execute.

The remote intruder is then able to carry out a variety of actions, such as
gathering system information, downloading files, launching a DDoS flood
against another computer and executing programs. One of the files that
W32/Donk-E may download and execute on the victim's computer is W32/Donk-D.
