W32/Dorkbot-DC

Category: Viruses and Spyware
Type: Win32 worm
Protection available since: 12 Oct 2012 01:53:04 (GMT)
Last Updated: 12 Oct 2012 01:53:04 (GMT)
Prevalence: Small Number of Reports

Examples of W32/Dorkbot-DC include:

Example 1

File Information

Size
604K
SHA-1
6724505baa09e26d77db031936ed6bd62baf5648
MD5
06934ed732b0834b75be9c22c6864f92
CRC-32
329155a5
File type
Windows executable
First seen
2012-10-11

Runtime Analysis

Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {D589C9C7-DDDC-6D6A-5B45-9AC8F8BCC2A8}
    "c:\Documents and Settings\test user\Application Data\Qyzyo\aduld.exe"
  • HKCU\Software\Microsoft\Evvoa
    Uprowa
    (binary data, garbled in extraction; not reproduced)
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000007
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    06 55 a8 0b 06 a8 cd 01
Processes Created
  • c:\Documents and Settings\test user\local settings\application data\xenocode\sandbox\1.0.0.0\2012.10.11t17.20\native\stubexe\@appdatalocal@\xenocode\sandbox\1.0.0.0\2012.10.11t17.19\native\stubexe\@appdata@\qyzyo\aduld.exe
HTTP Requests
  • http://programming-rfc.ir/frank/config.bin
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
DNS Requests
  • programming-rfc.ir
  • www.google.bg
  • www.google.com

Example 2

File Information

Size
989K
SHA-1
b6dfc6b47861d3f51f6d5c59db049267c78b55c3
MD5
5d7d335ad23e3258049a96cb87c69ce0
CRC-32
e43bf2f0
File type
Windows executable
First seen
2012-10-11

Other vendor detection

Kaspersky
Trojan-Spy.Win32.Zbot.bopd

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.11T17.20\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX@1.0.0.0.manifest
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.11T17.19\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX.manifest
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.11T17.19\Virtual\SXS\Manifests\VmX.dll_0x8C9DF666D50A4D841E2DCEE9556484BF.2.manifest
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.11T17.20\Virtual\XRegistry.tmp
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.11T17.19\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX@1.0.0.0.manifest
  • c:\Documents and Settings\test user\Application Data\Pixu\ilhau.xyr
    Size
    477
    SHA-1
    2fe1ce353948afe1971782b8606c34581207ca58
    MD5
    36de75dec33dbbb62b7ec9f14188cdc7
    CRC-32
    a4c406c7
    File type
    Unspecified binary - probably data
    First seen
    2012-10-11
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.11T17.19\Virtual\XRegistry.tmp
  • c:\Documents and Settings\test user\Application Data\Byuv\yzeci.exe
    Size
    138K
    SHA-1
    6006cd5d6822267a4ff6de1120b17f565af6dbd8
    MD5
    78e7f4a52099c0064ee06e991b22e319
    CRC-32
    c7cfe77a
    File type
    Windows executable
    First seen
    2012-10-11
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.11T17.20\Virtual\SXS\Manifests\VmX.dll_0x8C9DF666D50A4D841E2DCEE9556484BF.2.manifest
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.11T17.19\Native\STUBEXE\@APPDATA@\Byuv\yzeci.exe
    Size
    17K
    SHA-1
    a7f20018e4a73e8e52fc58661001ac28067c1c9c
    MD5
    bf7bfe0fa6a394d4735c610936765b0a
    CRC-32
    a5d2db18
    File type
    Windows executable
    First seen
    2012-10-11
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.11T17.20\Native\STUBEXE\@APPDATALOCAL@\Xenocode\Sandbox\1.0.0.0\2012.10.11T17.19\Native\STUBEXE\@SYSTEM@\cmd.exe
    Size
    17K
    SHA-1
    afabe3919dd96fcdfd2a28ce5ff2daa3e69eaf24
    MD5
    ed9686fda98ca8f26ed84c22552b7fd5
    CRC-32
    484270dd
    File type
    Windows executable
    First seen
    2012-10-11
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.11T17.20\Native\STUBEXE\@APPDATALOCAL@\Xenocode\Sandbox\1.0.0.0\2012.10.11T17.19\Native\STUBEXE\@APPDATA@\Byuv\yzeci.exe
    Size
    17K
    SHA-1
    315e0706ad15f4f1c744d3b95f8599b88f41e5c0
    MD5
    5d905af0ca63a7b572b4d7492ee07005
    CRC-32
    d59e4a65
    File type
    Windows executable
    First seen
    2012-10-11
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.11T17.20\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX.manifest
  • c:\Documents and Settings\test user\Local Settings\Temp\sampleorder1.exe
    Size
    604K
    SHA-1
    6724505baa09e26d77db031936ed6bd62baf5648
    MD5
    06934ed732b0834b75be9c22c6864f92
    CRC-32
    329155a5
    File type
    Windows executable
    First seen
    2012-10-11
  • c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.10.11T17.19\Native\STUBEXE\@SYSTEM@\cmd.exe
    Size
    17K
    SHA-1
    400ee277205b90f8ccdd2eaf8418af7de9892c07
    MD5
    7a856cd4df85a1ef4e20424f759f1784
    CRC-32
    380ee1a0
    File type
    Windows executable
    First seen
    2012-10-11
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Iwydza
    Imexysxu
    (binary data, garbled in extraction; not reproduced)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {D589C9C7-DDDC-6D6A-5B45-9AC8F8BCC2A8}
    "c:\Documents and Settings\test user\Application Data\Byuv\yzeci.exe"
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000007
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    6e fb 3a 72 03 a8 cd 01
Processes Created
  • c:\Documents and Settings\test user\local settings\application data\xenocode\sandbox\1.0.0.0\2012.10.11t17.20\native\stubexe\@appdatalocal@\xenocode\sandbox\1.0.0.0\2012.10.11t17.19\native\stubexe\@appdata@\byuv\yzeci.exe
  • c:\Documents and Settings\test user\local settings\application data\xenocode\sandbox\1.0.0.0\2012.10.11t17.20\native\stubexe\@appdatalocal@\xenocode\sandbox\1.0.0.0\2012.10.11t17.19\native\stubexe\@system@\cmd.exe
  • c:\docume~1\support\locals~1\temp\sampleorder1.exe
HTTP Requests
  • http://programming-rfc.ir/frank/config.bin
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
DNS Requests
  • programming-rfc.ir
  • www.google.bg
  • www.google.com