W32/Dorkbot-EE

Category: Viruses and Spyware
Type: Win32 worm
Protection available since: 30 Jan 2013 08:10:29 (GMT)
Last Updated: 30 Jan 2013 08:10:29 (GMT)
Prevalence: Small Number of Reports


W32/Dorkbot-EE exhibits the following characteristics:

File Information

Size: 164K
SHA-1: 431ba86dbc19606ad7b5729368aff98dad21aed6
MD5: 5eff80e9e773336eb22b9c1ba28a4dd5
CRC-32: 663fbc84
File type: Windows executable
First seen: 2013-01-29

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Yfmod\seivf.exe
    Size: 164K
    SHA-1: ab420e469994231d4b27c64b39498b95097ce7b5
    MD5: bf8773e391337ebdbf6b54e58ab552ee
    CRC-32: 1a3048ed
    File type: Windows executable
    First seen: 2013-01-29
  • c:\Documents and Settings\test user\Application Data\Ciit\uxfu.agy
    Size: 477
    SHA-1: 8bfeae71f51928e48db6c7719d0093a37d9c2c46
    MD5: ca15aadcd00c179e02eeb346e7d2ab2b
    CRC-32: df5cf886
    File type: Unspecified binary - probably data
    First seen: 2013-01-29
  • c:\Documents and Settings\test user\Application Data\Ciit\uxfu.tmp
    Size: 563
    SHA-1: 8c00e6e123457440115b6839c9918fc518d9ba46
    MD5: 84c24c94312ab7cfd9c754a8911198e2
    CRC-32: 37d842b2
    File type: Unspecified binary - probably data
    First seen: 2013-01-29
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies = 0x00000000
  • HKCU\Software\Microsoft\Naxu
    Ehxu = (binary data, not reproduced)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {A01CA728-1BE4-DDFE-913F-A1D353901F89} = "c:\Documents and Settings\test user\Application Data\Yfmod\seivf.exe"
  • HKCU\Identities
    Identity Login = 0x00098053
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp = 2a a1 34 61 3f fe cd 01
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count = 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609 = 0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\yfmod\seivf.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://www.carnesviba.com/ja/images/te.bin
  • http://www.google.bg/webhp
  • http://www.google.com/webhp
IP Connections
  • 168.144.170.216:80
DNS Requests
  • www.carnesviba.com
  • www.google.bg
  • www.google.com
