Summary

| Protection available since | 15 October 2003 00:52:45 (GMT) |
|---|---|
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Please read the instructions for removing W32/Donk-D.
More Information
W32/Donk-D is a network worm and backdoor Trojan.
W32/Donk-D copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC vulnerability.
This vulnerability allows the worm to execute its code on target computers with System level privileges. For further information on this vulnerability and for details on how to protect/patch the computer, see Microsoft security bulletin MS03-026.
When first run, W32/Donk-D copies itself to the Windows System folder as Cool.exe and Wnetlib.exe and creates the following registry entries so that Wnetlib.exe is run automatically each time Windows is started:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft System Checkup = wnetlib.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft System Checkup = wnetlib.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
NT Logging Service = syslog32.exe
(W32/Donk-D fails to copy itself as syslog32.exe.)
W32/Donk-D connects to other computers on the local network that have weak passwords and then copies itself to the following startup folders:
\WINNT\Profiles\All Users\Start Menu\Programs\Startup
\WINDOWS\Start Menu\Programs\Startup
\Documents and Settings\All Users\Start Menu\Programs\Startup
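The persistence artefacts listed above (the Run and RunServices values, the copies in the System folder and the startup folders) are what a responder would check first on a suspect host. The following triage helper is an added example, not Sophos code: it works offline on a .reg export and a file listing, and the registry export and file paths it contains are constructed sample data, not captures from an infected machine.

```python
"""Triage helper for the W32/Donk-D persistence artefacts described above:
the Run / RunServices values and the copies dropped into the System folder
and the startup folders.  Added example, not Sophos code.  It works on a
.reg export and a file listing so it can be run offline; the sample data at
the bottom is constructed."""
import re
from typing import Dict, List, Tuple

# Indicators taken from the advisory: (key, value name, data).
REGISTRY_INDICATORS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Microsoft System Checkup", "wnetlib.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
     "Microsoft System Checkup", "wnetlib.exe"),
    # Kept even though the advisory notes the syslog32.exe copy fails:
    # the registry value itself is still written and is a usable indicator.
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "NT Logging Service", "syslog32.exe"),
]
DROPPED_FILES = {"cool.exe", "wnetlib.exe"}
STARTUP_FOLDERS = [
    r"\WINNT\Profiles\All Users\Start Menu\Programs\Startup",
    r"\WINDOWS\Start Menu\Programs\Startup",
    r"\Documents and Settings\All Users\Start Menu\Programs\Startup",
]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax that 'reg export' writes: [key]
    headers followed by "name"="data" lines.  Keys are normalised to the
    short HKLM form used in the advisory and lower-cased, because the
    registry is not case-sensitive."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1].replace("HKEY_LOCAL_MACHINE", "HKLM")
                       .rstrip("\\").lower())
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]*)"="([^"]*)"', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def find_registry_hits(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for every indicator that is present."""
    hits = []
    for key, name, data in REGISTRY_INDICATORS:
        for vname, vdata in reg.get(key.lower(), {}).items():
            # Exact value name; the data may carry a directory prefix.
            if vname.lower() == name.lower() and vdata.lower().endswith(data):
                hits.append((key, vname, vdata))
    return hits


def find_file_hits(paths: List[str]) -> List[str]:
    """Flag the dropped executables wherever they sit, plus any executable
    in the startup folders the worm writes to.  Startup-folder hits are
    triage candidates and may include legitimate entries."""
    hits = []
    startup = [f.lower() for f in STARTUP_FOLDERS]
    for p in paths:
        low = p.replace("/", "\\").lower()
        name = low.rsplit("\\", 1)[-1]
        in_startup = any(f in low for f in startup)
        if name in DROPPED_FILES or (in_startup and name.endswith(".exe")):
            hits.append(p)
    return hits


def triage(reg_text: str, paths: List[str]) -> Dict[str, list]:
    return {"registry": find_registry_hits(parse_reg_export(reg_text)),
            "files": find_file_hits(paths)}


# Constructed sample data (not taken from a real infected host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft System Checkup"="wnetlib.exe"
"NT Logging Service"="syslog32.exe"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft System Checkup"="wnetlib.exe"
'''
SAMPLE_FILES = [
    r"C:\WINNT\System32\wnetlib.exe",
    r"C:\WINNT\System32\Cool.exe",
    r"C:\WINNT\System32\kernel32.dll",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wnetlib.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini",
]

if __name__ == "__main__":
    for kind, found in triage(SAMPLE_REG, SAMPLE_FILES).items():
        for hit in found:
            print(kind, hit)
```

On a live host the same two inputs come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion ...` and a recursive directory listing; the matching is case-insensitive and tolerates a path prefix in the value data, since only the file name is fixed by the advisory.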
W32/Donk-D also includes backdoor Trojan functionality which allows a remote intruder to access and control the computer via IRC channels.
Each time W32/Donk-D is run, it tries to connect to a remote IRC server and join a specific channel. W32/Donk-D then runs continuously in the background, listening for commands to execute.
The remote intruder is then able to carry out a variety of actions, such as: get system information, download files, perform a DDoS flooding attack against another computer and execute programs.
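The backdoor behaviour described above (a process started at boot that connects out to an IRC server and joins a channel) is detectable on the network side by the IRC registration commands themselves rather than by destination port. The following detection logic is an added example, not Sophos code; the connection-log format and the sample lines are constructed for the example, and the IRC command names come from the IRC protocol (RFC 1459). The advisory does not name the server or channel, so those values are placeholders.

```python
"""Detection logic for the IRC command-and-control behaviour described in
the advisory.  Added example, not Sophos code.  The log format (one
connection per line with the first payload bytes) and the sample lines are
constructed; the server address and channel name are placeholders."""
import re
from typing import Dict, List, Optional

# File names the advisory says the worm runs under; a backdoor spawned from
# the Run keys shows up under one of these process names.
SUSPECT_PROCESSES = {"wnetlib.exe", "cool.exe", "syslog32.exe"}
# IRC client commands that open a session: registration and channel join.
# Matched at line start so that ordinary text containing the words is ignored.
IRC_COMMANDS = re.compile(r"(?m)^(NICK|USER|JOIN|PASS) ")
STANDARD_IRC_PORTS = {6667}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) '
    r'dst=(?P<ip>[\d.]+):(?P<port>\d+) payload="(?P<payload>.*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev: Dict[str, object] = m.groupdict()
    ev["port"] = int(m.group("port"))
    # The log stores CR/LF as the literal escapes \r\n; restore real line breaks.
    ev["payload"] = m.group("payload").replace("\\r\\n", "\r\n")
    return ev


def classify(ev: Dict[str, object]) -> List[str]:
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons = []
    cmds = set(IRC_COMMANDS.findall(str(ev["payload"])))
    if cmds:
        reasons.append("irc-commands:" + ",".join(sorted(cmds)))
        if ev["port"] not in STANDARD_IRC_PORTS:
            # IRC on a non-standard port slips past port-based rules.
            reasons.append("irc-on-port-%d" % ev["port"])
    if str(ev["proc"]).lower() in SUSPECT_PROCESSES:
        reasons.append("known-dropper-name")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            alerts.append({"host": ev["host"], "proc": ev["proc"],
                           "dst": "%s:%d" % (ev["ip"], ev["port"]),
                           "reasons": reasons})
    return alerts


# Constructed sample log: an infected host beaconing on the standard port,
# a second session on an unusual port, and a benign HTTP request.
SAMPLE_LOG = [
    r'2003-10-15T00:53:01Z host=WS042 proc=wnetlib.exe dst=198.51.100.7:6667 '
    r'payload="NICK ws042x\r\nUSER ws042x 0 * :ws042x\r\nJOIN #placeholder\r\n"',
    r'2003-10-15T00:54:10Z host=WS042 proc=svchost.exe dst=203.0.113.9:8080 '
    r'payload="NICK k3\r\nUSER k3 0 * :k3\r\nJOIN #placeholder\r\n"',
    r'2003-10-15T00:55:42Z host=WS017 proc=iexplore.exe dst=192.0.2.10:80 '
    r'payload="GET / HTTP/1.1\r\nHost: intranet.example\r\n"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["host"], alert["proc"], alert["dst"], *alert["reasons"])
```

The two checks are deliberately independent: a match on the payload catches the channel join even when the process has been renamed, and a match on the process name catches the dropper even when the payload is not visible, so either alone is enough to raise an alert.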
