W32/Dolebot-A

Please follow the instructions for removing worms.

W32/Dolebot-A is an email and network worm with IRC backdoor functionality for the Windows platform.

W32/Dolebot-A spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007).

W32/Dolebot-A runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Dolebot-A includes functionality to access the internet and communicate with a remote server via HTTP.

Emails sent by W32/Dolebot-A sends emails in the following format, with details
filled in to make the email look more authentic:

Subject:

"Your Account is Suspended"

"*DETECTED* Online User Violation"

"Your Account is Suspended For Security Reasons"

"Warning Message: Your services near to be closed"

"Important notification"

"Members support"

"Security measures"

"Email Account Suspension"

"Notice of account limitation"

Message:

"Dear <name> Member,

You have successfully updated the password of your <name> acccount.

If you did not authorize this change or if you need assistance with your
account, please contact <name> customer service at:

Thank you for using <name>!

The <name> Support Team

+++ Attachment: No Virus (Clean)

+++ %s Antivirus - www.<name>"

"Dear user <name>,

It has come to our attention that your <name> User Profile ( x ) records are
out of date. For further details see the attached document.

Thank you for using <name>.

The <name> Support Team

+++ Attachment: No Virus (Clean)

+++ %s Antivirus - www.<name>"

"Dear <name> Member,

We have temporarily suspended your email account <name>.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of address).

2. Submiting invalid information during the initial sign up process.

3. An innability to accurately verify your selected option of subscription due
to an internal error within our processors.

See the details to reactivate your <name> account.

Sincerely,The <name> Support Team

+++ Attachment: No Virus (Clean)

+++ %s Antivirus - www.<name>"

"Dear <name> Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages
during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your
membership.

Virtually yours,

The <name> Support Team

+++ Attachment: No Virus (Clean)

+++ %s Antivirus - www.<name>"

Attachment name:

Important-details

Account-details

Email-details

Account-info

Document

Readme

Account-report

The attachments have a file extension of .doc, followed by many spaces, then one of the following so that the file will be executed when opened:

Bat

Cmd

Exe

Pif

W32/Dolebot-A harvests email addresses from files on the infected computer and from the Windows address book as well as the Microsoft Internet Account Manager. W32/Dolebot-A is an email and network worm with IRC backdoor functionality for the Windows platform.

W32/Dolebot-A spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007).

W32/Dolebot-A runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Dolebot-A includes functionality to access the internet and communicate with a remote server via HTTP.

Emails sent by W32/Dolebot-A sends emails in the following format, with details
filled in to make the email look more authentic:

Subject:

"Your Account is Suspended"

"*DETECTED* Online User Violation"

"Your Account is Suspended For Security Reasons"

"Warning Message: Your services near to be closed"

"Important notification"

"Members support"

"Security measures"

"Email Account Suspension"

"Notice of account limitation"

Message:

"Dear <name> Member,

You have successfully updated the password of your <name> acccount.

If you did not authorize this change or if you need assistance with your
account, please contact <name> customer service at:

Thank you for using <name>!

The <name> Support Team

+++ Attachment: No Virus (Clean)

+++ %s Antivirus - www.<name>"

"Dear user <name>,

It has come to our attention that your <name> User Profile ( x ) records are
out of date. For further details see the attached document.

Thank you for using <name>.

The <name> Support Team

+++ Attachment: No Virus (Clean)

+++ %s Antivirus - www.<name>"

"Dear <name> Member,

We have temporarily suspended your email account <name>.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of address).

2. Submiting invalid information during the initial sign up process.

3. An innability to accurately verify your selected option of subscription due
to an internal error within our processors.

See the details to reactivate your <name> account.

Sincerely,The <name> Support Team

+++ Attachment: No Virus (Clean)

+++ %s Antivirus - www.<name>"

"Dear <name> Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages
during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your
membership.

Virtually yours,

The <name> Support Team

+++ Attachment: No Virus (Clean)

+++ %s Antivirus - www.<name>"

Attachment name:

Important-details

Account-details

Email-details

Account-info

Document

Readme

Account-report

The attachments have a file extension of .doc, followed by many spaces, then one of the following so that the file will be executed when opened:

Bat

Cmd

Exe

Pif

W32/Dolebot-A harvests email addresses from files on the infected computer and from the Windows address book as well as the Microsoft Internet Account Manager.

When first run W32/Dolebot-A copies itself to <Windows>\skype32.exe and creates the file <System>\rofl.sys.

The file rofl.sys is detected as Troj/RKPort-A.

The file skype32.exe is registered as a new system driver service named "Skype", with a display name of "Skype Messenger" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Skype\

The file rofl.sys is registered as a new system driver service named "rofl", with a display name of "rofl". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\rofl\

W32/Dolebot-A sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardP