
Worm:Win32/Dorpiex.B


First posted on 25 October 2013.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/Dorpiex.B.

Explanation :

Threat behavior

Installation

Worm:Win32/Dorpiex.B tries to contact a remote server to get the list of URLs that it uses in the messages it spreads on Facebook and Skype.

We have seen it try to contact the following servers:

  • ap.ao2r9k.com/<removed>.php
  • dfg.ao2r9k.com/<removed>.php
  • waxortraxe.org/<removed>.php


The worm then searches for Facebook authentication cookies from the following web browsers:

  • Chrome
  • Firefox


It also tries to gather Facebook authentication cookies for Firefox using SQLite.

It might copy itself as <current folder>\bluetoothheadsetproxy.exe. This name can change and is hardcoded inside the malware binary.
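The C&C hosts and dropped file name above are the observable indicators a defender can act on. The following Python is an added example (not from the original write-up or from Microsoft) that matches proxy log lines against the listed hosts, including subdomains of them, and searches a folder for the reported copy name; the log layout and the sample lines are constructed for the example.

```python
import os
from urllib.parse import urlparse

# Indicators from the Dorpiex.B description above; the PHP paths were
# redacted there, so only host names are matched.
C2_HOSTS = {"ap.ao2r9k.com", "dfg.ao2r9k.com", "waxortraxe.org"}
DROPPED_FILE = "bluetoothheadsetproxy.exe"  # reported as hardcoded, may vary

def host_matches(host, indicators=C2_HOSTS):
    """True if host is a listed indicator or a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in indicators)

def scan_proxy_log(log_text):
    """Return (client_ip, host) pairs for requests to a listed C&C host.
    Lines follow a constructed layout: <ts> <client_ip> <method> <url> <status>."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        client_ip, url = fields[1], fields[3]
        host = urlparse(url).hostname or ""  # hostname is already lowercased
        if host_matches(host):
            hits.append((client_ip, host))
    return hits

def find_dropped_copies(directory, name=DROPPED_FILE):
    """List paths under directory whose file name equals the dropped copy name."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for f in files:
            if f.lower() == name.lower():
                found.append(os.path.join(root, f))
    return found

# Constructed sample proxy log (not real traffic) for a stand-alone run.
SAMPLE_PROXY_LOG = """\
2013-10-25T09:14:02Z 10.0.0.12 GET http://ap.ao2r9k.com/gate.php 200
2013-10-25T09:14:05Z 10.0.0.12 GET http://www.example.com/index.html 200
2013-10-25T09:15:41Z 10.0.0.33 POST http://WAXORTRAXE.ORG:8080/cmd.php 200
2013-10-25T09:16:10Z 10.0.0.33 GET http://ao2r9k.com.example.net/x.php 404
"""

if __name__ == "__main__":
    for ip, host in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ip} contacted Dorpiex.B C&C host {host}")
```

The lookalike host in the last sample line is deliberately not matched, since suffix matching is anchored on a dot before the indicator.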

Spreads via...

Facebook posts


Worm:Win32/Dorpiex.B uses the cookies it finds to try and send private messages to all your online Facebook friends.

The message includes a link to a malicious website. Both the malicious website URL and the message text can change.

Skype messenger


The worm monitors whether Skype is installed on your PC and tries to distribute other malware using the web link retrieved from the C&C server.

Other Malware

We have seen this worm being downloaded and installed by Trojan:Win32/Napolar.A.

Payload

Downloads other malware

The URL that the worm uses in the messages it sends can redirect to malicious websites that install other malware on your PC.

A hacker can also tell the worm to uninstall itself from your PC to remove older versions of itself.



Analysis by Rodel Finones



Symptoms

The following could indicate that you have this threat on your PC:

  • You or your friends receive messages from your Facebook or Skype account that you didn't write

Last update 25 October 2013
