
Worm:Win32/Dorpiex.A


First posted on 17 May 2013.
Source: Microsoft

Aliases:

Worm:Win32/Dorpiex.A is also known as Win32/Injector.AGMQ (ESET), BackDoor.IRC.ngrBot.42 (Dr.Web), Trojan.Spachanel (Symantec), Trojan.Win32.Kryptik.m (Rising AV), winpe/DelfInject.XO (Norman), Worm/Dorpiex.A.10 (Avira), TR/Drop.Injector.ighd (Avira), Trojan-Dropper.Win32.Injector.ighd (Kaspersky), Win32.HLLW.Phorpiex.90 (Dr.Web).

Explanation:

Installation

When run, Worm:Win32/Dorpiex.A tries to contact a remote server, from which it obtains the list of web links that it uses in the messages it spreads on Facebook.

We have seen it try to contact the following servers:

  • 94.102.63.54/<removed>.png
  • waxortraxe.org/<removed>.jpg


The worm then tries to get Facebook authentication cookies saved by the following web browsers by searching your stored cookies (a cookie is a file on your computer that a web browser uses to store information about the websites you visit):

  • Chrome
  • Firefox
  • Internet Explorer
  • Opera


The worm also tries to get Facebook authentication cookies from the following processes if they are running:

  • chrome.exe
  • facebookmessenger.exe
  • firefox.exe
  • iexplore.exe
  • opera.exe
  • webkit2webprocess.exe

Spreads via...

Facebook posts

With the retrieved authentication cookies, Worm:Win32/Dorpiex.A tries to send messages to all your online Facebook friends containing the web link that it retrieved from the remote server. The message suggests the recipient may be interested in following the link, which pretends to be a picture or photo. The worm chooses the language of the message based on the language settings of your computer, as in the following examples:

  • In Czech: "podivejte se na mou fotku"
  • In Danish: "ser pa dette billede"
  • In Dutch: "ken je dat foto nog?"
  • In English: "i cant believe i still have this picture"
  • In Finnish: "katso tata kuvaa"
  • In French: "c'est la photo la plus marrante!"
  • In German: "kennst du das foto schon?"
  • In Italian: "la foto e grandiosa!"
  • In Norwegian: "se pa dette bildet"
  • In Spanish: "mira como saliste en esta foto"
  • In Swedish: "titta pa denna bild"


Payload

Downloads other malware onto your computer

The web link that the worm uses in the messages it posts on Facebook may redirect to additional malware. For example, we have seen the link mediafire.com/<removed>/photos_4058-aw.bmp redirect to 199.91.153.218/<removed>/1fr0hylfy0295da/DSC01202404-JM0aVF85MLQlK4FucrYjMyU21k30iE.PSD.exe, a program file that we detect as Worm:Win32/Dorkbot.A.

We have seen the worm use the following web links in the Facebook messages it tries to post:

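The network behaviour described above (fetching the link list from the named servers, and visits to the mediafire "photo" lure links) can be turned into a simple proxy-log check. The following is an added example, not part of Microsoft's write-up: the proxy-log line format, the sample lines and the function names classify_url and find_suspect_clients are my own assumptions, and the lure-link pattern generalises the file-name shape photos_NNNN-XX.<image extension> seen in the links quoted above.

```python
import re
from collections import defaultdict

# Servers the worm contacts for its link list (taken from the write-up).
C2_HOSTS = {"94.102.63.54", "waxortraxe.org"}

# Lure links it posts look like mediafire.com/<removed>/photos_4058-aw.bmp;
# the <removed> directory is unknown, so any single path segment is accepted.
LURE_LINK = re.compile(
    r"mediafire\.com/[^/\s]+/photos_[0-9a-z]{4}-[a-z]{2}\.(?:bmp|gif|png|jpe?g)$",
    re.IGNORECASE,
)

# Constructed proxy-log format (assumption): "<timestamp> <client> <method> <url> <status>"
PROXY_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify_url(url):
    """Label one URL as a worm behaviour from the write-up, or None."""
    m = re.match(r"https?://([^/:]+)", url, re.IGNORECASE)
    host = m.group(1).lower() if m else ""
    if host in C2_HOSTS and url.lower().endswith((".png", ".jpg")):
        return "c2-linklist-fetch"       # fetch of the message link list
    if LURE_LINK.search(url):
        return "lure-link-visit"         # a posted "photo" link was followed
    return None

def find_suspect_clients(log_lines):
    """Map each client address to the sorted findings seen in its traffic."""
    findings = defaultdict(set)
    for line in log_lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        _ts, client, _method, url, _status = m.groups()
        label = classify_url(url)
        if label:
            findings[client].add(label)
    return {client: sorted(labels) for client, labels in findings.items()}

SAMPLE_LOG = [  # constructed lines; "removed" stands in for the redacted path
    "2013-05-17T10:02:11 10.0.0.5 GET http://94.102.63.54/removed.png 200",
    "2013-05-17T10:02:30 10.0.0.5 GET http://www.facebook.com/ 200",
    "2013-05-17T10:05:02 10.0.0.9 GET http://mediafire.com/removed/photos_4058-aw.bmp 302",
    "2013-05-17T10:05:03 10.0.0.9 GET http://www.mediafire.com/removed/photos_di64-nu.gif 302",
    "not a proxy line",
]
```

Running find_suspect_clients(SAMPLE_LOG) flags 10.0.0.5 for the link-list fetch and 10.0.0.9 for following lure links; a client showing the first finding is the likely infected machine, while the second only indicates a user who clicked a posted link.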

Additional information

When run, Worm:Win32/Dorpiex.A checks if it is running in Sandboxie, which is a sandbox or virtual environment. If the worm determines that it is, then it exits immediately. Sandboxes are sometimes used by malware analysts; it's likely that the worm is checking this to evade detection.



Analysis by Shawn Wang

Last update 17 May 2013
