New Dorkbot adds suite of new features (Feb 8, 2013)


The SonicWALL Threat Research team discovered a new variant of the Dorkbot Trojan (also known as NGRBot). This Trojan was covered in a previous Sonicalert where it was targeting Skype users. The features in this variant are similar to the previous variant with the exception of spreading via Skype.

Infection Cycle:

The sample we analysed makes no changes to the file system or windows registry. It does however have the ability to do that by downloading further payloads as we have seen in previous variants.

The Trojan uses the following icon:

The Trojan makes the following DNS requests:


Upon execution the Trojan injects code into the current running instance of explorer.exe [Detected as GAV: Dorkbot.B_67 (Trojan)]:

The Trojan determines its IP address by making a request to It then proceeds to join channel #main on a private IRC server. The IRC server does not allow various commands such as channel and user listing:

It also downloads a text file from a remote webserver containing a list of subdomains of a banking website. This list can be either for DDoS attacks or bank site redirection via editing the hosts file:

The Bots idle on IRC awaiting further instructions from its operators. They are given names according to geographical location and operating system version.

During analysis we discovered that the Trojan contains a suite of malicious capabilities. The malicious modules can be utilized by issuing commands via the IRC channel that the bot has joined. The modules are listed as follows:

  • UDP/SYN Flood
  • Visit HTTP URL (for Pay-per-click schemes)
  • Log into and download files from FTP and POP3 email servers
  • Update bot/download file from remote webserver with MD5 verification
  • Execute file on system
  • Start a Socks4 proxy server
  • Spread via MSN Messenger Service
  • Spread via connected USB drives

At the time of analysis it was determined that the botnet operators are actively monitoring connections to their IRC server. We were promptly banned from the IRC server due to performing activity not conforming to the bots typical behavior.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Ruskill.QCE (Trojan)
  • GAV: Dorkbot.B_67 (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.