Donbot

March 20, 2009

Aliases

  • Buzus

Comments

Donbot is named after the string 'don' found in the malware body, notably the don.hmarhelo.com domain name that it tries to connect to. Donbot concentrates mainly on pharmaceutical spam, but has also been observed sending material relating to replica watches and adult dating.

Features

  • Relatively unsophisticated
  • Communicates on random TCP ports above 2200
  • Plain text templates
  • Performs a DNS lookup of the host's IP against an RBL blacklist.

Spamming Rate

  • 8000 messages per hour per bot

Command and Control

Donbot attempts to connect to the domain don.hmarhelo.com (recent samples connect to grund23.gotgeeks.com), using random TCP ports greater than 2200. It may also try several hardcoded IP addresses. Once connected with its control server, Donbot downloads a plain text spamming instruction file which includes an email template and email address lists. Here is the beginning of a sample template file:

HALLO

Hash: 2639d096d1d87b16efea171d86d4c0e
ID: dontest (or idontcare)
Session:
Domain: NA
RBL: 0
Sent: 0
Failed: 0
Catchall: 0

CHUNK

Session: de10eda523f0f6d5e3e6578db3fee4e1
IP: xxx.xxx.xxx.xxx
Keep-Alive: 3
RBL: dnsbl.njabl.org
Max-To: 20
Max-Threads: 20
ProxyLock: 0
HeloDomains: 304206

Note the use of a DNS blacklist (dnsbl.njabl.org), which the bot queries to check whether the host's IP is blacklisted prior to spamming.
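A parser for the instruction-file layout shown above, added here as an example (it is not code from the original page or from Donbot). It assumes that a bare upper-case keyword such as HALLO or CHUNK opens a section and that 'Key: value' lines follow, and it runs over a constructed sample modelled on the page's fragment.

```python
# Constructed sample modelled on the fragment shown on the page; the hash,
# session and IP values are placeholders, not real indicators.
SAMPLE = """HALLO

Hash: 2639d096d1d87b16efea171d86d4c0e
ID: dontest
Session:
Domain: NA
RBL: 0
Sent: 0
Failed: 0
Catchall: 0

CHUNK

Session: de10eda523f0f6d5e3e6578db3fee4e1
IP: xxx.xxx.xxx.xxx
Keep-Alive: 3
RBL: dnsbl.njabl.org
Max-To: 20
Max-Threads: 20
ProxyLock: 0
HeloDomains: 304206
"""

def parse_instruction_file(text):
    """Map section name -> dict of 'Key: value' fields (empty values kept)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank lines only separate blocks
        if line.isalpha() and line.isupper():
            # assumption: a bare upper-case keyword (HALLO, CHUNK) opens a section
            current = line
            sections[current] = {}
        elif current is None or ":" not in line:
            raise ValueError("unexpected line: %r" % line)
        else:
            key, _, value = line.partition(":")  # 'Session:' -> ('Session', '')
            sections[current][key.strip()] = value.strip()
    return sections

def network_indicators(sections):
    """Fields worth turning into monitoring rules: RBL zone and sending limits."""
    chunk = sections.get("CHUNK", {})
    return {"rbl_zone": chunk.get("RBL"),
            "max_to": int(chunk.get("Max-To", 0)),
            "max_threads": int(chunk.get("Max-Threads", 0))}
```

The empty `Session:` line in the HALLO block is preserved as an empty string rather than dropped, so an analyst diffing captured files can still see which fields the bot sent unfilled.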

Malware Behavior on Host

Donbot drops a copy of itself using the filename:

  • C:\WINDOWS\system32\sysmgr.exe

It also drops an encrypted DLL file in %systemroot%\SYSTEM folder using the filename msvcrt2.dll.

The malware creates an autorun registry entry to execute itself on Windows start-up:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Microsoft(R) System Manager = "C:\WINDOWS\system32\sysmgr.exe"

It also sets the following TCP parameters in the system registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  • "TcpTimedWaitDelay" = "0x0000001E"
  • "MaxUserPort" = "0x00008000"

Last Reviewed: April 20, 2009 by Rodel Mendrez