Never Ending Dorfs

Like a very bad itch, a new batch of the Dorf worms (also known as “Storm”) has resurfaced today.

SophosLabs analysts noticed a sharp increase in our spamtraps today, which turned out to be related to a large malware campaign spreading W32/Dorf-AW. On this occasion, the bad guys are taking advantage of the St Valentine’s Day festivities.

Like its previous incarnations, this new batch of Dorfs goes to great lengths to obfuscate its payload code, inserting randomised junk instructions into the program to divert virus lab analysts’ attention and to subvert debugging applications aimed at unraveling the malware code.

W32/Dorf-AW also drops two other pieces of malware as its payload: a rootkit in the form of Troj/NtRootK-CW and a mass-mailing component (proactively detected by Sophos as Mal/Dorf-H).