Follow:

 

Worm:Win32/Dorkbot!lnk


Microsoft security software detects and removes this threat.

This threat is created by Worm:Win32/Dorkbot, a family of worms that spread by instant messaging and removable drives (such as USB flash drives).



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

Disable Autorun functionality

This threat tries to use the Windows Autorun function to spread via removable drives, such as USB flash drives. 

You can find out how to turn off this feature in the article How to disable the Autorun functionality in Windows.

Threat behavior

Worm:Win32/Dorkbot!lnk is a detection for shortcut files created by Worm:Win32/Dorkbot, a family of worms that spread via instant messaging and removable drives.

LNK files detected as Worm:Win32/Dorkbot!lnk are commonly found on removable drives, and are used to run a Worm:Win32/Dorkbot executable file also found on the drive. If the user tries to open the shortcut file, it launches the worm executable and also opens an Explorer window. The shortcut file commonly tries to launch the worm executable located in one of the following folders on the drive:

  • <removable drive>\recycler
  • <removable drive>\AdobeReader

The file name used by Dorkbot is usually generated randomly with a .exe or .jpg extension, for example:

  • 0xd80a89c7.exe
  • DSCI5271.jpg

See our family description, Worm:Win32/Dorkbot, for more information.

Analysis by Michael Johnson & Amir Fouda


Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.


Prevention


Alert level: Severe
First detected by definition: 1.105.1041.0
Latest detected by definition: 1.167.509.0 and higher
First detected on: Jun 01, 2011
This entry was first published on: Jun 01, 2011
This entry was updated on: Aug 15, 2013

This threat is also detected as:
No known aliases