Microsoft security software detects and removes this threat.

This threat part of the Dorkbot family of worms. These threats spread through instant messages and infected removable drives (such as USB flash drives).

There is more information in the Win32/Dorkbot family description.

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:

Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Worm:Win32/Dorkbot!lnk is a detection for shortcut files created by Worm:Win32/Dorkbot, a family of worms that spread via instant messaging and removable drives.

LNK files detected as Worm:Win32/Dorkbot!lnk are commonly found on removable drives, and are used to run a Worm:Win32/Dorkbot executable file also found on the drive. If the user tries to open the shortcut file, it launches the worm executable and also opens an Explorer window. The shortcut file commonly tries to launch the worm executable located in one of the following folders on the drive:

  • <removable drive>\recycler
  • <removable drive>\AdobeReader

The file name used by Dorkbot is usually generated randomly with a .exe or .jpg extension, for example:

  • 0xd80a89c7.exe
  • DSCI5271.jpg

See our family description, Worm:Win32/Dorkbot, for more information.

Analysis by Michael Johnson & Amir Fouda


Alerts from your security software may be the only symptom.


Alert level: Severe
First detected by definition: 1.105.1041.0
Latest detected by definition: and higher
First detected on: Jun 01, 2011
This entry was first published on: Jun 01, 2011
This entry was updated on: Sep 15, 2014

This threat is also detected as:
No known aliases