Microsoft security software detects and removes this threat.

This worm is a member of the Win32/Dorkbot family. It can give a hacker access and control of your PC.

It spreads via instant messaging and USB flash drives.

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:

Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior


When it runs, Worm:Win32/Dorkbot.A copies itself to the %APPDATA% directory using a randomly generated six letter file name (for example, "ozkqke.exe").

It modifies the following registry entry to ensure that it runs each time you start your computer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<randomly generated six letter string>"
With data: "%appdata%\<malware file name>.exe"
For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ozkqke"
With data: "%appdata%\ozkqke.exe"

Once running, the worm injects code into "explorer.exe", as well as to many other running processes on your computer. Note that the number of processes it is capable of injecting into is dependent on whether the currently logged-on user is running with Administrator privileges or not. Malware often does this in order to hide itself from security software.

Spreads via…

USB flash drives

The worm registers a device notification so that it is notified whenever a USB flash drive is plugged into your computer. The worm then copies itself to the rdrive, using a variable file name, and creates an Autorun configuration file named "autorun.inf" pointing to the malware. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.

Instant messaging/Instant Relay Chat (IRC)

Using backdoor functionality the worm can be ordered by a hacker to spread via instant messaging platforms such as MSN, Pidgin chat, Xchat and mIRC. Messages are sent to all of your contacts. The messages sent, and the frequency at which the messages are sent are configured by the hacker.


Allows backdoor access and control

Worm:Win32/Dorkbot.A connects to a particular IRC server, joins a channel and waits for commands. In the wild, we have observed the worm using IRC servers on the following domains for this purpose:


Using this backdoor, a hacker can perform a number of different actions on your computer. As well as being able to spread via instant messaging applications, the worm can also be ordered to perform the following actions:

  • Get information about your computer
    The worm contacts "" for your computer's IP and location. It then collects your computer's operating system type, current user privilege level (for example, whether you have administrator rights) and locale
  • Protect itself
    The worm can be instructed to prevent you from viewing or tampering with its files. This is done by hooking the following functions for all processes inside which it is injected:
    • CopyFileA/W
    • DeleteFileA/W
    • NtEnumerateValueKey
    • NtQueryDirectoryFile
  • Change your computer's files; the worm can be instructed to overwrite the following files in order to prevent itself from being detected and removed:
    • cmd.exe
    • ipconfig.exe
    • regedit.exe
    • regsvr32.exe
    • rundll32.exe
    • verclsid.exe
  • Steal passwords/sensitive data; the worm is capable of intercepting Internet browser communications with various websites and obtaining sensitive information. This is done by hooking various APIs within Firefox and Internet Explorer. The malware can also target FTP credentials
  • Infect websites; the worm may be ordered to log into a remote FTP server and infect various HTML files by adding an IFrame; this action may help the worm to spread
  • Block access to security websites; the worm may be ordered to block user access to sites with the following strings in their domain:
    • avast.
    • avg.
    • avira.
    • bitdefender.
    • bullguard.
    • clamav.
    • comodo.
    • emsisoft.
    • eset.
    • fortinet.
    • f-secure.
    • garyshood.
    • gdatasoftware.
    • iseclab.
    • jotti.
    • kaspersky.
    • lavasoft.
    • malwarebytes.
    • mcafee.
    • norman.
    • norton.
    • novirusthanks
    • onlinemalwarescanner.
    • pandasecurity.
    • precisesecurity.
    • sophos.
    • sunbeltsoftware.
    • symantec
    • threatexpert.
    • trendmicro.
    • virscan.
    • virus.
    • virusbuster.nprotect.
    • viruschief.
    • virustotal.
    • webroot.

Using the backdoor, a hacker can also order the worm to:

  • Download and run files, including updates
  • Visit specified URLs
  • Perform DDoS (Distributed Denial of Service) attacks using SYN or UDP floods against a specified target
  • Stop you from downloading files with the following file extensions:
    • exe
    • com
    • pif
    • scr

Analysis by Matt McCormack


Alerts from your security software may be the only symptom.


Alert level: Severe
First detected by definition: 1.99.894.0
Latest detected by definition: 1.209.3245.0 and higher
First detected on: Mar 09, 2011
This entry was first published on: Mar 15, 2011
This entry was updated on: Sep 15, 2014

This threat is also detected as:
  • Trojan.Win32.Scar.drih (Kaspersky)