Microsoft security software detects and removes this threat.

This worm posts messages to your Facebook and Skype friends with links to malicious websites.

It is installed on your PC when you visit a link sent to you in a Facebook or Skype message. It is also downloaded by other malware, such as Trojan:Win32/Napolar.A.

What to do now

The following Microsoft security software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Threat behavior


Worm:Win32/Dorpiex.B tries to contact a remote server to get the list of URLs that it uses in the messages it spreads on Facebook and Skype.

We have seen it try to contact the following servers:


The worm then searches for Facebook authentication cookies from the following web browsers: 

  • Chrome
  • Firefox

It also tries to gather Facebook authentication cookies for Firefox using SQLite

It might copy itself as <current folder>\bluetoothheadsetproxy.exe. This name can change and is hardcoded inside the malware binary.

Spreads via...

Facebook posts

Worm:Win32/Dorpiex.B uses the cookies it finds to try and send private messages to all your online Facebook friends.

The message includes a link to a malicious website. Both the malicious website URLand the message text can change.

Skype messenger

The worm monitors whether Skype is installed on your PC and tries to distribute other malware using the web link retrieved from the C&C server.

Other Malware

We have seen this worm being downloaded and installed by Trojan:Win32/Napolar.A.


Downloads other malware

The URL that the worm uses in the messages it sends can redirect to malicious websites that install other malware on your PC.

A hacker can also tell the worm to uninstall itself from your PC to remove older versions of itself.

Analysis by Rodel Finones



The following could indicate that you have this threat on your PC:

  • You or your friends receive message from your Facebook or Skype account that you didn't write


Alert level: Severe
First detected by definition: 1.155.2152.0
Latest detected by definition: 1.203.1472.0 and higher
First detected on: Aug 13, 2013
This entry was first published on: Aug 13, 2013
This entry was updated on: Oct 25, 2013

This threat is also detected as:
No known aliases