Worm:W32/Dorkbot.A has backdoor and trojan capabilities, and spreads via removable drives and over Instant Messaging (IM) networks.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
For general instructions on disinfecting a local network infection, please see Eliminating A Local Network Outbreak.
The following precautionary security measures are also recommended to prevent further potential data loss until the machine/network is successfully disinfected:
A recent run of Dorkbot worm activity has been observed spreading over the Skype messaging network. Like most such worms, this latest outbreak spreads through socially engineered messages such as:
If the malicious link is clicked, a malicious payload (also detected as Win32.Floppier.A) is dropped onto the user's machine. A successful infection results in a backdoor program being installed on the machine, which is capable of performing the following actions:
This latest run has the following additional characteristics:
Older details for variants in the Dorkbot family are listed below.
Dorkbot.A propagates by creating a copy of itself in the %AppData% and RECYCLER directories of any available removable drives. Under default settings, these directories are normally hidden.
The worm next creates shortcut files on the removable drives, pointing to the locations of the worm copies in the hidden directories. If a user unwittingly clicks a worm-created shortcut, the worm copy it points to is executed.
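A defender-side triage of the removable-drive behaviour described above, as an added example that is not part of the original description or of any F-Secure tooling: it lists executables under a root-level RECYCLER directory and flags root-level shortcuts whose raw bytes mention that directory. The extension list, the byte-search heuristic (no full Shell Link parsing) and the sample drive layout are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: extensions treated as executable for triage purposes.
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
MARKER = "RECYCLER"  # directory name given in the description above


def lnk_mentions_marker(path):
    """Heuristic: search the raw shortcut bytes for the directory name, as
    ANSI or UTF-16LE, case-insensitively, without parsing the .lnk format."""
    with open(path, "rb") as fh:
        data = fh.read(1024 * 1024).upper()
    return MARKER.encode("ascii") in data or MARKER.encode("utf-16-le") in data


def triage_drive(root):
    """Return (executables under <root>/RECYCLER, shortcuts referencing it)."""
    hidden_exes, suspicious_lnks = [], []
    for entry in sorted(os.listdir(root)):
        full = os.path.join(root, entry)
        if os.path.isdir(full) and entry.upper() == MARKER:
            for dirpath, _dirs, files in os.walk(full):
                for name in sorted(files):
                    if os.path.splitext(name)[1].lower() in EXEC_EXT:
                        rel = os.path.relpath(os.path.join(dirpath, name), root)
                        hidden_exes.append(rel)
        elif entry.lower().endswith(".lnk") and lnk_mentions_marker(full):
            suspicious_lnks.append(entry)
    return hidden_exes, suspicious_lnks


def build_sample_drive(root):
    """Constructed sample layout: placeholder files, not valid .lnk or PE data."""
    sub = os.path.join(root, "RECYCLER", "placeholder_dir")
    os.makedirs(sub)
    with open(os.path.join(sub, "sample.exe"), "wb") as fh:
        fh.write(b"MZ placeholder")
    with open(os.path.join(root, "Photos.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00" + "recycler\\placeholder_dir\\sample.exe".encode("utf-16-le"))
    with open(os.path.join(root, "Notes.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00" + "C:\\Users\\a\\notes.txt".encode("utf-16-le"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drive:
        build_sample_drive(drive)
        print(triage_drive(drive))
```

On a real drive, pass the drive root (for example a mounted volume path) to `triage_drive`; a hit is a lead for review, not a verdict, since a legitimate shortcut can also mention the directory name.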
While active, Dorkbot attempts to steal login information for a number of popular websites, including PayPal, Gmail, Netflix and Facebook.
The worm will also block access to specific domain names that include these strings (all related to antivirus vendors or security services):
Date Created: 2011-10-13 18:00:00.0
Date Last Modified: 2011-10-13 18:00:00.0