WORM_DORKBOT.BY
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This worm arrives when an affected removable drive is connected to a system. It may be unknowingly downloaded by a user while visiting malicious websites.
It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.
TECHNICAL DETAILS
Arrival Details
This worm arrives when an affected removable drive is connected to a system.
It may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This worm drops the following component file(s):
- {removable drive}\recycler.lnk
It creates the following folders:
- {removable drive}\RECYCLER
Download Routine
This worm connects to the following malicious URLs:
- {BLOCKED}ney.biz
- {BLOCKED}ussy.info
- {BLOCKED}rebitch.com
Other Details
This worm connects to the following URL(s) to get the affected system's IP address:
- http://api.{BLOCKED}ia.com
SOLUTION
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Scan your computer with your Trend Micro product and note the files detected as WORM_DORKBOT.BY.
Step 3
Restart in Safe Mode.
Step 4
Search for and delete this file.
Step 5
Search for and delete this folder.
Step 6
Search for and delete the file detected as WORM_DORKBOT.BY.