Danger level 7
Type: Worms
Common infection symptoms:
  • Blocks internet connection
  • Blocks exe files from running
  • Installs itself without permissions
  • Connects to the internet without permission
  • Normal system programs crash immediately
  • Slow internet connection
  • System crashes
  • Slow Computer
Other mutations known as:
Worm.Dorkbot.A

Worm.Dorkbot

Worm.Dorkbot is a malicious worm which spreads through instant messaging services such as Windows Live and Yahoo! Messenger, and through removable drives. It also contains backdoor functionality, which grants remote attackers complete access to the infected PC. Worm.Dorkbot also operates under various aliases, one of which is:

Trojan.Win32.Scar.drih

This worm was first released on 9 March 2011, and has gone on to infect thousands of PCs across the globe. What makes it even more dangerous is the fact that Worm.Dorkbot does not present any obvious symptoms, and the only symptoms that would indicate the presence of the worm on the PC will come from installed security software. This will make it much more difficult for the user to detect and remove Worm.Dorkbot from the system.

After Worm.Dorkbot enters the system, it executes itself and copies itself to the %AppData% directory under a randomly generated six-letter file name, for example ozkqke.exe. It then modifies the following registry entry so that this file is executed at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: ""
With data: "%appdata%\.exe"
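
As an added example (not part of the original write-up), the Python script below triages saved output of reg query for the Run key above and reports values that start a six-letter .exe sitting directly in %AppData%. The sample output, the user name alice and the value names are constructed, and the six-letter pattern is an assumption drawn from the ozkqke.exe example.

```python
import re
from ntpath import basename, dirname

# Constructed sample of `reg query` output for the HKCU Run key (not from a real host).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Chat Client    REG_SZ    C:\Users\alice\AppData\Roaming\ChatClient\update.exe --silent
    Ozkqke    REG_SZ    C:\Users\alice\AppData\Roaming\ozkqke.exe
    Wbnmni    REG_EXPAND_SZ    "%AppData%\Wbnmni.exe"
    Notes    REG_SZ    %appdata%\notes.exe
"""

# One value line: 4-space indent, then name, type and data separated by 4 spaces.
VALUE_LINE = re.compile(
    r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_(?:EXPAND_)?SZ)\s{4}(?P<data>.+)$")
# The %AppData% folder itself, as the variable or as the expanded Roaming path.
APPDATA_ROOT = re.compile(
    r"^(?:%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming)$", re.I)
# Assumption: six letters plus .exe, following the page's ozkqke.exe example.
SIX_LETTER_EXE = re.compile(r"^[a-z]{6}\.exe$", re.I)


def command_path(data):
    """Return the executable path from Run data, dropping quotes and arguments."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)(?=\s|$)', data, re.I)
    return (m.group(1) or m.group(2)) if m else None


def suspicious_run_values(reg_query_text):
    """List (value name, path) pairs that start a six-letter .exe directly in %AppData%."""
    hits = []
    for line in reg_query_text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        path = command_path(m.group("data").strip())
        if (path and APPDATA_ROOT.match(dirname(path))
                and SIX_LETTER_EXE.match(basename(path))):
            hits.append((m.group("name"), path))
    return hits


if __name__ == "__main__":
    for name, path in suspicious_run_values(SAMPLE_REG_QUERY):
        print(f"review Run value {name!r}: {path}")
```

A hit is a lead for review rather than proof of infection, since the six-letter pattern is inferred from a single example name.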

Once running, Worm.Dorkbot will inject its code into explorer.exe, as well as into many other running processes on the infected PC. The number of processes Worm.Dorkbot is able to inject into depends on whether it has been run with administrator privileges.

Worm.Dorkbot will connect to particular IRC servers, joining channels and waiting for further commands from its developers. Following is a list of servers Worm.Dorkbot has been known to connect to without the user’s knowledge:

shuwhyyu.com
lovealiy.com
yegyege.com

Developers behind Worm.Dorkbot can instruct the worm to obtain the affected PC’s IP address and location by connecting to api.wipmania.com. It will then collect the infected PC’s operating system type, current user privilege level and locale.

The worm will also be instructed to stop the user from viewing or altering its files. This is done by hooking the following functions inside the processes into which it is injected:

NtQueryDirectoryFile
NtEnumerateValueKey
CopyFileA/W
DeleteFileA/W

The worm will also block the user’s access to the following security websites:

avast.
avg.
avira.
bitdefender.
bullguard.
clamav.
comodo.
emsisoft.
eset.
fortinet.
f-secure.
garyshood.
gdatasoftware.
heck.tc
iseclab.
jotti.
kaspersky.
lavasoft.
malwarebytes.
mcafee.
necare.live.
norman.
norton.
novirusthanks
onlinemalwarescanner.
pandasecurity.
precisesecurity.
sophos.
sunbeltsoftware.
symantec

To get rid of Worm.Dorkbot and limit the damage this malicious threat can cause to your PC, remove it with the help of a powerful security tool, which will also adequately protect your PC against similar attacks in future.


How to manually remove Worm.Dorkbot

Files associated with Worm.Dorkbot infection:


Worm.Dorkbot DLL's to remove:


Worm.Dorkbot processes to kill:


Comments

  1. bairon Apr 12, 2012

    Thanks, I solved this problem without re-installing my Windows and it's very efficient.

  2. Pcthreat Apr 13, 2012

    bairon,

    Glad to know we could help!

  3. Carlos Silva Sep 12, 2012

    I got it in pendrive and I can't take off :(

  4. kr1k3n2 Oct 29, 2012

    I need your help, the issas.exe became a critical system process, so what do I do now?
