Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Win32
  • Protection Added: 2011-12-09

This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Microsoft - Worm:Win32/Dorkbot!lnk
Kaspersky - Trojan.WinLNK.Runner.bl
Ikarus  - Worm.Win32.Dorkbot
Fortinet - LNK/AutoRun.HXW!tr
Drweb  - Win32.HLLW.Autoruner.59834

Minimum Engine


File Length


Description Added


Description Modified


Malware Proliferation

W32/IRCBot.gen.bs!lnk is a link file which is dropped by the file 13a0ea84.exe [Detected as W32/IRCBot.gen.bs]. The link file uses the below argument to execute the source file.

%windir%\system32\cmd.exe /c "start %cd%RECYCLER\13a0ea84.exe &&%windir%\explorer.exe %cd%imprimir.cfm_arquivos

Upon execution the link file tries to launch the source file from the following the location:


All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.
Presence of above mentioned files and registry keys.
Presence of unexpected connection to the above mentioned sites.