Worm:Win32/Dorkbot.AH is a network-spreading worm that arrived on the malware scene as part of the larger Dorkbot family, a collection of modular threats designed to steal credentials, propagate across networks, and enlist infected machines into botnet operations. This particular variant combines old-school worm propagation techniques with modern data theft capabilities, spreading through removable drives, instant messaging clients, and network shares while quietly harvesting passwords and banking information in the background. What makes Dorkbot.AH especially troublesome for home users and small businesses is its ability to disable security software and establish persistent backdoor access, turning infected computers into remotely controlled nodes in a criminal infrastructure.
Once established on a system, this worm doesn't just sit idle—it actively seeks new targets while maintaining communication with command-and-control servers to receive instructions and updates. The infection can spread to USB drives, external hard drives, and mapped network shares, making it particularly problematic in office environments where employees share files across a local network. We've seen this variant cause significant headaches for Roswell area businesses when a single infected laptop introduced it to an entire office network over a weekend.
Threat Profile
| Attribute | Details |
|---|---|
| Family | Dorkbot worm family (Win32/Dorkbot variants) |
| Classification | Network worm, credential stealer, botnet agent |
| Aliases | W32/Dorkbot.AH, WORM:WIN32/Dorkbot!AH, Trojan.Dorkbot, Ngrbot (older name) |
| Platform | Windows XP through Windows 11 (32-bit and 64-bit) |
| Discovered | This variant circa 2012–2013; family active since 2011 |
| Distribution | Removable media autorun, IM spam links, exploit kits, network shares, social engineering |
| Persistence | Registry Run keys, infected removable media, network share implants, scheduled tasks |
| Primary Capabilities | Credential theft (browsers, FTP, email), keylogging, USB/network propagation, DDoS participation, remote command execution, security software termination |
| Network Behavior | Connects to HTTP-based C2 servers (domains and IPs vary), downloads additional modules, exfiltrates stolen data, receives botnet commands |
| Typical Artifacts | Random-named executables in %APPDATA% or %TEMP%, autorun.inf files on removable drives, modified registry Run keys, dropped DLL modules |
| Target Data | Browser stored passwords, FTP credentials, email account info, banking/financial site logins, cryptocurrency wallets (in later variants) |
| Removal Difficulty | Moderate to high—requires thorough scanning, manual registry cleanup, and disinfection of all connected removable media and network shares |
How It Spreads
Dorkbot.AH employs multiple propagation methods, with removable media being its most effective vector. When you insert an infected USB drive into your computer, the worm exploits Windows autorun features (on older systems) or relies on social engineering—creating folders that look like legitimate content with hidden executables masquerading as documents or media files. Users double-clicking what appears to be their expected files actually launch the worm instead. The infection then immediately copies itself to any other removable drives connected to the system, perpetuating the cycle.
Network propagation represents the second major spread mechanism. Dorkbot.AH scans local network ranges for accessible shares—particularly those with weak passwords or no authentication at all. When it finds an accessible share, it copies itself there and may modify startup scripts or create scheduled tasks on remote machines if it has sufficient privileges. This is how a single infected laptop brought home from a coffee shop can infect an entire small office overnight.
The worm also spreads through instant messaging platforms and social media, though this method has become less effective as platforms improved their security. Infected systems would send malicious links to contacts through Skype, Windows Live Messenger (in its heyday), and other IM clients, with messages crafted to appear legitimate—often mimicking the user's typical communication style by analyzing chat logs. Additional distribution vectors include:
- Exploit kit drive-by downloads from compromised websites hosting malicious advertising or injected scripts
- Malicious email attachments disguised as invoices, shipping notifications, or document updates
- Software bundle installers from sketchy freeware sites that package the worm with legitimate-looking applications
- Torrent downloads and warez sites where the worm is bundled with pirated software, games, or media files
- Infected external hard drives borrowed from friends, colleagues, or used at print shops and service bureaus
- Peer-to-peer file sharing networks where the worm disguises itself as popular movies, albums, or software
What It Does On Your Machine
Upon execution, Dorkbot.AH immediately begins establishing persistence and disabling defenses. The worm copies itself to a random subfolder within your user profile directories—typically %APPDATA% or %LOCALAPPDATA%—using a randomly generated folder name that looks system-like (often a GUID or string of seemingly random characters). It then creates registry entries in the Run and RunOnce keys to ensure it launches every time Windows starts, before any security software has a chance to intervene.
One of the worm's first actions is attempting to terminate or disable antivirus and security software. It maintains an internal list of common security process names and services—everything from Windows Defender to commercial products—and attempts to kill these processes while modifying registry keys to prevent them from restarting. On systems without up-to-date protection, this often succeeds completely. Even when it fails to disable security software entirely, the worm may succeed in creating exceptions or whitelists that allow its processes to run undetected.
The credential-stealing component runs continuously in the background, targeting stored passwords across multiple applications. Dorkbot.AH specifically targets web browser password vaults (Chrome, Firefox, Internet Explorer, Edge), FTP client saved sessions (FileZilla, WinSCP, others), email client credentials (Outlook, Thunderbird), and any other applications that store authentication data in accessible formats. The stolen information is packaged and transmitted to command-and-control servers, often using HTTP POST requests to compromised legitimate websites or dynamically generated domain names.
Meanwhile, the worm maintains contact with its botnet infrastructure, checking in periodically for new instructions. These commands might direct it to participate in distributed denial-of-service attacks, download and execute additional malware payloads, update itself to a newer variant, or target specific websites for credential phishing. The modular nature of the Dorkbot family means your infected computer might receive different capabilities over time based on what its controllers need from the botnet at any given moment.
Manual Removal — Step by Step
Disconnect from Network and Remove External Media
Before doing anything else, physically disconnect from the internet by unplugging your Ethernet cable or disabling Wi-Fi. Remove all USB drives, external hard drives, memory cards, and any other removable storage. Label each removed item as potentially infected—you'll need to scan them separately later. This prevents the worm from spreading further and stops communication with its command servers.
Boot into Safe Mode with Networking
Restart your computer and boot into Safe Mode with Networking. On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot → Advanced Options → Startup Settings → Restart, and select option 5. On Windows 7/8, tap F8 repeatedly during boot and select Safe Mode with Networking from the menu. Safe Mode loads only essential drivers and services, preventing most malware from launching automatically while still allowing you to download removal tools.
End Malicious Processes
Open Task Manager (Ctrl+Shift+Esc) and look for suspicious processes—particularly random-named executables running from user profile folders, processes with names mimicking system services but running from wrong locations, or anything consuming network bandwidth unexpectedly. Right-click suspicious processes, select "Open file location" to note the path, then end the process. Dorkbot.AH commonly uses names like "svchost.exe" or "explorer.exe" but runs them from %APPDATA% rather than System32.
Remove Persistence Registry Entries
Press Win+R, type "regedit" and hit Enter. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Look for entries pointing to executables in %APPDATA%, %LOCALAPPDATA%, or %TEMP% folders—particularly those with random names or GUID-style folder paths. Right-click and delete any suspicious entries. Also check the RunOnce keys in the same locations.
Delete the Worm Executable and Folders
Using File Explorer, navigate to the locations you identified in earlier steps (usually %APPDATA% or %LOCALAPPDATA%). Enable viewing of hidden files and system files through View → Options → View tab. Delete the entire folder containing the worm executable—often a GUID-style folder name or random character string. Check %TEMP% for .tmp.exe files and delete those as well. You may need to take ownership of some folders if permission errors appear.
Check for Scheduled Tasks
Open Task Scheduler (search for it in the Start menu). Review the Task Scheduler Library for any tasks with unfamiliar names, particularly those set to run executables from user profile directories or with no publisher information. Right-click suspicious tasks and select Delete. Dorkbot variants sometimes create tasks with names mimicking system updates or maintenance operations.
Run Malwarebytes and Secondary Scanner
Download Malwarebytes (the free version works fine) and run a complete Threat Scan while still in Safe Mode. Let it quarantine everything it finds. After Malwarebytes completes, download and run a second-opinion scanner like HitmanPro or ESET Online Scanner. Different scanners have different detection databases, and Dorkbot's modular nature means you want thorough coverage. This step typically takes 45 minutes to two hours depending on drive size.
Clean Removable Media and Network Shares
Before reconnecting to your network or inserting USB drives, you need to disinfect them. One at a time, connect each removable drive while still in Safe Mode and immediately scan it with Malwarebytes. Delete any autorun.inf files manually. Check for hidden folders (especially RECYCLER or System Volume Information) containing executables. If you have network shares, scan them from another clean machine or after completing your full cleanup and ensuring your security software is active.
Reset Browser Settings and Change Passwords
Because Dorkbot.AH steals stored credentials, reset all your web browsers to default settings—this clears out any injected scripts or extensions the worm may have installed. Then, from a known-clean device (smartphone or different computer), change passwords for all important accounts: email, banking, social media, work accounts, and any other services where you've stored credentials in your browser. Enable two-factor authentication wherever available.
Reboot Normally and Verify Cleanup
Restart your computer normally and let Windows boot into regular mode. Reconnect to the internet and immediately run Windows Update to ensure all security patches are current. Run one final full scan with your primary antivirus software now that it's active again. Monitor Task Manager for a few days to confirm no suspicious processes return. Check your browser homepage and search settings to ensure they haven't been changed. If everything remains clean for 48 hours, you've likely succeeded.
Prevention
- Disable AutoRun for all removable media. Open Group Policy Editor (gpedit.msc) and navigate to Computer Configuration → Administrative Templates → Windows Components → AutoPlay Policies. Enable "Turn off AutoPlay" for all drives. This single step blocks the most common Dorkbot spread vector.
- Never use found or borrowed USB drives without scanning them first. When someone hands you a flash drive or you need to use one from a print shop, scan it with an up-to-date antivirus before opening any files. Better yet, use cloud storage services for file transfer instead of physical media whenever possible.
- Maintain active, updated security software. Free antivirus is better than nothing, but consider investing in a reputable paid solution that includes real-time behavioral monitoring and web filtering. Keep both your antivirus definitions and Windows itself fully updated—many infections exploit old vulnerabilities that have been patched for years.
- Use strong, unique passwords and implement network security. If you run a home or office network with shared folders, protect them with strong passwords. Never leave network shares open without authentication. Use WPA3 or at minimum WPA2 encryption on wireless networks, and change default router credentials immediately.
- Practice cautious clicking habits. Don't click links in instant messages, emails, or social media posts unless you're absolutely certain of their legitimacy. Even messages from friends could be malware-generated. When in doubt, contact the person through a different channel to verify they actually sent what you received.
- Avoid pirated software and suspicious download sites. Warez sites, torrent downloads, and "free" versions of paid software are heavily targeted distribution points for worms and trojans. The money you save isn't worth the risk to your data and identity.
- Keep browsers and plugins updated. Many infections arrive through outdated browser plugins—especially Java, Flash (now discontinued), and PDF readers. Keep everything updated, or better yet, uninstall plugins you don't actively need.
- Implement regular backup routines to isolated storage. Maintain backups on external drives that you disconnect after each backup session, or use cloud backup services. If worm infection does occur, you can restore clean files rather than gambling on complete malware removal.
Bring It In
Worm infections like Dorkbot.AH present challenges that go beyond typical malware removal. The network propagation aspect means you might be dealing with multiple infected machines, and the credential theft component means you're racing against time to change passwords before stolen information gets used. Our Roswell shop has the diagnostic tools to identify exactly which systems on your network are compromised, the forensic capability to determine what data may have been accessed, and the expertise to fully disinfect not just computers but network storage and removable media as well.
We're located right here in Roswell, and we understand that business downtime and data security aren't abstract concerns—they're your livelihood. Call us at (770) 695-6121 to describe what you're experiencing, or bring your infected computer directly to our shop during business hours. We'll provide an honest assessment of the infection scope, a clear timeline for cleanup, and straightforward pricing with no surprises. Many Dorkbot removals we complete same-day, getting you back to work quickly while ensuring the worm hasn't spread across your network or stolen credentials that put you at ongoing risk.