W32/Dorkbot.BAA!tr is a generic detection for a type of trojan that drops other malware onto the compromised computer. Since this is a generic detection, files that are detected as W32/Dorkbot.BAA!tr may have varying behavior.
Below are examples of some of these behavior:

  • It drops a copy of itself into the user's Application Data folder with a randomized file name.

  • Network activities are observed to connect to the following sites via TCP port 1866:
    • IP: 69.43{Removed}
    • IP: 112.125{Removed}
    • IP: 95.142{Removed}

  • Deletes its original copy after execution.

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.