W32/Dotor-A

Name: W32/Dotor-A
Type: Win32 worm
Date: 28 June 2002


At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory
following enquiries to our support department from customers.

More information about W32/Dotor-A can be found at
http://www.sophos.com/virusinfo/analyses/w32dotora.html

 

W32/Dotor-A is a worm that arrives in an email with the following characteristics:
Subject line: NewTool for Word Macro Virus
Message text: This tool allows you to protect you against unknown virus.
Click on the attached file to run this freeware.
Best Regards. Have a nice day
Attached file: DocTor.exe

The worm copies itself to the file Doctor.exe in the Windows folder and will link this file to the registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DocTor

so that the worm is executed when Windows starts up.

The worm will email the first 500 contacts in the infected user's Microsoft Outlook address book.

W32/Dotor-A will drop a VBScript named doctor.vbs to the startup folder. This script will be detected as VBS/Dotor-A.

A text file with a random eight character name will be created in the folder C:\. The text file is used by the VBScript.

The VBScript starts a Microsoft Word application process and infects the global template of the Word application with a macro virus. The text file is deleted after the global template has been infected. This macro virus will be detected by WM97/Dotor-A.

The infected global template file will be able to infect Word documents
and will also drop a copy of the worm and set the previously mentioned
registry entry.