Discussion in 'malware problems & news' started by FanJ, Jul 1, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: W32/Dotor-A
    Type: Win32 worm
    Date: 28 June 2002

    At the time of writing Sophos has received no reports from users
    affected by this worm. However, we have issued this advisory
    following enquiries to our support department from customers.

    More information about W32/Dotor-A can be found at
  2. FanJ

    FanJ Guest

    W32/Dotor-A is a worm that arrives in an email with the following characteristics:
    Subject line: NewTool for Word Macro Virus
    Message text: This tool allows you to protect you against unknown virus.
    Click on the attached file to run this freeware.
    Best Regards. Have a nice day
    Attached file: DocTor.exe

    The worm copies itself to the file Doctor.exe in the Windows folder and will link this file to the registry entry


    so that the worm is executed when Windows starts up.

    The worm will email the first 500 contacts in the infected user's Microsoft Outlook address book.

    W32/Dotor-A will drop a VBScript named doctor.vbs to the startup folder. This script will be detected as VBS/Dotor-A.

    A text file with a random eight character name will be created in the folder C:\. The text file is used by the VBScript.

    The VBScript starts a Microsoft Word application process and infects the global template of the Word application with a macro virus. The text file is deleted after the global template has been infected. This macro virus will be detected by WM97/Dotor-A.

    The infected global template file will be able to infect Word documents
    and will also drop a copy of the worm and set the previously mentioned
    registry entry.
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.