Name: W32/Dotor-A
Type: Win32 worm
Date: 28 June 2002

At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

More information about W32/Dotor-A can be found at http://www.sophos.com/virusinfo/analyses/w32dotora.html

W32/Dotor-A is a worm that arrives in an email with the following characteristics:

Subject line: NewTool for Word Macro Virus
Message text: This tool allows you to protect you against unknown virus. Click on the attached file to run this freeware. Best Regards. Have a nice day
Attached file: DocTor.exe

The worm copies itself to the file Doctor.exe in the Windows folder and links this file to the registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DocTor

so that the worm is executed when Windows starts up.

The worm will email the first 500 contacts in the infected user's Microsoft Outlook address book.

W32/Dotor-A will drop a VBScript named doctor.vbs to the startup folder. This script will be detected as VBS/Dotor-A. A text file with a random eight character name will be created in the folder C:\. The text file is used by the VBScript.

The VBScript starts a Microsoft Word application process and infects the global template of the Word application with a macro virus. The text file is deleted after the global template has been infected. This macro virus will be detected as WM97/Dotor-A.

The infected global template file will be able to infect Word documents and will also drop a copy of the worm and set the previously mentioned registry entry.
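
The persistence artifacts described above can be checked offline against a mounted disk image and a regedit text export of the registry. The following is an added example, not part of the Sophos advisory; the function names, the folder names "windows"/"winnt" and "startup", and the sample export are assumptions made for illustration.

```python
import os
import re

# Indicators from the advisory. Folder names are assumptions for English-language
# Windows installs; a filename match is a lead for scanning, not a verdict.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WINDOWS_DIRS = {"windows", "winnt"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample of a regedit text export (not taken from a real host).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"DocTor"="C:\\WINDOWS\\Doctor.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"DocTor"="C:\\WINDOWS\\other.exe"
'''

def run_key_hits(reg_text):
    """Return (name, data) for HKLM Run values matching the advisory."""
    hits, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # section header: are we inside the Run key?
            in_run = line.strip("[]").lower() == RUN_KEY
            continue
        m = VALUE_RE.match(line) if in_run else None
        if m:
            name = m.group(1)
            data = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
            if name.lower() == "doctor" or "doctor.exe" in data.lower():
                hits.append((name, data))
    return hits

def file_hits(root):
    """Report Doctor.exe in the Windows folder and doctor.vbs in a startup folder."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath).lower()
        for name in files:
            low = name.lower()
            if low == "doctor.exe" and folder in WINDOWS_DIRS:
                hits.append(("worm copy", os.path.join(dirpath, name)))
            elif low == "doctor.vbs" and folder == "startup":
                hits.append(("startup script", os.path.join(dirpath, name)))
    return hits

if __name__ == "__main__":
    print(run_key_hits(SAMPLE_REG))
```

Any hit should be followed by a scan with current virus identities, since the infected Word global template can drop the worm again and restore the registry entry.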