FRISK Software International


Summary of W32/Dotor@mm
Alias: W32.Dotor
Discovered: 28 Jun 2002
Definition files: 28 Jun 2002
 

Brief Description
Dotor is a mass-mailer worm with several components: a binary dropper/mailer, a VBScript dropped into the Startup folder, and a Word macro part. The worm body is UPX packed and is around 11 kilobytes in size (about 40 kilobytes unpacked). Dotor attempts to send itself to every address found in the Microsoft Outlook Address Book.


Technical Description

Messages sent by the worm are composed as follows.

 Subject: NewTool for Word Macro Virus

 Body:

 This tool allows you to protect you against  unknown
 macro virus.

 Click on the attached file to run this freeware.

 Best Regards. Have a nice day

 Attachment: DocTor.exe

Binary part

The binary part of the worm drops the scripts and sends e-mails with infected attachments. When the infected attachment is started, it copies itself to the Windows directory as 'Doctor.exe'. The worm body is then converted to a script file and dropped to C:\ with a random name and a .TXT extension. Another script file is dropped to the user's StartUp folder as 'doctor.vbs'. As a last step the worm adds itself to the registry under the Run key as:


'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DocTor'

After the system has been restarted once, the mass-mailer part activates. It first sleeps for 20 seconds and then deletes 'doctor.vbs' from the user's StartUp folder, so the absence of that file on a machine does not mean the machine is clean.

After this it checks whether an Internet connection is available and enters a wait loop if it is not. When the computer's Internet connection becomes active, the worm connects to the Outlook Address Book and sends an infected e-mail to each address it finds there.

Script and macro part

When the system is restarted, the script in the user's StartUp folder is executed. This script, 'doctor.vbs', disables macro virus protection for both Microsoft Word 2000 and Word XP and infects Word's global template. From then on Dotor works as a macro virus and infects every document opened thereafter.

When an infected document is opened, Dotor disables the macro virus protection and drops the binary part as 'Doctor.exe' into the Windows installation directory. This program is set to execute on the next system restart via the registry. Finally the macro part checks whether the global template is already infected and, if it is not, infects it.
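The indicators above (the Run key value, the dropped binary in the Windows directory, the StartUp VBScript, the random-named .TXT script in C:\ and the lowered Word macro security) can be checked on a host with a short triage script. The script below is an added example for this page, not code from FRISK or from the F-Secure analysis. The advisory does not say how 'doctor.vbs' disables macro virus protection; the check for the Word 2000 (9.0) and Word XP (10.0) 'Security\Level' registry values, the Normal.dot location, and the keyword heuristic for the .TXT script are assumptions made for the example.

```powershell
# Added triage example (not from the advisory). Returns a list of findings for the
# Dotor indicators described above; an empty list means none of the indicators was seen.
function Test-DotorIndicators {
    $findings = @()

    # 1. Run-key persistence: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DocTor
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runVal = Get-ItemProperty -Path $runKey -Name 'DocTor' -ErrorAction SilentlyContinue
    if ($runVal) {
        $findings += "Run key value DocTor -> $($runVal.DocTor)"
    }

    # 2. Dropped binary in the Windows directory (record a hash for later correlation)
    $binPath = Join-Path $env:WINDIR 'Doctor.exe'
    if (Test-Path -Path $binPath) {
        $hash = (Get-FileHash -Path $binPath -Algorithm SHA256).Hash
        $findings += "Dropped binary present: $binPath (SHA256 $hash)"
    }

    # 3. VBScript in the user's StartUp folder. The worm deletes it after its first
    #    activation, so not finding it does not clear the host.
    $startup = [Environment]::GetFolderPath('Startup')
    $vbsPath = Join-Path $startup 'doctor.vbs'
    if (Test-Path -Path $vbsPath) {
        $findings += "StartUp script present: $vbsPath"
    }

    # 4. Script dropped to C:\ under a random name with a .TXT extension. The name is
    #    unknown, so look at .txt files in the root that contain script-like keywords
    #    (heuristic, assumption: the advisory gives no content details).
    $rootTxt = Get-ChildItem -Path 'C:\' -Filter '*.txt' -File -ErrorAction SilentlyContinue
    foreach ($f in $rootTxt) {
        $head = Get-Content -Path $f.FullName -TotalCount 40 -ErrorAction SilentlyContinue
        if ($head -match 'CreateObject|WScript|Word\.Application|VirusProtection') {
            $findings += "Script-like .txt in C:\ root: $($f.FullName)"
        }
    }

    # 5. Word macro security lowered. Assumption: Word 2000 (9.0) and Word XP (10.0) keep
    #    the macro security level in HKCU\Software\Microsoft\Office\<ver>\Word\Security\Level
    #    (1 = Low, 2 = Medium, 3 = High).
    foreach ($ver in '9.0', '10.0') {
        $secKey = "HKCU:\Software\Microsoft\Office\$ver\Word\Security"
        $sec = Get-ItemProperty -Path $secKey -Name 'Level' -ErrorAction SilentlyContinue
        if ($sec -and $sec.Level -eq 1) {
            $findings += "Word $ver macro security set to Low (Level=1)"
        }
    }

    # 6. Global template. Assumption: Normal.dot under the user's Templates folder. Only
    #    its timestamp is reported; the macro content still needs manual inspection.
    $normalDot = Join-Path $env:APPDATA 'Microsoft\Templates\Normal.dot'
    if (Test-Path -Path $normalDot) {
        $mtime = (Get-Item -Path $normalDot).LastWriteTime
        $findings += "Global template present: $normalDot (last written $mtime)"
    }

    return ,$findings
}

$result = Test-DotorIndicators
if ($result.Count -eq 0) {
    Write-Output 'No Dotor indicators found.'
} else {
    $result | ForEach-Object { Write-Output "[!] $_" }
}
```

Run the script in an elevated PowerShell session so the HKLM Run key and the Windows directory are readable; the HKCU and %APPDATA% checks only cover the currently logged-on user, so repeat them for every profile on a shared machine.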



[Analysis: Gergely Erdelyi and Sami Rautiainen; F-Secure Corp.; June 28th, 2002]
 


 
