Dotor is a mass-mailer worm with several different components. The UPX packed body of the worm is around 11 kilobytes in size that is 40 kilobytes unpacked. Dotor attempts to send itself to all the addresses found in the Microsoft Outlook Address Book.
Messages sent by the worm are composed as follows.
Subject: NewTool for Word Macro Virus Body: This tool allows you to protect you against unknown macro virus. Click on the attached file to run this freeware. Best Regards. Have a nice day Attachment: DocTor.exe
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
The binary part of the worm drops the scripts and sends e-mails with infected attachments. When the infected attachment is started it copies itself to the Windows directory and 'Doctor.exe'. The worm body is then converted to a script file and dropped to C:\ with a random name and .TXT extension. Another script file is dropped to the user's StarUp folder as 'doctor.vbs'. As a last step the worm adds itself to the registry under the Run key as
After system is restarted once the mass-mailer part activates. First it sleeps for 20 seconds then it deletes the 'doctor.vbs' from the user's StartUp folder.
After this it checks if the Internet connection is available and goes to a wait loop if it's not. When the computer's Internet connection becomes active the worm connects to the Outlook Address Book and sends an infected e-mail to each address it finds there.
Script and macro part
When the system is restarted, the script in the user's startup folder will be executed. This script, 'doctor.vbs', will disable macro virus protection for both Microsoft Word 2000 and Word XP, and infects the Word's global template. After that Dotor works as macro virus, and will infect all documents opened thereafer.
When an infected document is opened, Dotor will disable the macro virus protection and drop the binary part as 'Doctor.exe' into Windows installation directory. This program is set to execute in the next system restart via registry. Finally the macro part will check if the global template is already infected and if it is not, it will be infected.
Technical Details: Gergely Erdelyi and Sami Rautiainen; F-Secure Corp.; June 28th, 2002