F-Secure Virus Descriptions : Dotor

 Subject: NewTool for Word Macro Virus
 Body:

 This tool allows you to protect you against  unknown
 macro virus.

 Click on the attached file to run this freeware.

 Best Regards. Have a nice day

 Attachment: DocTor.exe

Binary part

The binary part of the worm drops the scripts and sends e-mails with infected attachments. When the infected attachment is started it copies itself to the Windows directory and 'Doctor.exe'. The worm body is then converted to a script file and dropped to C:\ with a random name and .TXT extension. Another script file is dropped to the user's StarUp folder as 'doctor.vbs'. As a last step the worm adds itself to the registry under the Run key as

 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DocTor'

After system is restarted once the mass-mailer part activates. First it sleeps for 20 seconds then it deletes the 'doctor.vbs' from the user's StartUp folder.

After this it checks if the Internet connection is available and goes to a wait loop if it's not. When the computer's Internet connection becomes active the worm connects to the Outlook Address Book and sends an infected e-mail to each address it finds there.

Script and macro part

When the system is restarted, the script in the user's startup folder will be executed. This script, 'doctor.vbs', will disable macro virus protection for both Microsoft Word 2000 and Word XP, and infects the Word's global template. After that Dotor works as macro virus, and will infect all documents opened thereafer.

When an infected document is opened, Dotor will disable the macro virus protection and drop the binary part as 'Doctor.exe' into Windows installation directory. This program is set to execute in the next system restart via registry. Finally the macro part will check if the global template is already infected and if it is not, it will be infected.

[Analysis: Gergely Erdelyi and Sami Rautiainen; F-Secure Corp.; June 28th, 2002]