The binary part of the worm drops the scripts and sends e-mails
with infected attachments. When the infected attachment is started
it copies itself to the Windows directory as 'Doctor.exe'. The
worm body is then converted to a script file and dropped to C:\
with a random name and .TXT extension. Another script file is
dropped to the user's StartUp folder as 'doctor.vbs'. As a last
step the worm adds itself to the registry under the Run key as
After the system is restarted once, the mass-mailer part activates.
First it sleeps for 20 seconds, then it deletes 'doctor.vbs'
from the user's StartUp folder.
After this it checks if the Internet connection is available
and goes to a wait loop if it's not. When the computer's Internet
connection becomes active the worm connects to the Outlook Address
Book and sends an infected e-mail to each address it finds there.
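An offline triage check for the dropped files described above, written as an added example (not part of the original description). The function names, the script-marker heuristic and the sample tree are assumptions of this example; the StartUp path differs between Windows versions, so it is passed in.

```python
import os

# File names come from the description; the markers below are an assumed
# heuristic for "a .TXT file that actually contains script".
SCRIPT_MARKERS = (b"createobject", b"wscript.", b"on error resume next")

def _find_ci(directory, name):
    """Return the path of `name` in `directory`, matched case-insensitively."""
    if not os.path.isdir(directory):
        return None
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None

def triage(root, windows_dir, startup_dirs):
    """Check a mounted system volume for the artifacts named in the write-up."""
    findings = []
    hit = _find_ci(os.path.join(root, windows_dir), "Doctor.exe")
    if hit:
        findings.append(("binary", hit))
    # The mass-mailer deletes doctor.vbs after a restart, so a missing
    # startup script does not clear the host; each artifact is judged alone.
    for d in startup_dirs:
        hit = _find_ci(os.path.join(root, d), "doctor.vbs")
        if hit:
            findings.append(("startup_script", hit))
    # Random-named .TXT in the volume root: flag only if it reads like script.
    for entry in os.listdir(root):
        path = os.path.join(root, entry)
        if entry.lower().endswith(".txt") and os.path.isfile(path):
            with open(path, "rb") as fh:
                head = fh.read(65536).lower()
            if any(m in head for m in SCRIPT_MARKERS):
                findings.append(("script_as_txt", path))
    return findings

def build_sample(root, with_startup=True):
    """Constructed sample tree; file contents are harmless stubs."""
    win, start = os.path.join(root, "WINDOWS"), os.path.join(root, "StartUp")
    os.makedirs(win)
    os.makedirs(start)
    files = {os.path.join(win, "DOCTOR.EXE"): b"stub",
             os.path.join(root, "qzxkw.TXT"): b"On Error Resume Next\r\n",
             os.path.join(root, "readme.txt"): b"plain notes\r\n"}
    if with_startup:
        files[os.path.join(start, "doctor.vbs")] = b"' stub\r\n"
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)
```

Point `triage` at a read-only mount of the suspect volume; a hit on any single artifact is worth following up because the startup script is removed after the first restart.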
Script and macro part
When the system is restarted, the script in the user's startup folder
will be executed. This script, 'doctor.vbs', will disable macro virus
protection for both Microsoft Word 2000 and Word XP, and infect
Word's global template. After that Dotor works as a macro virus, and
will infect all documents opened thereafter.
When an infected document is opened, Dotor will disable the macro
virus protection and drop the binary part as 'Doctor.exe' into the Windows
installation directory. This program is set to execute at the next
system restart via the registry. Finally the macro part will check if the
global template is already infected and if it is not, it will be