Classification

Category :

Malware

Type :

Worm

Aliases :

Dotor, W32.Dotor

Summary

Dotor is a mass-mailer worm with several different components. The UPX packed body of the worm is around 11 kilobytes in size that is 40 kilobytes unpacked. Dotor attempts to send itself to all the addresses found in the Microsoft Outlook Address Book.

Messages sent by the worm are composed as follows.

Subject: NewTool for Word Macro Virus
 Body:
 This tool allows you to protect you against  unknown
 macro virus.
 Click on the attached file to run this freeware.
 Best Regards. Have a nice day
 Attachment: DocTor.exe

Removal

Based on the settings of your F-Secure security program, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Binary part

The binary part of the worm drops the scripts and sends e-mails with infected attachments. When the infected attachment is started it copies itself to the Windows directory and 'Doctor.exe'. The worm body is then converted to a script file and dropped to C:\ with a random name and .TXT extension. Another script file is dropped to the user's StarUp folder as 'doctor.vbs'. As a last step the worm adds itself to the registry under the Run key as

'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DocTor'

After system is restarted once the mass-mailer part activates. First it sleeps for 20 seconds then it deletes the 'doctor.vbs' from the user's StartUp folder.

After this it checks if the Internet connection is available and goes to a wait loop if it's not. When the computer's Internet connection becomes active the worm connects to the Outlook Address Book and sends an infected e-mail to each address it finds there.

Script and macro part

When the system is restarted, the script in the user's startup folder will be executed. This script, 'doctor.vbs', will disable macro virus protection for both Microsoft Word 2000 and Word XP, and infects the Word's global template. After that Dotor works as macro virus, and will infect all documents opened thereafer.

When an infected document is opened, Dotor will disable the macro virus protection and drop the binary part as 'Doctor.exe' into Windows installation directory. This program is set to execute in the next system restart via registry. Finally the macro part will check if the global template is already infected and if it is not, it will be infected.