W97M_DOTOR.A

Malware type: Macro

Aliases: W97M/Generic (McAfee), W97M.Dotor.A@mm (Symantec), W2000M/Bumdoc.A (Avira), WM97/Dotor-A (Sophos)

In the wild: No

Destructive: No

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

Description: 
This macro virus infects Word document files and drops the WORM_DOTOR.A. It does not have a destructive payload.

For additional information about this threat, see:

Description created: Jun. 23, 2002 5:33:53 PM GMT -0800
Description updated: Jun. 24, 2002 3:26:47 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 16,335 Bytes

Initial samples received on: Jun 23, 2002

Related to: WORM_DOTOR.A

Details:
This macro virus infects the Microsoft Word global template, NORMAL.DOT, and then infects all DOC files subsequently opened on the infected system. It also lowers the macro security level on Microsoft Word versions 9.0 and 10.0, so that whenever an infected DOC file is opened, the macro virus executes automatically without prompting the user. To accomplish this, it sets the Level value in the following registry keys to 1:

On version 9.0

HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security
Level = 1

On version 10.0

HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security
Level = 1

After making the registry modifications, it drops the worm file, DOCTOR.EXE, in the Windows folder. Trend Micro antivirus detects DOCTOR.EXE as WORM_DOTOR.A.


SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 1.304.00

Pattern release date: Jun 23, 2002


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as W97M_DOTOR.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.

Allowing Only Signed/Trusted Macros To Run

  1. Open Registry Editor.
    Click Start>Run, type REGEDIT, then hit the Enter key.
  2. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Office>9.0>Word>Security
  3. In the right panel, double-click the registry name Level and change its value to 3.
  4. Again in the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Office>10.0>Word>Security
  5. In the right panel, double-click the registry name Level and change its value to 3.
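
The registry steps above can also be scripted. The following PowerShell is an added example, not part of Trend Micro's original description; the helper name Get-WordMacroLevel and the -Fix switch are illustrative. It reports the Level value for Word 9.0 and 10.0, flags values below 3, writes Level = 3 only when run with -Fix, and warns if DOCTOR.EXE is present in the Windows folder.

```powershell
# Added example (not Trend Micro tooling): audit the Word macro security level
# that W97M_DOTOR.A lowers, and optionally restore it.
param([switch]$Fix)              # report only unless -Fix is given

$RequiredLevel = 3               # value the manual steps above set
$WordVersions  = '9.0', '10.0'   # the two versions named in the description

function Get-WordMacroLevel {    # illustrative helper name
    param([string]$Version)
    $key    = "HKCU:\Software\Microsoft\Office\$Version\Word\Security"
    $result = [pscustomobject]@{ Version = $Version; Key = $key; Level = $null; State = 'KeyMissing' }
    if (-not (Test-Path -Path $key)) { return $result }      # this Word version is not present

    $prop = Get-ItemProperty -Path $key -Name 'Level' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { $result.State = 'ValueMissing'; return $result }

    $result.Level = [int]$prop.Level
    $result.State = if ($result.Level -lt $RequiredLevel) { 'Lowered' } else { 'OK' }
    return $result
}

$report = foreach ($v in $WordVersions) { Get-WordMacroLevel -Version $v }

if ($Fix) {
    foreach ($r in $report | Where-Object { $_.State -eq 'Lowered' }) {
        # -Force overwrites the existing value; DWord matches the value's type
        New-ItemProperty -Path $r.Key -Name 'Level' -PropertyType DWord `
            -Value $RequiredLevel -Force | Out-Null
        $r.State = 'Restored'
        $r.Level = $RequiredLevel
    }
}

$report | Format-Table Version, Level, State -AutoSize

# The description says the worm component is dropped into the Windows folder.
$dropped = Join-Path $env:windir 'DOCTOR.EXE'
if (Test-Path -LiteralPath $dropped) {
    Write-Warning "$dropped exists: scan it with up-to-date antivirus before deleting."
}
```

Run it as the affected user, since both values live under HKEY_CURRENT_USER.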
