On its first execution, this worm copies itself to a DOCTOR.EXE file in the Windows directory. Then, it creates the following registry entry so that its copy executes upon Windows startup:
DocTor = %windows%\doctor.exe /newrun
When the infected system is restarted and this worm is executed the second time around, it searches for and then infects the Microsoft Word Global template. After infecting the Global template, it infects all active .DOC files.
Trend Micro antivirus detects Infected doc files as W97M_DOTOR.A.
This worm uses Messaging Application Interface (MAPI) to propagate copies of itself via email. It sends an email message with the following format to all addresses listed in the infected user's contact list:
Subject: NewTool for Word Macro Virus
Message Body: This tool allows you to protect you against unknown macro virus.
Click on the attached file to run this freeware.
Best Regards. Have a nice day.