WORM_DOTOR.A

Malware type: Worm

Aliases: Email-Worm.Win32.Dotor (Kaspersky), W32/DoTor@MM (McAfee), W32.Dotor.A@mm (Symantec), Worm/Doctor (Avira), W32/Dotor-A (Sophos)

In the wild: No

Destructive: No

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

Description: 
This mass-mailing worm arrives as the attachment, DOCTOR.EXE, to an email message. It sends an email message with the following format to all addresses listed in the infected user's contact list:

Subject: NewTool for Word Macro Virus
Message Body: This tool allows you to protect you against unknown macro virus.
Click on the attached file to run this freeware.
Best Regards. Have a nice day.
Attachment: DocTor.exe

Description created: Jun. 23, 2002 5:30:23 PM GMT -0800
Description updated: Jun. 24, 2002 2:34:50 AM GMT -0800


TECHNICAL DETAILS


Size of malware: UPX compressed: 11,776 bytes; non-UPX compressed: 40,960 bytes

Initial samples received on: Jun 23, 2002

Related to: W97M_DOTOR.A

Details:
On its first execution, this worm copies itself to a DOCTOR.EXE file in the Windows directory. Then, it creates the following registry entry so that its copy executes upon Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
DocTor = %windows%\doctor.exe /newrun

When the infected system is restarted and this worm is executed the second time around, it searches for and then infects the Microsoft Word Global template. After infecting the Global template, it infects all active .DOC files.

Trend Micro antivirus detects infected .DOC files as W97M_DOTOR.A.

This worm uses the Messaging Application Programming Interface (MAPI) to propagate copies of itself via email. It sends an email message with the following format to all addresses listed in the infected user's contact list:

Subject: NewTool for Word Macro Virus
Message Body: This tool allows you to protect you against unknown macro virus.
Click on the attached file to run this freeware.
Best Regards. Have a nice day.
Attachment: DocTor.exe


SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 1.304.00

Pattern release date: Jun 23, 2002


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup. This is also an effective malware process termination procedure.

  1. Open Registry Editor. Click Start > Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run
  3. In the right panel, locate and delete the entry or entries whose data value is the malware path and filename:
    DocTor = %windows%\Doctor.exe /newrun

    *Where %windows% is the Windows directory, which is usually C:\Windows or C:\WINNT.
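The manual Registry Editor steps above can be scripted so that an administrator can audit many machines for the same autostart value before touching anything. The following PowerShell function is an added example, not part of the Trend Micro entry; the value name DocTor and the data %windows%\doctor.exe /newrun come from the page, while the function name and its parameters are assumptions.

```powershell
# Added example (not part of the Trend Micro entry): audit the HKLM Run key for the
# WORM_DOTOR.A autostart value described above, and remove it only when -Remove is given.
# Assumptions: value name "DocTor" and data "<windir>\doctor.exe /newrun" are taken from
# the page; the function name and parameters are my own.
function Find-DotorAutostart {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        [switch]$Remove
    )

    if (-not (Test-Path -Path $RunKey)) {
        Write-Warning "Run key not found: $RunKey"
        return
    }

    # %windows% in the page's notation is the real Windows directory on this host.
    $expectedExe = Join-Path -Path $env:windir -ChildPath 'doctor.exe'

    $item = Get-Item -Path $RunKey
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        # Match on the data (path plus the /newrun switch) rather than only on the
        # value name, so a renamed value that still points at doctor.exe is reported too.
        if ($data -notmatch '(?i)\\doctor\.exe\s+/newrun\s*$') { continue }

        # Emit a report object for each hit; this is the audit record.
        [pscustomobject]@{
            Key        = $RunKey
            ValueName  = $name
            Data       = $data
            FileExists = Test-Path -Path $expectedExe
        }

        # Removal is opt-in and honours -WhatIf / -Confirm via ShouldProcess.
        if ($Remove -and $PSCmdlet.ShouldProcess("$RunKey\$name", 'Remove autostart value')) {
            Remove-ItemProperty -Path $RunKey -Name $name
        }
    }
}

# Report only:
Find-DotorAutostart
# Remove after review (dry run first):
# Find-DotorAutostart -Remove -WhatIf
```

Run it from an elevated session; the function emits objects, so the hits can be piped to Export-Csv as an incident record before any removal is done.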

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_DOTOR.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other users may use HouseCall, Trend Micro's free online virus scanner.