W32.Dotor.A@mm


Aliases:  Email-Worm.Win32.Dotor, W32/DoTor@MM, W32.Dotor.A@mm, Worm/Doctor, W32/Dotor-A
Variants: WORM_DOTOR.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 24 Jun 2002
Damage: Medium

Characteristics: W32.Dotor.A@mm worm infects computers through the use of an email message. It is considered as a mass-mailing worm that automatically sends itself to all of the compromised computer’s Microsoft Outlook contacts. Email characteristics contain the subject “NewTool for Word Macro Virus," and the attachment is Doctor.exe. In the message body, it displays the following context, “This tool allows you to protect you against unknown macro virus. Click on the attached file to run this freeware."

More details about W32.Dotor.A@mm

It affects all Windows system by creating a .vbs script file in the Windows start menu programs. It is said that it infects the Microsoft Word global template known as Normal.dot. It is also described as a multi-component email worm. This means that this worm spreads through packed executable file or what we normally know as word document. Upon opening or executing this file, the worm automatically installs itself on the compromised computer. Registry files or keys are also altered, which means that it also patches itself to Windows registry folders and sets a Registry key in order to run the worm at startup. You may see a Doctor.exe file on the windows directory.

The connection settings used by the W32.Dotor.A@mm program is configured on the client module. A single client can be used to control several server modules. The client component allows the remote user to specify the Internet Protocol (IP) address of the computer to be monitored. It has a control interface which allows the remote hacker to access different resources on the user’s computer. The client module may be used to kill processes on the user’s computer. It may also be used to uninstall the server component.