Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W97M/Marker.BQ


Threat Risk LOW LOW
Destructivity LOW LOW
Detection files published 05 Jan 2000 03:00:00
Description created 06 Jan 2000 03:00:00
Description updated 06 Jan 2000 03:00:00
Malware type VIRUS
Spreading mechanism FILE_INFECTION
Summary None



W97M/Marker.BQ is a small virus. The first actions taken by the virus is disabling the virus protection in Word. After that, the virus will drop its payload. This is done every time a document or template are opened. Next, W97M/Marker.BQ will check if the global template Normal.Dot is already infected and if the opened document is already infected. To prevent re-infection, the virus uses a constant marker at the start of the viral code. If the template or document do not contain the marker, they will be infected.At the end of the viral code, the author left a message that reads:Virus Created By An Indian Citizen

Payload Details

W97M/Marker.BQ contains one payload.

Every time a document template is opened, the virus will generate a partially random filename. The filename is constructed as

"CMC" + Str (32768 * Rnd) + ".txt" This will generate file names with the format CMC xxxx.xx.txt where 'x' can be any digit in the sequence 0-9. The file will contain the next single text line

Railways is an integral part of CMC LTD. JAI CMC Since the virus will do this every time it opens a document or template, the current document folder, usually the "My Documents", will fill up rather fast with these files. Every time Microsoft Word is loaded, it opens Normal.Dot and by default creates yet another file. If documents are stored on a shared server where everybody have to store their documents, the payload can eat up storage resources rather fast.

A second payload in the virus is not active, as it has been commented out. If the comment should be removed, however, the W97M/Marker.BQ would start an FTP session and use the generated text file as a command file. Since the generated text file does not contain any ftp commands, this operation would fail. Nevertheless, the virus can be altered in such a way that the generated text file does contain correct ftp commands with all possible problems as the outcome. The virus may ftp confidential and restricted documents to a certain site.





Last Updated: 12 Nov 2015 11:06:11