Lumension® Endpoint Intelligence Center

Overview

Threat Risk: LOW
Destructivity: LOW
Payload:
Detection files published:
Description created: 28 Aug 2000 03:00:00
Description updated: 15 Nov 2001 04:56:00
Malware type: VIRUS
Alias:
Spreading mechanism: FILE_INFECTION
Summary: None

W97M/Marker.DJ

Spreading

W97M/Marker.DJ is a small virus. The first action taken by the virus is to disable the virus protection in Word. After that, the virus will perform its payload. This is done every 1st of the month. Next, W97M/Marker.DJ will check whether the global template Normal.Dot is already infected and whether the opened document is already infected. To prevent re-infection, the virus uses a constant marker at the start of the viral code. If the template or document does not contain the marker, they will be infected. Otherwise they will be infected, and the virus will add a new entry to the infection log it carries around. The new entry consists of the time and date of infection, the user name and the user address.

Payload Details

The virus will check the registry key

HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info\LogFile

When the key does not exist, or the value is False, the virus will perform an FTP session. It will transfer the infection log file to the "Incoming" directory of the FTP site. The entire session is harmless, but of course the individual behind this FTP site, most likely the author, can monitor who is infected and which way the virus traveled. As the last action of the payload, it will set the registry key to True so the infection log file is only sent once.
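
The flag described above can be used for host triage. The PowerShell below is an added example, not part of the original description or of any vendor tool; it reports the state of the flag for every loaded user hive. It assumes LogFile is a value under the User Info key and is stored as the text True or False; the function name Get-MarkerLogFlag is hypothetical.

```powershell
# Added example: report the W97M/Marker.DJ "log already sent" flag per user hive.
# Assumption: "LogFile" is a value under the "User Info" key named in the description.
function Get-MarkerLogFlag {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$SubKey    = 'Software\Microsoft\MS Setup (ACME)\User Info',
        [string]$ValueName = 'LogFile'
    )

    # HKEY_USERS has one subkey per loaded profile. Profiles that are not
    # loaded are not covered by this check. The *_Classes hives are skipped.
    $hives = Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }

    foreach ($hive in $hives) {
        $sid   = $hive.PSChildName
        $path  = "Registry::HKEY_USERS\$sid\$SubKey"
        $raw   = $null
        $state = 'KeyAbsent'              # User Info key not present in this hive

        if (Test-Path -LiteralPath $path) {
            $state = 'FlagAbsent'         # key exists, no LogFile value
            $prop  = Get-ItemProperty -LiteralPath $path -Name $ValueName -ErrorAction SilentlyContinue
            if ($null -ne $prop) {
                $raw  = $prop.$ValueName
                $text = "$raw".Trim()
                if     ($text -match '^true$')  { $state = 'LogSent' }     # payload completed once
                elseif ($text -match '^false$') { $state = 'LogNotSent' }  # payload would send the log
                else                            { $state = 'FlagUnrecognised' }
            }
        }

        [pscustomobject]@{
            Sid      = $sid
            State    = $state
            RawValue = $raw
        }
    }
}

# Show only hives where the flag itself was found.
Get-MarkerLogFlag |
    Where-Object { $_.State -notin 'KeyAbsent', 'FlagAbsent' } |
    Format-Table -AutoSize
```

Per the description, the value is set to True only after the payload has transferred the infection log, so a LogSent result is the state to follow up on by checking Normal.Dot and recently opened documents on that profile.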

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:10