New virus threat...or "a virus with a long, long beard"

New virus threat is really an oldie…

Threat Name: W97M.Marker.gen
Location: htxp://abbynet.sd34.bc.ca/~clayburn6C/S05FE3FF8.1/clayburnhomereading.doc

Threat Name: W97M.Marker.gen
Location: htxp://abbynet.sd34.bc.ca/~clayburn6C/S05FE3FEA.3/translatingavoirvetecoleur.doc

Threat Name: W97M.Marker.gen
Location: htxp://abbynet.sd34.bc.ca/~clayburn6C/S05FE3FEA.2/lesvetementsvocab.doc

Threat Name: W97M.Marker.gen
Location: htxp://abbynet.sd34.bc.ca/~clayburn6C/S05FE4031.1/ch3vocab.doc

Threat Name: W97M.Marker.gen
Location: htxp://abbynet.sd34.bc.ca/~clayburn6C/S05FE4031.1/ch4vocabanswers.doc

So stay clear of this Canadian site, folks.
This virus is an oldie; it has been with us since 1999: http://computertimes.com/apr01forbeginner.htm
The W97M/Marker family hooks system events Document_Open and Document_Close to run the infection routine - this is common among all variants.

W97M/Marker.d (and several other variants) have an empty Document_New routine.
W97M/Marker.n modifies document properties in 30% of infections with the same as W97M/Ethan.a.
W97M/Marker.o, .p, .x have a payload activation date of Feb 22 (see description in VIL).
W97M/Marker.o gives the message “Happy Birthday Shankar”.
W97M/Marker.s beeps 1000 times when opening documents.
W97M/Marker.t password protects documents with the password of ‘teste’.
W97M/Marker.ab writes a new file every time an infected document is opened by the name “india”#.txt with the text “Kashmir is an integral part of INDIA. JAI HIND.”
W97M/Marker.ac uses system events AUTOOPEN, AUTOCLOSE to run FNord macro.
W97M/Marker.af gives the message “Happy Birthday Akhmed Khan”.
W97M/Marker.ai gives the message “Happy Birthday Shankar” and also contains a reference to the same Autoopen macro as Beast.41472, activating an embedded object 5 minutes after opening the infected document. The embedded object does not exist, however.

Nothing found: http://scanner.novirusthanks.org/analysis/acd80d86bb3ef0aed82e3bfcaf4f2a43/fmNsYXlidXJuNkM=/

polonus
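
The post above says the Marker family runs from Document_Open and Document_Close, that Marker.ac uses AUTOOPEN and AUTOCLOSE, and that some variants carry an empty Document_New. As an added example (not part of the original post), this triage sketch lists which of those auto-run handlers are present in macro source and which are empty stubs. It assumes the VBA source has already been extracted from the document as text; the function names and the sample macro are constructed for illustration.

```python
import re

# Auto-run entry points named in the thread; VBA identifiers are case-insensitive.
AUTO_HANDLERS = {"document_open", "document_close", "document_new",
                 "autoopen", "autoclose"}
SUB_START = re.compile(r"^\s*(?:(?:Private|Public)\s+)?Sub\s+(\w+)\s*\(", re.I)
SUB_END = re.compile(r"^\s*End\s+Sub\b", re.I)

def auto_handlers(vba_source):
    """Return {handler name: count of executable lines} for auto-run Subs."""
    found, current, body = {}, None, 0
    for line in vba_source.splitlines():
        if current is None:
            m = SUB_START.match(line)
            if m and m.group(1).lower() in AUTO_HANDLERS:
                current, body = m.group(1), 0
        elif SUB_END.match(line):
            found[current] = body
            current = None
        else:
            stripped = line.strip()
            # Blank lines and comments (' or Rem) are not executable.
            if stripped and not stripped.startswith("'") and not re.match(r"rem\b", stripped, re.I):
                body += 1
    return found

def triage(vba_source):
    """Split handlers into those that run code and those that are empty stubs."""
    handlers = auto_handlers(vba_source)
    active = sorted(n for n, c in handlers.items() if c > 0)
    empty = sorted(n for n, c in handlers.items() if c == 0)
    return active, empty

# Constructed, harmless macro text standing in for source extracted from a .doc.
SAMPLE = """\
Private Sub Document_Open()
    ' constructed placeholder body
    MsgBox "opened"
End Sub
Private Sub document_close()
    MsgBox "closed"
End Sub
Private Sub Document_New()
End Sub
Sub Helper()
    MsgBox "not an auto-run handler"
End Sub
"""
```

A non-empty auto-run handler is only a reason to look closer, since legitimate templates use these events too; the empty-stub list separates placeholders like the Document_New case from handlers that actually execute code.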

An oldie… but still not a 100% score… ???

VirSCAN - clayburnhomereading.doc - 26/36
http://virscan.org/report/7a9bb974fdf7b6e8d009d66e9e84fc74.html

VirusTotal - clayburnhomereading.doc - 30/41
http://www.virustotal.com/analisis/f2b01ae3ac8eeb94c5c77977a4bebad8614af6d13c7ab3740572c72ff80f48d8-1275953111