New virus threat is really an oldie…
Threat Name: W97M.Marker.gen
Location: htxp://abbynet.sd34.bc.ca/~clayburn6C/S05FE3FF8.1/clayburnhomereading.doc
Threat Name: W97M.Marker.gen
Location: htxp://abbynet.sd34.bc.ca/~clayburn6C/S05FE3FEA.3/translatingavoirvetecoleur.doc
Threat Name: W97M.Marker.gen
Location: htxp://abbynet.sd34.bc.ca/~clayburn6C/S05FE3FEA.2/lesvetementsvocab.doc
Threat Name: W97M.Marker.gen
Location: htxp://abbynet.sd34.bc.ca/~clayburn6C/S05FE4031.1/ch3vocab.doc
Threat Name: W97M.Marker.gen
Location: htxp://abbynet.sd34.bc.ca/~clayburn6C/S05FE4031.1/ch4vocabanswers.doc
So stay clear of this Canadian site, folks.
This virus is an oldie, has been with us since 1999: http://computertimes.com/apr01forbeginner.htm
The W97M/Marker family hooks system events Document_Open and Document_Close to run the infection routine - this is common among all variants.
W97M/Marker.d (and several other variants) have an empty Document_New routine.
W97M/Marker.n modifies document properties in 30% of infections with same as W97M/Ethan.a.
W97M/Marker.o, .p, .x have a payload activation date of Feb 22 (see description in VIL).
W97M/Marker.o gives the message “Happy Birthday Shankar”.
W97M/Marker.s beeps 1000 times when opening documents.
W97M/Marker.t password protects documents with the password of ‘teste’.
W97M/Marker.ab writes a new file every time an infected document is opened by the name “india”#.txt with the text “Kashmir is an integral part of INDIA. JAI HIND.”
W97M/Marker.ac uses system events AUTOOPEN, AUTOCLOSE to run FNord macro.
W97M/Marker.af gives the message “Happy Birthday Akhmed Khan”.
W97M/Marker.ai gives the message “Happy Birthday Shankar” and also contains a reference to the same Autoopen macro as Beast.41472 activating an embedded object 5 minutes after opening the infected document - the embedded object does not exist, however.
nothing found: http://scanner.novirusthanks.org/analysis/acd80d86bb3ef0aed82e3bfcaf4f2a43/fmNsYXlidXJuNkM=/
polonus
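
As an added example (not part of the original post, and not any vendor's detection logic): a small triage pass over VBA macro source that flags the auto-run entry points named in the variant list above (Document_Open, Document_Close, Document_New, AutoOpen, AutoClose) and separates handlers that execute statements from empty stubs such as the empty Document_New routine. It assumes the macro source has already been extracted to text by another tool; the function names and the sample macro are constructed for illustration.

```python
import re

# Auto-run entry points named in the post (VBA identifiers are case-insensitive).
AUTO_HANDLERS = {"document_open", "document_close", "document_new", "autoopen", "autoclose"}
SUB_START = re.compile(r"^\s*(?:(?:public|private)\s+)?sub\s+(\w+)\s*\(", re.I)
SUB_END = re.compile(r"^\s*end\s+sub\b", re.I)


def _is_code(line):
    """True if the line holds a statement, not blank space or a ' / Rem comment."""
    s = line.strip()
    return bool(s) and not s.startswith("'") and not re.match(r"rem\b", s, re.I)


def find_auto_handlers(vba_source):
    """Return {handler: {"line": n, "statements": k}} for each auto-run Sub."""
    found, current = {}, None
    for lineno, line in enumerate(vba_source.splitlines(), 1):
        if current is None:
            m = SUB_START.match(line)
            if m and m.group(1).lower() in AUTO_HANDLERS:
                current = m.group(1).lower()
                found[current] = {"line": lineno, "statements": 0}
        elif SUB_END.match(line):
            current = None
        elif _is_code(line):
            found[current]["statements"] += 1
    return found


def triage(vba_source):
    """Split auto-run handlers into ones that run code and empty stubs."""
    handlers = find_auto_handlers(vba_source)
    active = sorted(n for n, h in handlers.items() if h["statements"] > 0)
    empty = sorted(n for n, h in handlers.items() if h["statements"] == 0)
    return active, empty


# Constructed, harmless sample macro source (not taken from any real document).
SAMPLE = """\
Private Sub Document_Open()
    ' a comment line is not counted as a statement
    Call Helper
End Sub
Private Sub Document_New()
End Sub
Sub Helper()
    MsgBox "hello"
End Sub
Private Sub document_close()
    Call Helper
End Sub
"""
```

Calling `triage(SAMPLE)` reports `document_open` and `document_close` as active and `document_new` as an empty stub. A hit only means the document runs code on open or close, so it is a reason to inspect the macro, not a family identification.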