Threat Encyclopedia


W97M/Marker.A

This macro virus uses the "class" method of infection: it attacks the module "ThisDocument", which is present by default in every Word document or template. After an infected document is opened, the virus disables Word's anti-virus protection and tries to attack the global template NORMAL.DOT. For that purpose it creates the file netldv.vxd in the root directory of drive C: and exports its body into it.
A peculiarity of this virus is that it stores data on infected computers in the form of a log file. Individual records look as follows:

' 08:26:42 - Sonntag, 22 Nov 1998
' SPo0Ky
' Blue Planet

Each time it infects a global template, the virus adds to the log file the time, the date, the name of the program's user and the user's address as they were given when Word was installed. After infecting the global template, the virus attacks every document that is saved, provided it is derived from that template. Here the virus again uses the file C:\netldv.vxd, which it deletes once it has finished infecting the document being saved. The virus determines whether a document or global template has already been infected by checking for the constant Marker with the value "<- this is a marker!".
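
A triage check built from the indicators described above, as an added example that is not part of the original encyclopedia entry or any Eset tool. It assumes the macro text has already been extracted to a string by a separate tool and that log records appear in it exactly as in the sample above; the function names and the constant declaration in the sample are hypothetical.

```python
import re

# Indicators quoted in the description above.
MARKER_VALUE = "<- this is a marker!"
DROP_FILE = r"C:\netldv.vxd"

# First line of a log record: ' HH:MM:SS - <weekday>, <day> <month> <year>
RECORD_HEAD = re.compile(
    r"^'\s*(\d{2}:\d{2}:\d{2})\s*-\s*([^\W\d_]+),\s*(\d{1,2}\s+\S+\s+\d{4})$")

def comment_text(line):
    """Return the body of a VBA comment line, or None for anything else."""
    s = line.strip()
    return s[1:].strip() if s.startswith("'") else None

def parse_log_records(source):
    """Collect complete three-line records (timestamp, user, address)."""
    lines = [l.strip() for l in source.splitlines()]
    records = []
    for i, line in enumerate(lines):
        head = RECORD_HEAD.match(line)
        if not head:
            continue
        follow = lines[i + 1:i + 3]
        # Skip records cut short by end of text or by the next timestamp.
        if len(follow) < 2 or any(RECORD_HEAD.match(f) for f in follow):
            continue
        user, address = (comment_text(f) for f in follow)
        if user and address:
            records.append({"time": head.group(1), "weekday": head.group(2),
                            "date": head.group(3), "user": user,
                            "address": address})
    return records

def triage(source):
    """Summarise the W97M/Marker.A indicators found in extracted macro text."""
    return {"marker_present": MARKER_VALUE in source,
            "mentions_drop_file": DROP_FILE.lower() in source.lower(),
            "log_records": parse_log_records(source)}

# Constructed sample: the record shown above plus a hypothetical constant
# declaration and a truncated record.
SAMPLE = "\n".join([
    'Private Const Marker = "<- this is a marker!"',
    "' 08:26:42 - Sonntag, 22 Nov 1998",
    "' SPo0Ky",
    "' Blue Planet",
    "' 09:01:07 - Monday, 23 Nov 1998",
])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The parsed records show which user names and addresses the virus captured on each global template infection, which helps trace the machines a document passed through.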

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.