Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically


This is a macro virus derived from W97M/Marker.A. It uses the "class" method of infection – it attacks the module "ThisDocument" which is present as a standard in each Word document or template. After opening an infected document the virus turns off the Word anti-virus protection and tries to attack the global template NORMAL.DOT. For that purpose it creates file hsfXXXX.sys in the disk C: root directory and exports its body into it. The virus substitutes characters XXXX by randomly generated numbers. As a next file it creates the file C:\netldx.vxd into which it writes the following text:

user anonymous
pass itsme@
cd incoming
put hsfXXXX.sys

Like the virus W97M/Marker.A, it also keeps record of already infected computers. Individual records look as follows:

' 08:26:42 - Sonntag, 22 Nov 1998
' SPo0Ky
' Blue Planet

At any global template infection the virus adds to the log file time, date, name of the program user and its address as they are given at the Word installation. After infecting the global template the virus attacks all documents that are being saved if they are derived from that template. The virus finds out whether a document or global template have already been infected by the presence of the constant Marker with the value "<- this is a marker!".
This version of the virus W97M/Marker has improved the way of working with the log file. If there is no key Logfile with value True in the HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info and it is the first day of a month it tries to implement commands contained in the file C:\netldx.vxd by means of ftp and send the log file to the server with IP address into the directory incoming.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.