Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

W97M/Marker.D

W97M/Marker.D is a macro virus operating in the Microsoft Word 97 environment. It uses the "class" method of infection – it attacks the module "ThisDocument" which is present as a standard in each Word document or template. It attacks the global template normal.dot and Word documents. It is derived from the virus W97M/Marker.A.
Unlike the W97M/Marker.A this variant creates on Sunday, depending on the value of the item LogUploaded of the key HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info in the system registry the file c:\hsfx????.sys into which it exports its “log” about the course of infection. Instead of the question marks in the filename it uses random characters. Then the virus creates script for FTP in the file c:\netldv.vxd and sends the file c:\hsfx????.sys to a preselected address.
In the end it attacks the global template and the active document but it does not export its code into any file.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.