
W97M/Marker.DJ

Threat risk: low

Detection files published: Jun 2000
Description created: 2000-08-29
Description updated: 2001-11-15

Malware type: Virus
Alias:
Spreading mechanism: File Infection

Payload:

Spreading description

W97M/Marker.DJ is a small virus. Its first action is to disable the virus protection in Word. After that, the virus performs its payload. This is done on the 1st of every month. Next, W97M/Marker.DJ checks whether the global template Normal.Dot and the opened document are already infected. To prevent re-infection, the virus uses a constant marker at the start of the viral code. If the template or document does not contain the marker, it is infected, and the virus adds a new entry to the infection log it carries around. The new entry consists of the time and date of infection, the user name and the user address.

Threat description

The virus will check the registry key

HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info\LogFile

When the key does not exist, or the value is False, the virus performs an FTP session. It transfers the infection log file to the "Incoming" directory of the FTP site. The entire session is harmless, but the individual behind this FTP site, most likely the author, can monitor who is infected and which way the virus traveled. As the last action of the payload, it sets the registry key to True so that the infection log file is only sent once.
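
Because the payload sets the LogFile value to True only after the upload, the value shows during incident response whether the infection log has already left a given user profile. The following is an added example, not part of the original description: it reads a regedit text export and reports that state. It assumes the flag is stored as string data "True"/"False"; the function names and the sample exports are constructed for illustration.

```python
import re

# Key and value name exactly as given in the description above.
KEY = r"HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info"
VALUE = "LogFile"

SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def read_flag(reg_text):
    """Return the string data of LogFile in a regedit text export, or None."""
    section = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            section = header.group(1).lower()  # key names are case-insensitive
            continue
        if section != KEY.lower():
            continue
        entry = STRING_VALUE.match(line)
        if entry and entry.group(1).lower() == VALUE.lower():
            return entry.group(2)
    return None


def payload_state(reg_text):
    """'sent': flag is True, so the infection log was already uploaded.
    'not-sent': flag missing or False (also the state of a clean profile).
    'unexpected': flag present with other data; inspect by hand."""
    data = read_flag(reg_text)
    if data is None or data.strip().lower() == "false":
        return "not-sent"
    if data.strip().lower() == "true":
        return "sent"
    return "unexpected"


# Constructed sample exports, not taken from a real host.
HEADER = "Windows Registry Editor Version 5.00\n\n"
SENT = HEADER + "[" + KEY + ']\n"LogFile"="True"\n'
PENDING = HEADER + "[" + KEY + ']\n"LogFile"="False"\n'
CLEAN = HEADER + "[HKEY_CURRENT_USER\\Software\\Example]\n" + '"LogFile"="True"\n'

if __name__ == "__main__":
    for name, text in (("SENT", SENT), ("PENDING", PENDING), ("CLEAN", CLEAN)):
        print(name, payload_state(text))
```

A "not-sent" result does not show that a profile is clean; it only means the upload has not completed for that user, so documents and Normal.Dot still need to be scanned.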