Marker | |
---|---|
Type | Macro virus |
Creator | |
Date Discovered | < 1999.06.03 |
Place of Origin | |
Source Language | Basic |
Platform | MS Word |
File Type(s) | .doc |
Infection Length | |
Reported Costs | |
Marker is a macro virus from the late 1990s. Like many macro viruses, it spawned numerous variants. Its infection method closely resembles that of Class, and it also shares some features with Caligula and Ethan.
Behavior
Marker saves a copy of its code in a file named c:\netldv.vxd.
Marker keeps a log of the date and time of each infection, stored at the end of the virus body. Because this log differs from one infected document to the next, the virus body is never quite the same twice, which some researchers count as a form of polymorphism. On the first day of the month following infection, it uploads this information to an FTP site. To ensure the upload happens only once per computer, it creates a registry value named LogFile under HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info.
Variants
Like many macro viruses, Marker produced enough variants to cycle through the alphabet several times. Only a few of them are particularly notable.
Marker.C
This variant creates a file named C:\HSF.SYS (each * represents a random character). This file stores the log information separately from the virus.
Marker.O
Marker.O, also known as Shankar's virus, was discovered on June 3rd, 1999. It infects the global template when an infected document is closed, and from then on infects every document as it is closed. From the 23rd to the 25th of July, it displays a message asking whether the user wants to wish Shankar a happy birthday. If the infected document is being opened, nothing further happens whether the user answers yes or no. If it is being closed, the virus expresses gratitude when the user answers yes and issues a vague threat otherwise. It also adds "Happy Birthday Shankar" in green text to every document.
It sets the following summary information (document properties) on the documents and templates it infects:
- Title: Are You suprised ?
- Subject: Birthday
- Author: LSK
- Category: You Are Infected
- Keywords: Birthday
- Comments: Shankar's Birthday falls on 25th July. Don't Forget to wish him.
Marker.Q
This variant is not considered polymorphic. It carries the same payload as the Ethan virus, deleting files associated with the Class virus.
Marker.X
Marker.X uses a polymorphic technique similar to that of Class.D. It also carries a destructive payload that deletes all files from the root of drive C:. It displays a message box titled "It's Murder" with the text "That's Right". It also hooks the Tools/Macros/Macro and Tools/Macros/Visual Basic Editor menu commands, replacing them with a message box reading "Error - Not enough memory!", so that a user cannot open the macro editor to inspect the infection.
Marker.X
This variant's marker string is changed to " <- You didn't count on that, Jaba the Hutt!", and the file holding the viral code in the root of C: is renamed to zbf.sys.
Marker.AQ
This variant changes the font of the active document to Webdings on the 13th of every month. On the 15th of every even-numbered month, it deletes the contents of the active document. It infects documents as they are opened or closed.
Marker.BN
Marker.BN's payload activates after June 2000. It changes Word's file-open directory to the Windows folder and saves the active document as AA#AA.DOC, where # is a number from 1 to 999999991.
Marker.BO
This variant carries a destructive payload. When an infected document is opened or closed, the virus deletes all documents and templates from Word's startup directory. It then sets Word's user name to JonMMx 2000, initials to MeMeX and email address to JonMMx2000@yahoo.com. The virus also attempts to collect information on every infected user of the computer.
On Sundays, this variant drops a file named Jon.html in the Windows folder and modifies the registry value that selects the desktop wallpaper so that this file is used. The file shows a poem in dark red text on a yellow background:
a Poet For My Dear Love
Dear Iin
To the very best that happen in mylife
Long ago and in my mind, I can see your face lonely and lost in time
You were gone since yester month But the memories, never would dissapear
I think of you, I THINK OF YOU.
Yes it's true I can pretend. But the paint of blue, keep beat me till the end.
Yes it's hard to understand. Why you leaving me and all we dreaming on
Dear Iin, I close my eyes and see your face. That's all I have to do to be with you.
Dear Iin, altough I can not touch your face. I know what I can do to be with you
Long ago so faraway. But the light of blue, still living with me today.
You were gone since yester month. But the memories never would dissapear.
Speed Hari
Marker.DD
This is considered a subvariant of BO. It sets Word's user name to fs080298, initials to FS2000 and email address to fs080298@hotmail.com. The HTML file it uses as wallpaper is EmailMe.html in the System folder and contains the text:
Have a Nice Day ! - Don't Forget to Save Your Data...
Email Me !
Marker.GR
This variant infects the global template when an infected document is opened. It writes a text file named CMC####.txt to the current working directory containing the text "Railways is an integral part of CMC LTD. JAI CMC". The virus code contains the comment "Virus Created By An Indian Citizen". CMC is an IT training institute in Jaipur, India.
Name and Origin
The original Marker contains the text string "<- this is a marker!", which "marks" the beginning of the viral code and gives the virus its name. Though it shares similarities with some viruses from VicodenES and Codebreakers, no definitive origin has been established.
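The per-infection log described under Behavior and the marker string described here together suggest how a practitioner would detect this family: a hash of an infected macro module changes from one infection to the next, but the marker string does not. The Python script below is an added example, not code from this page or from any of the antivirus vendors cited in Sources. Word 97 stores each VBA module's source text compressed with the MS-OVBA algorithm, so a raw byte search of a .doc for "<- this is a marker!" would miss it; the script decompresses a module stream (the decompressor is written from scratch for this example following the MS-OVBA specification) and then searches the recovered source for the two marker strings the page gives. The sample stream and the appended log line are constructed by hand for the example; they are not taken from a real infection.

```python
"""Recover and scan a Word 97 VBA module for Marker's signature string.

Added example, not from the page or the cited vendors. Word 97 stores each
VBA module's source text in a stream compressed with the MS-OVBA algorithm
(MS-OVBA section 2.4.1.3), so the module must be decompressed before the
marker string can be matched. The decompressor is written from scratch here;
the sample stream and the log line are constructed for the example.
"""
import hashlib
import math

# Marker strings the page gives for the original virus and for the second
# variant listed under Marker.X.
MARKER_STRINGS = (
    b"<- this is a marker!",
    b"<- You didn't count on that, Jaba the Hutt!",
)


def decompress_vba(data: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (leading signature byte 0x01)."""
    if not data or data[0] != 0x01:
        raise ValueError("not a VBA compressed container")
    out = bytearray()
    pos = 1
    while pos < len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        chunk_end = pos + (header & 0x0FFF) + 3      # size includes the header
        compressed = header >> 15
        pos += 2
        chunk_start = len(out)                        # DecompressedChunkStart
        if not compressed:                            # raw 4096-byte chunk
            out += data[pos:pos + 4096]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):                      # one token per flag bit
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:            # 0: literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                difference = len(out) - chunk_start
                if difference == 0:
                    raise ValueError("copy token with nothing to copy")
                # Offset/length bit split depends on how much of the chunk is
                # already decompressed (CopyToken Help in the spec).
                bit_count = max(4, math.ceil(math.log2(difference)))
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):               # byte-wise so overlapping runs work
                    out.append(out[src + i])
    return bytes(out)


def find_markers(vba_source: bytes) -> list:
    """Return the Marker signature strings present in decompressed VBA text."""
    return [m.decode() for m in MARKER_STRINGS if m in vba_source]


def source_digest(vba_source: bytes) -> str:
    """SHA-256 of the module text, to show why a hash alone is a poor signature."""
    return hashlib.sha256(vba_source).hexdigest()


# Constructed sample: one compressed chunk whose plaintext is the marker
# comment line twice. The second copy is encoded as a copy token
# (offset 23, length 23) so both token types are exercised.
LINE = b"'<- this is a marker!\r\n"
SAMPLE_MODULE_STREAM = bytes([
    0x01,                # container signature
    0x1B, 0xB0,          # header 0xB01B: compressed, signature 011, size 30-3
    0x00, *LINE[0:8],    # flag byte 0x00: eight literal bytes
    0x00, *LINE[8:16],
    0x80, *LINE[16:23],  # bits 0-6 literals, bit 7 a copy token
    0x14, 0xB0,          # token 0xB014 with BitCount 5: length 20+3, offset 22+1
])

# Constructed stand-in for the per-infection log Marker appends to its body.
FAKE_LOG_LINE = b"' 03/06/1999 10:15:00 infected\r\n"

if __name__ == "__main__":
    source = decompress_vba(SAMPLE_MODULE_STREAM)
    print(source.decode())
    print("markers:", find_markers(source))
    logged = source + FAKE_LOG_LINE
    print("digest differs after log append:", source_digest(source) != source_digest(logged))
    print("marker still matches:", find_markers(logged))
```

To use this on a suspect .doc, extract the module stream (for example ThisDocument under the Macros\VBA storage of the OLE compound file) and pass the bytes starting at the module's source offset recorded in the project's dir stream to decompress_vba; locating and parsing those OLE structures is left out here, and tools such as oletools' olevba already do that step. The point the example makes is the one the page makes about the log: appending the log line changes the digest but not the marker match, so detection should key on the invariant string rather than on a hash of the module.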
Sources
Katrin Tocheva, Sami Rautiainen. F-Secure Antivirus, Marker.
Jennifer Hirons. Symantec, W97M.Marker.
SRN Microsystems. Solo Antivirus, W97M/Marker.