Threat behavior
Virus:W97M/Marker.T is a Microsoft Word macro virus that infects Word documents and templates. This virus attempts to disable macro content warnings from Microsoft Word.
Installation
When Virus:W97M/Marker.T is initially executed it turns off Microsoft Word's Virus Protection. The malware then runs every time the Document_Close function is called, that is, whenever a document is closed.
Virus:W97M/Marker.T checks that it is the first day of the month and that the following registry value is set before proceeding:
HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info\"LogFile" = "False"
Once this condition is satisfied it infects the Normal template and all active documents. The virus then runs every time an infected file is closed.
Infected documents contain the string "<- this is a marker!" in their VBA code; this string also serves as the virus's infection marker (hence the name).
Payload
A less noticeable part of the payload is that the virus appends details as comments at the end of its macro code. These details are taken from the system and from Microsoft Word's user settings, and correspond to the following fields:
Time - Date
User Name
User Address (Mailing Address)
The following are examples of comments appended to the VBA macro code of the virus:
' Logfile -->
' 09:08:36 - Saturday, 28 Nov 1998
' SPo0Ky
' Blue Planet
' 12:50:27 PM - Thursday, 7 Jan 1999
' Joe Blow
' Chicago Illinois
User data may also be stored in a text file named 'C:\hsf[4 random numbers].sys'; its contents are similar to the comments appended to the macro code (as above). Marker.T then writes FTP command instructions to a text file, 'C:\netldx.vxd', and may attempt to upload the captured user data to an external FTP address using ftp.exe with the commands in c:\netldx.vxd.
The virus is coded to connect to the remote IP address 209.201.88.110 and upload the data to the 'incoming' folder, using a specific logon account name and password.
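As an added example (not code from the original write-up), the following Python scanner checks VBA source that has already been extracted from a document for the indicators described above: the marker string, the Logfile comment block, the dropped file names and the FTP address. The two VBA fragments at the end are constructed for the test and contain only comments and string literals, not the virus code itself.

```python
import re
# Indicators drawn from the Marker.T description. The VBA source is assumed to
# have been extracted already (e.g. with olevba); parsing .doc files is out of scope.
INFECTION_MARKER = "<- this is a marker!"
INDICATORS = {
    "logfile_comment_block": re.compile(r"^\s*'\s*Logfile\s*-->", re.I | re.M),
    "document_close_handler": re.compile(r"^\s*(?:Private\s+)?Sub\s+Document_Close\b", re.I | re.M),
    # the 4 random digits are generated at run time, so only the prefix is in source
    "dropped_log_file": re.compile(r"c:\\hsf", re.I),
    "ftp_script_file": re.compile(r"c:\\netldx\.vxd", re.I),
    "ftp_upload_address": re.compile(r"\b209\.201\.88\.110\b"),
}

def scan_vba(vba_source):
    """Names of the Marker.T indicators present in extracted VBA source."""
    hits = ["infection_marker"] if INFECTION_MARKER in vba_source else []
    hits += [name for name, rx in INDICATORS.items() if rx.search(vba_source)]
    return hits

def classify(vba_source):
    """The marker string alone identifies the family; otherwise require two
    corroborating indicators, since a Document_Close handler by itself is legitimate."""
    hits = scan_vba(vba_source)
    corroborating = [h for h in hits if h != "document_close_handler"]
    if "infection_marker" in hits:
        return "Marker.T", hits
    if len(corroborating) >= 2:
        return "suspicious", hits
    return "clean", hits

# Constructed test fragments (not the real virus code): only comments and
# string literals carrying the indicators, plus a benign close handler.
SAMPLE_INFECTED = r"""
Private Sub Document_Close()
    '<- this is a marker!
    ftpScript = "c:\netldx.vxd"
    ftpHost = "209.201.88.110"
    logPrefix = "c:\hsf"
End Sub
' Logfile -->
' 09:08:36 - Saturday, 28 Nov 1998
' SPo0Ky
"""
SAMPLE_BENIGN = r"""
Private Sub Document_Close()
    ActiveDocument.Save
End Sub
"""
```

Running classify() over VBA text extracted from a suspect document returns the verdict together with the list of matched indicators, which can be logged for triage.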
Prevention