W97M/Marker.BN
Analysis
- Virus consists of one macro module within the class
storage
- Virus hooks Word event handlers, which prevents
the closing of infected documents
- Polymorphic by inserting unique user information
as comment lines at the beginning of the virus code
- Attempts to create 999,999,991 infected documents
in the Windows folder named AA1AA.doc, AA2AA.doc,
AA3AA.doc, AA4AA.doc and so on during the months of
July through December if the year is after 1999
- Virus searches the macro storage of host files
for the string "la macro de Colombia", which exists
in the virus body, as a means to determine if the
host file is already infected
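
Added triage example (not part of the original analysis and not vendor code): the per-user comment lines change a plain hash of the macro module, but the marker string and the dropped file names stay fixed, so a check can key on those. It assumes the macro source has already been extracted to text by a separate tool; the function names, the case-insensitive match and the sample modules are constructed for this illustration.

```python
import hashlib
import re

MARKER = "la macro de Colombia"   # infection marker string quoted in the analysis
DROP_NAME = re.compile(r"^AA([1-9]\d*)AA\.doc$", re.IGNORECASE)
MAX_DROPS = 999_999_991           # highest document count given in the analysis

def _is_comment_or_blank(line: str) -> bool:
    s = line.strip().lower()
    return not s or s.startswith("'") or s == "rem" or s.startswith("rem ")

def strip_leading_comments(source: str) -> str:
    """Remove the comment block at the top of the module (the per-user part)."""
    lines = source.splitlines()
    start = 0
    while start < len(lines) and _is_comment_or_blank(lines[start]):
        start += 1
    return "\n".join(line.rstrip() for line in lines[start:])

def has_marker(source: str) -> bool:
    # Case-insensitive comparison is a choice made for this example.
    return MARKER.lower() in source.lower()

def normalized_digest(source: str) -> str:
    """SHA-256 of the module with the leading comment block removed."""
    return hashlib.sha256(strip_leading_comments(source).encode("utf-8")).hexdigest()

def is_dropped_name(filename: str) -> bool:
    """True for AA<n>AA.doc with n in 1..MAX_DROPS (base name only)."""
    m = DROP_NAME.match(filename)
    return bool(m) and 1 <= int(m.group(1)) <= MAX_DROPS

def triage(source: str, filenames: list) -> dict:
    return {
        "marker_found": has_marker(source),
        "normalized_sha256": normalized_digest(source),
        "dropped_names": [f for f in filenames if is_dropped_name(f)],
    }

# Constructed placeholder modules: same body, different leading user comments.
BODY = 'Sub Placeholder()\n    tag = "la macro de Colombia"\nEnd Sub\n'
VARIANT_A = "' Alice Example\n' 1 Example Street\n" + BODY
VARIANT_B = "' Bob Sample\n' Sample Org\n' Room 2\n" + BODY
CLEAN = "' Notes\nSub Hello()\n    MsgBox \"hi\"\nEnd Sub\n"

if __name__ == "__main__":
    listing = ["AA1AA.doc", "aa27aa.DOC", "AA0AA.doc", "report.doc"]
    print(triage(VARIANT_A, listing))
    print(normalized_digest(VARIANT_A) == normalized_digest(VARIANT_B))
```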