W97M/Marker.C
Analysis
- Virus consists of one macro module within the class storage
- Virus hooks Word event handlers, which prevents the closing of infected documents
- Polymorphic by inserting unique user information as comment lines at the end of the virus code
- Virus searches the macro storage of host files for the string "<- this is a marker!", which exists in the virus body, as a means to determine whether the host file is already infected
- On the 1st day of the month, the virus checks for the registry entry HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info\LogFile = True. If the entry is not found, the virus attempts to do the following:
  - Creates a "log file" containing user-specific information as c:\hsf####.sys
  - Creates an FTP script file as c:\netlhd.vxd
  - Attempts to run a shell instance of FTP using the script file to send the log file to a specific FTP server; however, the server is no longer in service
  - Modifies the registry so that the virus will not attempt to FTP again
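As an added defender-side example (it is not part of this encyclopedia entry and not Fortinet's detection code), the Python below turns the indicators listed above into a small host-side check: it looks for the infection marker string in extracted VBA module text, reports the variable comment tail that the polymorphic routine appends so an analyst does not try to hash-match it, matches the two dropped-file names, and reads the LogFile = True registry value as evidence that the FTP payload has already run. It assumes the macro source has already been pulled out of the document by a macro-extraction tool, that the four `#` characters in the log-file name stand for digits, and that the module text, file list and registry snapshot are constructed sample input rather than a real capture.

```python
import re

# Infection marker the virus searches for in host macro storage (from the analysis above).
MARKER = "<- this is a marker!"

# Registry location the virus consults on the 1st of the month (from the analysis above).
REGISTRY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info"
REGISTRY_VALUE = "LogFile"

# Files the payload drops. The page writes the log file as c:\hsf####.sys;
# treating "####" as four digits is an assumption made here.
DROPPED_FILE_PATTERNS = {
    "log_file": re.compile(r"^c:\\hsf\d{4}\.sys$", re.IGNORECASE),
    "ftp_script": re.compile(r"^c:\\netlhd\.vxd$", re.IGNORECASE),
}


def module_is_marked(vba_source: str) -> bool:
    """True if a VBA module carries the infection marker string."""
    return MARKER in vba_source


def trailing_comment_lines(vba_source: str) -> list:
    """Return the run of comment lines at the end of a module.

    Marker.C appends per-victim user information as comment lines, so this
    tail differs between infections; it is reported for context, not matched on.
    """
    lines = [ln.rstrip() for ln in vba_source.splitlines() if ln.strip()]
    tail = []
    for ln in reversed(lines):
        if ln.lstrip().startswith("'"):
            tail.append(ln)
        else:
            break
    return list(reversed(tail))


def payload_already_ran(registry: dict) -> bool:
    """True if LogFile=True is present: the virus sets it after its FTP attempt."""
    return registry.get(REGISTRY_KEY, {}).get(REGISTRY_VALUE) == "True"


def find_dropped_files(paths: list) -> dict:
    """Map each dropped-file role to the paths that match its pattern."""
    hits = {role: [] for role in DROPPED_FILE_PATTERNS}
    for p in paths:
        for role, pat in DROPPED_FILE_PATTERNS.items():
            if pat.match(p):
                hits[role].append(p)
    return hits


def assess(vba_modules: dict, paths: list, registry: dict) -> dict:
    """Combine the three indicator classes into one verdict dict."""
    marked = [name for name, src in vba_modules.items() if module_is_marked(src)]
    return {
        "infected_modules": marked,
        "variable_tails": {m: trailing_comment_lines(vba_modules[m]) for m in marked},
        "dropped_files": find_dropped_files(paths),
        "payload_ran": payload_already_ran(registry),
        "infected": bool(marked),
    }


# Constructed sample input (not a real capture): one benign module and one
# that contains only the marker string plus a made-up comment tail.
SAMPLE_MODULES = {
    "Module1": "Sub AutoOpen()\n    MsgBox \"hello\"\nEnd Sub\n",
    "ThisDocument": (
        "Sub Document_Close()\n"
        "    ' <- this is a marker!\n"
        "End Sub\n"
        "' user: example user\n"
        "' org: example org\n"
    ),
}
SAMPLE_PATHS = [r"c:\hsf0417.sys", r"c:\netlhd.vxd", r"c:\windows\win.ini"]
SAMPLE_REGISTRY = {REGISTRY_KEY: {REGISTRY_VALUE: "True"}}

if __name__ == "__main__":
    for key, value in assess(SAMPLE_MODULES, SAMPLE_PATHS, SAMPLE_REGISTRY).items():
        print(f"{key}: {value}")
```

Matching on the marker string rather than on a hash of the module is the point of the check: the marker is what the virus itself uses to recognise an infected host, so it is stable across samples, while the appended comment lines change with every victim.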
Telemetry
Detection Availability

Product | Detection Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |