VirusW97M/Marker.C
Analysis
- Virus consists of one macro module within the class
storage
- Virus hooks Word event handlers which prevents
the closing of infected documents
- Polymorphic by inserting unique user information
as comment lines at end of virus code
- Virus searches the macro storage of host files
for the string
"<- this is a marker!"
which exists in the virus body, as a means to determine if the host file is already infected
- On 1st day of the month, virus checks for a registry
entry
HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\
User Info\LogFile = True-if the entry is not found, virus attempts to do the following:
- Creates a "log file" containing user
specific information as c:\hsf####.sys
- Creates an FTP script file as c:\netlhd.vxd
- Attempts to run a shell instance of FTP using
the script file to send the log file to a specific
FTP server however the server is no longer in
service
- Modifies the registry such that the virus will not attempt to FTP again
- Creates a "log file" containing user
specific information as c:\hsf####.sys
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extreme | |
| FortiClient | |
| Extended | |
| FortiMail | |
| Extended | |
| FortiSandbox | |
| Extended | |
| FortiWeb | |
| Extended | |
| Web Application Firewall | |
| Extended | |
| FortiIsolator | |
| Extended | |
| FortiDeceptor | |
| Extended | |
| FortiEDR |