W97M/Marker.FQ
Analysis
This macro virus for MS Word documents infects files when opening or closing an infected document. Once an infected document is opened and closed, it could infect the global template. This virus affects Word environments that do not have high security enabled.
This virus hooks the Word event handlers for opening or closing documents. The virus exists in the first available code module, normally reserved for Class modules. In this variant, the Class module is identified by the name "ThisDocument".
Payload
On the 1st of any month, when an infected document is opened, a series of message boxes may be displayed with text in a non-English language such as Korean.
- The virus will display a message box with choices A B C or D. If the user picks choice B, a simple message box is displayed and the infection routine runs.
- Otherwise, a new message box with more choices of A B C or D is displayed. If the user picks choice C, another simple message box is displayed and the infection routine runs.
- Otherwise, a new message box is displayed, the document is saved as "c:\lzc.vxd", and the document is then saved and closed without warning.
Miscellaneous
The virus determines whether the first code module is already infected by checking for the presence of a "marker" comment line containing specific text. If the comment line text is not present, the virus assumes the target is not infected. The virus checks for this text, shown here as its raw bytes rendered in Latin-1 (the bytes are GBK-encoded Chinese and decode to "长安公司汽研所 常识课"):
"³¤°²¹«Ë¾ÆûÑÐËù ³£Ê¶¿Î"
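As an added example that is not part of the Fortinet entry, the following Python script scans VBA module source that has already been extracted from a Word file (the extraction step, e.g. with a tool such as olevba, is assumed) for the static indicators described above: the marker string, the Document_Open/Document_Close event hooks, and access to the VBA project that a self-replicating macro needs. The two sample modules are constructed inline and contain only the indicator lines, no infection logic.

```python
# Added example (not from the Fortinet entry): scan extracted VBA source for the
# static indicators of W97M/Marker.FQ. Assumes the module text has already been
# dumped from the document; no Word or COM access is needed.
import re

# The entry shows the marker as Latin-1 mojibake; the underlying bytes are GBK.
MARKER_MOJIBAKE = "³¤°²¹«Ë¾ÆûÑÐËù ³£Ê¶¿Î"
MARKER_BYTES = MARKER_MOJIBAKE.encode("latin-1")  # raw bytes as they sit in the module
MARKER_DECODED = MARKER_BYTES.decode("gbk")       # Chinese text: "长安公司汽研所 常识课"

# Document event handlers the virus hooks (entry: "opening or closing documents").
EVENT_HOOKS = re.compile(r"^\s*(?:Private\s+)?Sub\s+Document_(Open|Close)\b", re.I | re.M)
# Object-model names that indicate code manipulating the VBA project itself.
VBPROJECT_ACCESS = re.compile(r"\bVBProject\b|\bVBComponents\b|\bCodeModule\b", re.I)


def scan_vba_module(module: bytes) -> dict:
    """Return the static indicators found in one extracted VBA module (raw bytes)."""
    text = module.decode("latin-1")  # byte-transparent decode so the regexes apply
    hooks = sorted({m.group(1).lower() for m in EVENT_HOOKS.finditer(text)})
    return {
        "marker_present": MARKER_BYTES in module,
        "event_hooks": hooks,
        "touches_vbproject": bool(VBPROJECT_ACCESS.search(text)),
    }


def looks_like_marker_fq(findings: dict) -> bool:
    """The marker together with both Open and Close hooks is the strong signal."""
    return findings["marker_present"] and findings["event_hooks"] == ["close", "open"]


# Constructed sample: a ThisDocument module with only the indicator lines.
# The marker line is stored as GBK bytes, as it would be in a real module.
SAMPLE_INFECTED = (
    b"' " + MARKER_BYTES + b"\r\n"
    b"Private Sub Document_Open()\r\n"
    b"    ' body omitted in this constructed sample\r\n"
    b"End Sub\r\n"
    b"Private Sub Document_Close()\r\n"
    b"    Set m = ActiveDocument.VBProject.VBComponents(1).CodeModule\r\n"
    b"End Sub\r\n"
)

# Constructed sample: a benign module with a single Open handler and no marker.
SAMPLE_CLEAN = (
    b"Private Sub Document_Open()\r\n"
    b"    MsgBox \"Welcome\"\r\n"
    b"End Sub\r\n"
)

if __name__ == "__main__":
    for name, mod in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        f = scan_vba_module(mod)
        verdict = "W97M/Marker.FQ-like" if looks_like_marker_fq(f) else "no match"
        print(f"{name}: {f} -> {verdict}")
```

Matching on the raw GBK bytes rather than on a decoded string avoids false negatives when the extraction tool guesses the wrong code page; the mojibake form printed by the Fortinet entry is exactly what a Latin-1 rendering of those bytes looks like.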
Recommended Action
FortiGate systems:
- Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option.
Telemetry
Detection Availability
Product | Signature database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |