Classification

Category :

Malware

Type :

Virus

Platform :

W97M

Aliases :

Marker, Spooky, HSFX

Summary

W97M/Marker (also known as HSFX) is a polymorphic Word 97 macro virus. Some variants collect user information from Word and use FTP to send it over the Internet.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant:Marker.A

W97M/Marker.A is polymorphic. The polymorphism consists of adding a log at the end of the virus body for every infected user. This log contains the system time and date, and the user's name and address.

The virus contains an infection marker at the beginning of its code:

<- this is a marker!

W97M/Marker.A saves its code in a file called c:\netldv.vxd. To infect documents the virus exports its code from the global template to this file, and afterwards deletes the file so the user can't find it.

Variant:Marker.C

This version creates two files:

C:\HSF****.SYS (where **** are random characters)

and

C:\NETLDX.VXD

The first file is used to store the virus code and to add the log information. In this variant the log part starts with:

Logfile -->

The second file contains the actual code of the virus.

It tries to upload the log file to a virus exchange FTP site, codebreakers.org. This behaviour is similar to that of W97M/Caligula.

This happens on the 1st of every month.

Variant:Marker.D

This variant is also known as "HSFX" because the temporary file it creates is called "C:\HSFX****.SYS". Otherwise it is similar to Marker.C.

This variant contains this text:

<- this is another marker!

Variant:Marker.O

When an infected document is closed, W97M/Marker.O will infect the global template and every closed document thereafter.

It contains a payload that is activated every day from July 23rd to July 25th. At this time the virus shows a dialog with the following text:

Did You Whish Shankar on his Birthday ?

If the message appears when the infected document is opened, no further action is taken regardless of which button, "Yes" or "No", is selected.

However, if the message appears when an infected document is closed and the user selects the "Yes" button, the following message is shown:

Thank You! I Love You. You are wonderfull.

If the "No" button is selected, then the following message appears:

You are Heart Less.You Will Be Punished For This

Additionally, every document created during the time period mentioned above will contain the following text in big, green letters:

Happy
BirthDay
Shankar

When this virus infects documents or templates, it also alters the document summary information:

Title: Are You suprised ?
Subject: Birthday
Author: LSK
Category: You Are Infected
Keywords: Birthday
Comments: Shankar's Birthday falls on 25th July.
Don't Forget to wish him.

Variant:Marker.Q

This variant is a mixture of two viruses: the replicating mechanism is from Marker.C and the payload is from Ethan.A. Unlike Marker.C, this variant is not polymorphic.

Variant:Marker.W

This variant is functionally identical with W97M/Marker.C.

Variant:Marker.X

W97M/Marker.X uses a similar polymorphism to W97M/Class.D and contains a destructive payload which is activated on February 22nd, when the virus deletes all files from the root of the "C:" drive and shows a message box with the following header:

It's Murder

and the text:

That's Right

The virus also hooks the "Tools/Macros/Macro" and "Tools/Macros/Visual Basic Editor" menus, replacing them with a message box with the text:

Error - Not enough memory!

Variant:Marker.Z

W97M/Marker.Z is a modified variant of W97M/Marker.A.

The infection marker has been changed to:

<- You didn't count on that, Jaba the Hutt!

Also the name of the file that the virus creates has been changed to "c:\zbf****.sys" where the asterisk ("*") is replaced with a random character.

Variant:Marker.AE

W97M/Marker.AE is functionally identical with W97M/Marker.O.

Variant:Marker.AL

This variant is similar to W97M/Marker.O.

Variant:Marker.AN

W97M/Marker.AN is a slightly modified variant of W97M/Marker.W.

Variant:Marker.AQ

W97M/Marker.AQ uses the same kind of polymorphism as W97M/Marker.A. However, this variant uses a different infection marker at the beginning of the virus code:

WebMaster

This virus also contains two destructive payloads. On the 15th day of each even month, the virus deletes the entire contents of the active document; and on the 13th day of each month, it changes the font of the active document to "Webdings".

This variant infects when a document is opened or closed. It does not create any temporary files.

Variant:Marker.AR

W97M/Marker.AR is a slightly modified variant of W97M/Marker.W.

Variant:Marker.BN

This variant activates its payload after June 2000. It then changes the file open directory to "C:\Windows\" and saves the active document as "AAiAA.DOC", where "i" is a number from 1 to 999999991. As its polymorphism it adds a log at the top of its code that contains the user's name, initials and address.

Variant:Marker.BO

W97M/Marker.BO contains a destructive payload.

When an infected document is opened or closed, the virus first deletes all documents and templates from Word's startup directory.

Next it alters Word's user information as follows:

User name: JonMMx 2000
User initials: MeMeX
Address: JonMMx2000@yahoo.com

Later the virus uses this data to create a log at the end of its code. As a result of this sequence, the log that is supposed to collect information about all infected users contains almost the same data for each of them (except the day and time).

If the day of the week is Sunday, W97M/Marker.BO drops a file "Jon.html" into the Windows directory and modifies the system registry in such a way that this file is used as the wallpaper. This wallpaper contains the following dark red text on a yellow background:

a Poet For My Dear Love
Dear Iin

To the very best that happen in mylife

Long ago and in my mind, I can see your face lonely and lost in time

You were gone since yester month But the memories, never would dissapear

I think of you, I THINK OF YOU.

Yes it's true I can pretend. But the paint of blue, keep beat me till the end.

Yes it's hard to understand. Why you leaving me and all we dreaming on

Dear Iin, I close my eyes and see your face.
That's all I have to do to be with you.

Dear Iin, altough I can not touch your face.
I know what I can do to be with you

Long ago so faraway. But the light of blue, still living with me today.

You were gone since yester month.
But the memories never would dissapear.

Speed Hari

Variant:Marker.DD

W97M/Marker.DD is a modification of W97M/Marker.BO. This variant does not delete files from the Word startup directory and the user information that it uses is different:

UserName: fs080298
UserInitials: FS2000
UserAddress: fs080298@hotmail.com

The desktop wallpaper is always replaced with an HTML page that has the following content:

Have a Nice Day ! - Don't Forget to Save Your Data...
Email Me !

This html page is located at "c:\windows\system\EmailMe.html".

Variant:Marker.GR

W97M/Marker.GR infects the global template when an infected document is opened. It is not polymorphic. However, when it infects, it creates a text file in the current directory with the following content:

Railways is an integral part of CMC LTD. JAI CMC

The file name consists of the characters "CMC", a random number and the extension ".txt", for example "CMC2324.txt".

The virus also contains the following comment:

Virus Created By An Indian Citizen

Variant:Marker.GT

W97M/Marker.GT is a variant similar to W97M/Marker.BO. It contains the same destructive payload, but the user information is modified to:

User name: VingEMW
User initials: VE

This variant does not drop or show a HTML file.
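The infection markers, log prefix and dropped-file names quoted in the variant descriptions above are the artefacts a responder can look for. The following triage helper is an added example written for this page (not F-Secure's detection code); it assumes the VBA source has already been extracted from the document, and the sample macro text and file listing it runs on are constructed.

```python
import re

# Infection markers quoted on this page. "head" markers sit at the start of the
# virus code, so only the first few lines of macro source are checked for them.
MARKER_STRINGS = [
    ("Marker.A", "<- this is a marker!", "head"),
    ("Marker.D", "<- this is another marker!", "head"),
    ("Marker.Z", "<- You didn't count on that, Jaba the Hutt!", "head"),
    ("Marker.AQ", "WebMaster", "head"),
    ("Marker.GR", "Virus Created By An Indian Citizen", "any"),
    ("Marker.C/D log", "Logfile -->", "any"),
]
HEAD_LINES = 5  # assumption: how many leading lines count as "the beginning"

# Dropped-file names from the variant descriptions; "****" = 4 random characters.
DROPPED_FILES = [
    ("Marker.A", re.compile(r"^c:\\netldv\.vxd$", re.I)),
    ("Marker.C", re.compile(r"^c:\\(hsf.{4}\.sys|netldx\.vxd)$", re.I)),
    ("Marker.D", re.compile(r"^c:\\hsfx.{4}\.sys$", re.I)),
    ("Marker.Z", re.compile(r"^c:\\zbf.{4}\.sys$", re.I)),
    ("Marker.GR", re.compile(r"(^|\\)cmc\d+\.txt$", re.I)),
]


def scan_macro_source(vba_source):
    """Return sorted variant labels whose marker text appears in the VBA source."""
    lines = vba_source.splitlines()
    head = "\n".join(lines[:HEAD_LINES])
    hits = set()
    for label, text, where in MARKER_STRINGS:
        haystack = head if where == "head" else vba_source
        if text in haystack:
            hits.add(label)
    return sorted(hits)


def scan_paths(paths):
    """Return {path: variant} for paths that look like Marker drop files."""
    found = {}
    for p in paths:
        for label, pat in DROPPED_FILES:
            if pat.search(p):
                found[p] = label
                break
    return found


# Constructed sample input (not a real sample): a macro head and a file listing.
SAMPLE_VBA = "'<- this is a marker!\nSub AutoClose()\n  ' ...\nEnd Sub\nLogfile -->\n"
SAMPLE_PATHS = [r"C:\NETLDV.VXD", r"C:\HSFX1a2b.SYS", r"C:\AUTOEXEC.BAT", r"D:\work\CMC2324.txt"]

if __name__ == "__main__":
    print(scan_macro_source(SAMPLE_VBA))  # ['Marker.A', 'Marker.C/D log']
    print(scan_paths(SAMPLE_PATHS))
```

Note that Marker.A and Marker.C delete their drop files after use, so the file checks are most useful against a live system during infection or a disk image with deleted-file recovery; the macro markers are the more reliable signal.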