For the Beginner
Understanding Computer Viruses
In its simplest form, a computer virus is a small program written to annoy a user or to destroy or alter computer data, operating without the consent or knowledge of the user. It spreads by attaching a copy of itself to some part of a program file, such as a game or a business application. Viruses can also attack boot records and master boot records, which contain the information a computer uses to start up. Macro viruses attack such files as word processing documents or spreadsheets.
There are three virus terms you may encounter in reading about viruses: worm, Trojan horse, and logic bombs.
A worm is a program that:
A Trojan horse is a computer program that carries a virus or a worm. It may be a free game program, a low cost version of a popular program, or even a new disk from a manufacturer.
A logic bomb is a small program attached to a virus, a worm, or a Trojan horse that determines when the destruction will begin. It may go off on a certain date, when a certain log-on procedure occurs, when some other event takes place inside your computer, or at any other time set by the programmer of the virus. Computer viruses can enter your system through BBS or Internet downloads, through networks, through shared hard drives, and through any disk you load into your system. Some viral infections have even come from original factory software.
How do you know if you have a virus in your computer? Symptoms of a virus include:
If you suspect a virus, don't panic. There are anti-virus programs available to detect and destroy most viruses and keep your system safe. The best we have found for the price is Expert Software's Expert Anti-Virus, which sells for $14.99 and includes unlimited free updates via the Internet. To test this product, we deliberately infected a computer with a virus to see how this program would operate. We then installed the software, which immediately indicated on the screen that we needed to download (free) updates from the Internet site indicated. As soon as the 15-minute update was completed, we ran the program manually. It did indeed find the infected file we intentionally contaminated our computer with, along with five others we didn't know about! All six files had the same virus, W97M/Marker.gen. Below this article we have included full information about the W97M/Marker.gen virus, just in case you happen to be an advanced user reading this beginner's article. Click here to see our review of Expert Anti-Virus.
The best possible protection against viruses is to back up your critical files so you can reload them if they are destroyed. We wish you a safe computing experience.
Till next month . . .
Happy Computing!
Virus Profile for the virus named W97M/Marker.Gen
The W97M/Marker family hooks system events Document_Open and Document_Close to run the infection routine - this is common among all variants.
W97M/Marker.d (and several other variants) have an empty Document_New routine.
W97M/Marker.n modifies the document properties in 30% of infections, in the same way as W97M/Ethan.a.
W97M/Marker.o,.p,.x have a payload activation date of Feb 22 (see description in VIL).
W97M/Marker.o gives the message "Happy Birthday Shankar".
W97M/Marker.s beeps 1000 times when opening documents.
W97M/Marker.t password protects documents with the password of 'teste'.
W97M/Marker.ab writes a new file every time an infected document is opened by the name "india"#.txt with the text "Kashmir is an integral part of INDIA. JAI HIND."
W97M/Marker.ac uses system events AUTOOPEN, AUTOCLOSE to run FNord macro.
W97M/Marker.af gives the message "Happy Birthday Akhmed Khan".
W97M/Marker.ai gives the message "Happy Birthday Shankar" and also contains a reference to the same Autoopen macro as Beast.41472, which activates an embedded object 5 minutes after the infected document is opened; however, the embedded object does not exist.
Indications Of Infection
Macro warning when opening infected documents on non-infected system.
Method Of Infection
Opening infected documents will directly infect the local Word environment and any document used thereafter.
Use specified engine and DAT files for detection and removal.
Discovery Date: 7/1/99
Infection Length: one VBA5 module
Area of Infection: Microsoft Word 97 documents
Region Reported: US, Canada
Characteristics: Macro, Wild
W97M.Marker is a common macro virus with a unique payload.
Similar to W97M.Class, it adds its viral code to the "ThisDocument" VBA5 module, which is present by default in every Word 97 document and template. It also uses a randomly named temporary text file while infecting. The random name is "HSFxxxx.SYS", where xxxx is a randomly generated number.
This macro virus keeps a log of the date/time of the infection and of user information. The user information is taken from the user information registered in Word 97 (note: the user name and address can be viewed using the [Tools]-[Options]-[User Information] menu). When the payload in this virus activates on the 1st of the month, it uploads this information to an FTP site. Please note that it uploads the information only once. Whether the upload has already taken place is recorded by the following registry value:
"HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info" as "LogFile" value.
"HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info" is a common registry entry created by many Microsoft Program setup routines. The virus simply adds a new value into this registry entry: "LogFile". The value is TRUE if the virus has successfully uploaded the user information (name and address) to the FTP site. Once the value is TRUE, the virus does not attempt another upload of the user information.
This macro virus uses a temporary text file c:\netldx.vxd while executing its payload routine and "HSFxxxx.SYS" while executing its infection routine. You can delete these text files although they present no harm.
The additional Windows Registry value presents no harm. In fact, if it is already set to TRUE, it will prevent the uploading of the user information (name and address). If you'd like, you can easily remove this registry value using the Windows REGEDIT utility.
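As an added example (not code from the article or from any vendor's signature data), the following Python triage helper checks a file listing and a .reg export for the artefacts the profile above names: the HSFxxxx.SYS and c:\netldx.vxd temporary files, the india#.txt drop of W97M/Marker.ab (assumed here to use a numeric counter), and the LogFile value under the MS Setup (ACME)\User Info key. The sample paths and registry export are constructed for the demonstration.

```python
import re

# File artefacts named in the W97M/Marker profile (constructed matcher table,
# not vendor signature data). The india#.txt counter is assumed to be numeric.
FILE_PATTERNS = {
    "marker_infection_tempfile": re.compile(r"(^|[\\/])HSF\d{4}\.SYS$", re.I),
    "marker_payload_tempfile":   re.compile(r"^c:[\\/]netldx\.vxd$", re.I),
    "marker_ab_dropped_text":    re.compile(r"(^|[\\/])india\d*\.txt$", re.I),
}
# Registry value the virus sets once the user information has been uploaded.
REG_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info"
REG_VALUE = "LogFile"

def scan_paths(paths):
    """Return {path: indicator_name} for every path matching a Marker artefact."""
    hits = {}
    for p in paths:
        for name, rx in FILE_PATTERNS.items():
            if rx.search(p):
                hits[p] = name
    return hits

def parse_reg_export(text):
    """Minimal parser for a REGEDIT export: returns {key: {value_name: data}}."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            result[current][name.strip('"')] = data.strip().strip('"')
    return result

def marker_upload_flag(reg):
    """Return the LogFile data under the ACME User Info key, or None if absent."""
    return reg.get(REG_KEY, {}).get(REG_VALUE)

# Constructed sample data so the script runs stand-alone.
SAMPLE_PATHS = [
    r"C:\WINDOWS\TEMP\HSF1234.SYS",
    r"c:\netldx.vxd",
    r"C:\My Documents\india7.txt",
    r"C:\My Documents\report.doc",
]
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\MS Setup (ACME)\\User Info]
"DefName"="Jane Example"
"LogFile"="TRUE"
"""

if __name__ == "__main__":
    for path, indicator in scan_paths(SAMPLE_PATHS).items():
        print(f"{indicator}: {path}")
    print("LogFile marker:", marker_upload_flag(parse_reg_export(SAMPLE_REG)))
```

A LogFile value of TRUE means the upload described above has already happened, so the registry hit is evidence of a past infection rather than a sign that removal failed.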
Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following webpage: