Virus Database

Macro.Word97.Marker-based

Description Macro.Word97.Marker-based

This is a family of Word 97 macro-viruses. They infect the macros area (Normal template) globally upon opening an infected document. Other documents are infected upon closing. Some virus versions also infect documents upon their opening. While infecting, the viruses append their code to the existing macro-code, if there is any macro. In the case that there are no macro(s), the viruses just copy their code to the document or the template.
They were named for the text comments in their bodies, and this comment is used by the virus to locate the top of the code in an infected file. There are several variants of this text, depending on the virus version:
<- this is a marker!
<- this is another marker!
The viruses of this family run a log of infected computers: each time while infecting a new computer, the viruses add their code text comments with the date of infection and user address (as it is stored in Windows).
The viruses of this family indicate themselves in different manners. "Marker.a" in July starting from 23rd displays the messages:
Did You Wish Shankar on his Birthday ?
Thank You! I Love You. You are wonderfull.
You are Heart Less. You Will Be Punished For This
"Marker.c" and some other variants connect to a ftp site and send their log files there.
Marker.ay
When MS Word opens a document, the infection procedure checks and infects this document. It removes all macros from the document and copies viruse from the global macros area.
This virus also unloads all loaded templates and add-ins and deletes all files in the Word startup directory. It also changes the Word user's information:
UserName = "JonMMx 2000"
UserInitials = "MeMeX"
UserAddress = "JonMMx2000@yahoo.com"
Upon the first infection of a computer and also on 1st of any month, the virus creates, in the Windows system, a directory file "Jon.html" and sets this file as desktop wallpaper. The file contains the text:
a Poet For My Dear Love

Dear Iin

To the very best that happen in mylife
Long ago and in my mind, I can see your face lonely and lost in time
You were gone since yester month But the memories, never would dissapear
I think of you, I THINK OF YOU.
Yes it's true I can pretend. But the paint of blue, keep beat me till the end.
Yes it's hard to understand. Why you leaving me and all we dreaming on
Dear Iin, I close my eyes and see your face. That's all I have to do to be with you.
Dear Iin, altough I can not touch your face. I know what I can do to be with you
Long ago so faraway. But the light of blue, still living with me today.
You were gone since yester month. But the memories never would dissapear.
Speed Hari

Check other viruses! Be aware! Use Antiviral Software

LoveChild.2710

Description LoveChild.2710

This is a very dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files.
It is a stealth virus. It hooks INT 13h, 21h and writes itself to the end of COM files. It works on DOS 3.30 only because it inserts itself into the DOS data area. In cause of the another DOS the virus displays the message in Russian and erases the MBR. From the midnight till 4 o'clock it prints the screen. Sometimes it displays the long message in Russian and then erases the disk sectors.

LoveChild.488

Description LoveChild.488

This is a very dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files.
It copies itself into Interrupt Vectors Table at the address 0000:01E0, and then infects COM files that are loaded into memory, opened or created. While infecting the virus writes four bytes of Jmp-Virus commands to the file (STI; JMP Loc_Virus).
If DOS 3.30 is installed on the computer, the virus takes masking actions - the virus "knows" the INT 21h handler address and the address at which the original value of the INT 13h is stored. Using this, the virus modifies the memory occupied by the operating system in such a way, that it handles the 21h interrupt call immediately before DOS (the JMP FAR Loc_Virus - jump to the virus, is written instead of the first 5 bytes of the interrupt 21h handler). Int 13h is treated by the virus by simple way - the original value of interrupt is restored.
The virus has destructive functions: depending on the timer it might delete files or create instead of a file a subdirectory with the same name. The virus periodically modifies EXE files in such a way, that their execution causes erasing the hard disk sectors (part of the information located in the sectors corresponding to the write/read heads 0-3).
This virus contains the texts:
v2 (c) Flu Systems (R)
LoveChild in reward for software sealing

Home