Mark.W0rm.exe virus
Updated: 09 Feb 2011 | 4 comments
We're currently seeing a lot of Mark.W0rm.exe files appearing in our network. At the moment, the only available information is that it is a "test" virus that copies itself to common Windows folders.
Removal is quite simple:
End the Mark.W0rm.exe task in Task Manager if it is present, then delete the copies of the file from the following locations:
C:\Documents and Settings\[user]\Local Settings\
C:\Documents and Settings\[user]\My Documents\My Music\My Music.exe
C:\Documents and Settings\[user]\My Documents\My Documents.exe
C:\Documents and Settings\[user]\My Documents\My Pictures\My Pictures.exe
C:\Windows\MarkWorm.exe
Note: It may also copy itself to shared folders, so you might want to check those too.
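The removal steps above can be scripted as a sweep. This is an added example, not part of the original post: it reports by default, and the `-Remove` switch, the parameter names and the SHA-256 column are choices made for this example. The post does not name the file dropped in Local Settings, so any .exe sitting directly in that folder is only flagged for review (an assumption) and is never deleted.

```powershell
# Added example: sweep for the drop locations listed in the post (report-only by default).
param(
    [string]$ProfilesRoot = 'C:\Documents and Settings',
    [string]$WindowsDir   = 'C:\Windows',
    [switch]$Remove       # hypothetical switch: stop the process, delete the listed files
)

# Per-profile file paths exactly as listed in the post.
$perUser = @(
    'My Documents\My Music\My Music.exe',
    'My Documents\My Documents.exe',
    'My Documents\My Pictures\My Pictures.exe'
)

function Get-Sha256 ([string]$Path) {
    # .NET hashing, so this also works where Get-FileHash is unavailable.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Close() }
}

$hits = @(); $review = @()
$profiles = @(Get-ChildItem -LiteralPath $ProfilesRoot -Force -ErrorAction SilentlyContinue |
              Where-Object { $_.PSIsContainer })
foreach ($userDir in $profiles) {
    foreach ($rel in $perUser) {
        $p = Join-Path $userDir.FullName $rel
        if (Test-Path -LiteralPath $p -PathType Leaf) { $hits += $p }
    }
    # Assumption: the post gives only the folder here, so flag .exe files for review.
    $ls = Join-Path $userDir.FullName 'Local Settings'
    $review += @(Get-ChildItem -LiteralPath $ls -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.PSIsContainer } | ForEach-Object { $_.FullName })
}
$winCopy = Join-Path $WindowsDir 'MarkWorm.exe'
if (Test-Path -LiteralPath $winCopy -PathType Leaf) { $hits += $winCopy }

# Task Manager shows Mark.W0rm.exe; Get-Process takes the name without the extension.
$procs = @(Get-Process -Name 'Mark.W0rm' -ErrorAction SilentlyContinue)
if ($Remove) { $procs | Stop-Process -Force }

foreach ($p in $hits) {
    # Hash before deleting so the finding can still be matched on other machines.
    New-Object PSObject -Property @{ Path = $p; SHA256 = (Get-Sha256 $p); Listed = $true }
    if ($Remove) { Remove-Item -LiteralPath $p -Force }
}
foreach ($p in $review) {
    New-Object PSObject -Property @{ Path = $p; SHA256 = (Get-Sha256 $p); Listed = $false }
}
Write-Host "Mark.W0rm processes: $($procs.Count); listed files: $($hits.Count); to review: $($review.Count)"
```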
Comments
Thanks for the info Ramon...
Doesn't the virus re-replicate once deleted?
If not then case is solved...
Nice to hear from you again Bro...
Cheers...
Nel Ramos
I just found the one responsible for this malware
Although it's not harmful at the moment. What's weird is that this guy is boasting about it.
http://markw0rm.110mb.com/
http://haktech.blogspot.com/
Isn't this type of activity a sort of cybercrime?
“Your most unhappy customers are your greatest source of learning.”
Hi, did you run any free online scanners? One you can run is from Trend Micro called HouseCall; the link is below. See if that cleans up the mess.
Good luck.
http://housecall.trendmicro.com/
@sbertram: Hi, we cannot run non-Symantec products with me being a Symantec onsite engineer for a reseller. :D
I'm also having problems getting the cooperation of the other outsource team and employees to get a sample. I'm not putting them down or anything. It's just that deleting the file (to them) is easier and copying the said file to another location or storage would pose a serious risk to the company I'm servicing.
I've remediated the problem by adding the file to the Application and Device Control Policy and set it to block the process.
“Your most unhappy customers are your greatest source of learning.”