Security Community Blog

Mark.W0rm.exe virus

Created: 21 Jan 2010 • Updated: 09 Feb 2011 • 4 comments
mon_raralio

We're currently seeing a lot of Mark.W0rm.exe files appearing in our network. At the moment, the only available information is that it is a "test" virus that copies itself to common Windows folders.
Removal is quite simple:

End the task Mark.W0rm.exe in task manager if present and delete the file copied into the following directories:

C:\Documents and Settings\[user]\Local Settings\
C:\Documents and Settings\[user]\My Documents\My Music\My Music.exe
C:\Documents and Settings\[user]\My Documents\My Documents.exe
C:\Documents and Settings\[user]\My Documents\My Pictures\My Pictures.exe

Note: It may also copy itself on shared folders so you might want to check for that too.
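The check described in the post, written as a read-only sweep (an added example, not code from the original post). It generalizes the listed paths to any `.exe` named after the folder it sits in, plus the `Mark.W0rm.exe` file name; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

WORM_NAME = "mark.w0rm.exe"  # file name reported in the post, compared case-insensitively


def find_suspects(roots):
    """Return sorted (path, reason) pairs; nothing is deleted or modified."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            folder = os.path.basename(os.path.normpath(dirpath)).lower()
            for name in files:
                lower = name.lower()
                full = os.path.join(dirpath, name)
                if lower == WORM_NAME:
                    hits.append((full, "worm file name"))
                elif lower == folder + ".exe":
                    # e.g. "My Music\My Music.exe": a copy posing as the folder itself
                    hits.append((full, "exe named after its folder"))
    return sorted(hits)


def build_sample_tree(base):
    """Create a constructed sample tree (not real data) so the sweep runs offline."""
    docs = os.path.join(base, "alice", "My Documents")
    sample_files = [
        os.path.join(docs, "My Documents.exe"),            # should be flagged
        os.path.join(docs, "My Music", "My Music.exe"),    # should be flagged
        os.path.join(docs, "My Pictures", "holiday.jpg"),  # benign
        os.path.join(docs, "setup.exe"),                   # benign: name differs from folder
        os.path.join(base, "share", "Mark.W0rm.exe"),      # copy on a shared folder
    ]
    for path in sample_files:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, reason in find_suspects([build_sample_tree(tmp)]):
            print(f"{reason}: {path}")
```

To use it on a real host, pass the profile root and any shared-folder paths to `find_suspects` and review the hits before removing anything.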

4 Comments

Nel Ramos

Thanks for the info Ramon...
Doesn't the virus re-replicate once deleted?
If not then case is solved...

Nice to hear from you again Bro...

Nel Ramos

mon_raralio

Although it's not harmful at the moment, what's weird is that this guy is boasting about it.

Isn't this type of activity a sort of cybercrime?

“Your most unhappy customers are your greatest source of learning.”

sbertram

Hi, did you run any free online scanners? One you can run is from Trend Micro, called HouseCall; link is below. See if that cleans up the mess.
Good luck.

mon_raralio

@sbertram: Hi, we cannot run non-Symantec products with me being a Symantec onsite engineer for a reseller. :D
I'm also having problems getting the cooperation of the other outsource team and employees to get a sample. I'm not putting them down or anything. It's just that deleting the file (to them) is easier and copying the said file to another location or storage would pose a serious risk to the company I'm servicing.

I've remediated the problem by adding the file to the Application and Device Control Policy and setting it to block the process.

“Your most unhappy customers are your greatest source of learning.”
