Aliases: W32/Marjor.A, W32/Marjor.worm, Trojan.Win32.Marjor, Trojan:Win32/Marjor, WORM_MARJOR.A
Variants: Troj/Marjor, TROJ_MARJOR, W32/Marjor, Marjor Trojan, W95/Marjor.A

Classification: Malware
Category: Trojan Horse

Status: Active & Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 12 Sep 2003
Damage: Low

Characteristics: As a Trojan Horse, this malware usually relies on some deceptive method to gain entry into a vulnerable computer system and to trick the user into launching it. The payload of W32.Marjor is an attempt to overwrite target files on the infected computer system. Unlike other variants, however, it overwrites a file only when the user accesses that file.

More details about W32.Marjor

On initial execution, this malware attempts to create a copy of itself on the host computer system. According to most antivirus developers, the main executable file of W32.Marjor is dropped into the same directory used by the operating system files. After installing its executable, it creates an associated Windows Registry key value that causes the operating system to load W32.Marjor at every boot or restart. The text string value "LOVE YOU" is also added to the Windows Registry entry associated with the W32.Marjor infection. This string value has a null entry.

The malware makes further use of the Windows Registry to firmly establish its presence on the compromised machine. W32.Marjor generates an OPEN key value which is attributed to the SHELL command. This routine is presumed to trigger the infection when an application invokes the SHELL command set. W32.Marjor also uses Windows Registry key values to infect subkeys that begin with a dot (.). It scans only the HKEY_CLASSES_ROOT location of the Windows Registry for such subkeys.
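
The registry changes described above can be checked offline by comparing a known-good .reg export with one taken from the suspect machine. The following script is an added example, not part of the original write-up or of any vendor tool. It reports dot-subkeys under HKEY_CLASSES_ROOT whose open command has changed and any key holding a "LOVE YOU" string value with empty data. Assumptions: the "null entry" is read as an empty string, and the sample exports, placeholder.exe and ExampleAutorunKey are constructed for illustration.

```python
import re

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
HKCR = "hkey_classes_root\\"

def parse_reg(text):
    """Parse string values of a .reg export into {key: {name: data}}, lowercased."""
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name.lower()] = unescape(m.group(2))
    return keys

def open_commands(keys):
    """Map each HKCR dot-subkey (.ext) to the shell\\open\\command it resolves to."""
    result = {}
    for key, values in keys.items():
        ext = key[len(HKCR):]
        if key.startswith(HKCR + ".") and "\\" not in ext:
            # Simplified lookup (assumption): ProgID from the default value, then the extension key.
            for owner in (values.get("@", "").lower(), ext):
                cmd = keys.get(f"{HKCR}{owner}\\shell\\open\\command", {}).get("@")
                if owner and cmd:
                    result[ext] = cmd
                    break
    return result

def changed_handlers(baseline_text, current_text):
    """Extensions whose open command differs from the baseline: {ext: (old, new)}."""
    old, new = (open_commands(parse_reg(t)) for t in (baseline_text, current_text))
    return {e: (old.get(e), c) for e, c in new.items() if old.get(e) != c}

def marker_values(text, marker="LOVE YOU"):
    """Keys holding a string value named `marker` whose data is empty."""
    return [k for k, v in parse_reg(text).items() if v.get(marker.lower()) == ""]

# Constructed sample exports; placeholder.exe and ExampleAutorunKey are made up.
BASELINE = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\notepad.exe %1"
'''
CURRENT = BASELINE.replace("notepad.exe", "placeholder.exe") + '[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleAutorunKey]\n"LOVE YOU"=""\n'
```

Exports written by regedit are usually UTF-16, so decode the file to text before passing it to these functions.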