Lumension® Endpoint Intelligence Center

Overview

Threat Risk: LOW
Destructivity: LOW
Payload:
Detection files published:
Description created: 13 Nov 2001 03:00:00
Description updated: 15 Nov 2001 04:55:00
Malware type: VIRUS
Alias:
Spreading mechanism: FILE_INFECTION
Summary: None

W97M/Ethan

Spreading

Ethan consists of a single macro less than 50 lines long. Like any other macro virus, it infects Normal.dot and documents by adding the virus code to the VBA module "ThisDocument" in the document. You cannot see this module listed in the Tools|Macro list, but it is a default module in Word 97.

The Ethan virus checks whether the machine is infected with the W97M/Class virus and, if it is, deletes the class.sys file used by the Class virus to replicate.

"Ethan Frome" is a book written by Edith Wharton in 1911. The movie was released in 1993.

The file "c:\ethan.___" is generated so that the virus can spread. The file is harmless in itself and can be deleted after the virus is removed. c:\ethan.___ is listed as a hidden system file.

Payload Details

With the Ethan macro virus there is a 3-in-10 chance that the virus will alter the infected document's properties, so the payload activates at random. If the properties are altered, the virus changes the document's title to "Ethan Frome", author to "EW/LN/CB", and company to "Foo Bar Industries Inc.".

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15