Lumension® Endpoint Intelligence Center


Overview

Threat Risk LOW
Destructivity LOW
Payload
Detection files published 01 Sep 1999 03:00:00
Description created 01 Sep 1999 03:00:00
Description updated 15 Nov 2001 08:32:00
Malware type VIRUS
Alias
Spreading mechanism FILE_INFECTION
Summary None

W97M/Thus.A

Spreading

Whenever a document infected with the W97M/Thus.A virus is loaded into Word, the user or network will be infected. The virus begins by turning off Macro Virus Protection so that Microsoft Word does not display a warning message box. Next, it checks whether the global template 'Normal.Dot' is already infected by looking for the marker Thus_001. If the marker is not present, the virus removes all existing macros from the 'ThisDocument' module and then infects it. The virus then forces Microsoft Word to save the global template to make sure the infection is saved. Continuing its operation, the virus later infects document files that are not yet infected. After finishing the infection, it checks whether the payload has to be triggered.

Payload Details

On 13 December of any year, the W97M/Thus.A virus will try to delete all files from the C: drive. This can render the system inoperable.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15