W97M/Thus is a macro virus that infects Word 97 documents, although its effects and actions are no different from those produced by other similar viruses. However, the significant number of infections it has produced, together with its destructive payload, has raised the alarm among users and in certain Internet discussion groups.
"W97M/Thus is activated when an infected document is opened. Its infection routine first searches for and then infects the normal.dot template. Thereafter, any document that is created or opened will become infected, since the aforementioned global template is loaded each time Word is executed," says Brian Little, country manager at Panda Software SA.
"However, before infecting the victim document, the virus checks whether there exists a comment line at the beginning of the macro code with the `Thus_000` string. This would show that the virus is already present in the affected document, and it therefore does not need to copy itself again. On the contrary, the virus makes a copy of itself, achieving immediate infection," says Little.
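The marker check described above can be reused for triage. The following is an added example, not code from the article or from Panda Software: it assumes macro source has already been extracted to text, that the marker match is case-sensitive, and all function names and sample modules are hypothetical.

```python
import re

MARKER = "Thus_000"  # infection marker string quoted in the article

# Assumption: the extractor emits "Attribute VB_..." lines ahead of the code,
# as exported VBA modules usually do; they are skipped, not treated as code.
_SKIP = re.compile(r"^\s*Attribute\s+VB_", re.IGNORECASE)
# A VBA comment line starts with an apostrophe or the Rem keyword.
_COMMENT = re.compile(r"^\s*(?:'|Rem\b)(.*)$", re.IGNORECASE)


def leading_comments(source):
    """Yield the text of the comment lines that open a macro module."""
    for line in source.splitlines():
        if not line.strip() or _SKIP.match(line):
            continue
        m = _COMMENT.match(line)
        if m is None:
            return  # first real statement reached: header comments are over
        yield m.group(1).strip()


def classify(source):
    """Return 'marker-in-header', 'marker-elsewhere' or 'clean'."""
    if any(MARKER in text for text in leading_comments(source)):
        return "marker-in-header"
    if MARKER in source:
        return "marker-elsewhere"  # e.g. a string literal; needs a human look
    return "clean"


def triage(modules):
    """Map module name -> verdict for already-extracted macro sources."""
    return {name: classify(src) for name, src in modules.items()}


# Constructed sample modules for illustration (not real virus code).
SAMPLES = {
    "flagged.cls": 'Attribute VB_Name = "ThisDocument"\n'
                   "'Thus_000\nSub Document_Open()\nEnd Sub\n",
    "mention.bas": 'Sub Report()\n    MsgBox "scan for Thus_000"\nEnd Sub\n',
    "benign.bas": "' Formatting helpers\nSub Tidy()\nEnd Sub\n",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

A `marker-in-header` verdict on the module exported from normal.dot is the case to prioritise, since the article notes that the global template is loaded each time Word is executed.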
The destructive effect of this virus is what makes it worth mentioning, since it does not stand out for massive Internet propagation capabilities, like Melissa, or for special encryption techniques that complicate its detection. Its payload is activated every December 13th, when it deletes all files and subdirectories found on drive C:.
This virus is a clear example of how virus code does not have to be complicated to produce severe effects. Unfortunately, the malicious intruders that wreak such havoc are the easiest to program.

