Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Heathen


Aliases:


Heathen
W97M/Heathen

Malware
Virus
W97M

Summary

The Heathen virus is one of the first combo viruses that infect both Word documents and Windows executable files. The virus is spread from system to system with infected Word documents. The binary part that is activated during each Windows startup is used to infect other Word documents on the first logical disk even if Word is not opened. Due to its peculiarities the virus replicates only under Windows 95.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details


Variant:Heathen.12288.A

The virus has 3 different essences: an AutoOpen macro and UUE-like encoded binary inside Word documents, a Windows PE executable and a Word template that is used by a binary part for replication.

When an infected Word document is opened, this virus extracts its binary part to \Windows folder as HEATHEN.VDL and runs it. This file is a Windows PE executable that contains pure virus code. Being run the binary part creates HEATHEN.VDO and HEATHEN.VEX files. The HEATHEN.VDO file is a Word template that is used by the virus during replication. The HEATHEN.VEX file contains a patched copy of EXPLORER.EXE that will replace the original EXPLORER.EXE during next Windows startup. To achieve this the virus puts rename commands to WININIT.INI file.

As stated above the EXPLORER.EXE is not infected but only patched by the virus. The virus puts 32 bytes of its startup code and data (file name) to the beginning of the last section of EXPLORER.EXE and redirects Entry Point RVA to that location. Being run the EXPLORER.EXE will launch HEATHEN.VDL file using LoadLibraryA function. Since then the virus will be active in memory.

When the virus is active, it looks for files having '.dot' or '.doc' extensions on the first logical hard disk (C:). If a file is found the virus attempts to infect it using OLE API - the new technique that allows the virus not to use Word for infection purposes.

The virus has a dangerous payload. Six months after infection date the virus deletes Windows Registry files: SYSTEM.DAT, USER.DAT, SYSTEM.DA0 and USER.DA0. After that Windows should be reinstalled from a scratch.

The virus is not be able to patch EXPLORER.EXE under Windows 98 and macro code is not working under Windows NT.





Technical Details: K. Tocheva, S. Rautiainen, P. Szor, A. Podrezov, F-Secure 1997



Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.