Threat Description

Heathen

Details

Aliases: Heathen, W97M/Heathen
Category: Malware
Type: Virus
Platform: W97M

Summary



The Heathen virus is one of the first combination viruses, infecting both Word documents and Windows executable files. It spreads from system to system in infected Word documents. Its binary part, which is activated at every Windows startup, infects other Word documents on the first logical disk even when Word is not running. Because of the platform dependencies described under Technical Details, the virus replicates only under Windows 95.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to the General Removal Instructions for a general guide to alternative disinfection actions.



Technical Details




Variant:Heathen.12288.A

The virus has three components: an AutoOpen macro together with a UUE-like encoded binary inside Word documents, a Windows PE executable, and a Word template that the binary part uses for replication.

When an infected Word document is opened, the macro extracts the binary part to the \Windows folder as HEATHEN.VDL and runs it. This file is a Windows PE executable containing pure virus code. When run, the binary part creates the files HEATHEN.VDO and HEATHEN.VEX. HEATHEN.VDO is a Word template that the virus uses during replication. HEATHEN.VEX is a patched copy of EXPLORER.EXE that replaces the original EXPLORER.EXE at the next Windows startup; to achieve this the virus writes rename commands into the WININIT.INI file, which Windows 95 processes at boot before the shell is loaded.
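The WININIT.INI rename step is the persistence mechanism a responder can check for without running the sample. The following added example (not part of the F-Secure description, and not the virus's own code) parses the [rename] section of a Windows 95 WININIT.INI and flags entries that would overwrite EXPLORER.EXE, or that reference the HEATHEN.* files, at the next boot. The INI contents in it are constructed for the example; the page does not reproduce the exact lines the virus writes, so the source path and the extra NUL entry are assumptions.

```python
import ntpath
from typing import List, Tuple

# Constructed sample, not the real file written by the virus. The page states
# only that rename commands replacing EXPLORER.EXE are placed in WININIT.INI;
# the paths and the NUL (delete) entry are assumptions for the example.
SAMPLE_WININIT_INI = """[rename]
NUL=C:\\WINDOWS\\TEMP\\SETUP.TMP
C:\\WINDOWS\\EXPLORER.EXE=C:\\WINDOWS\\HEATHEN.VEX
"""

# File names the description attributes to the virus (matched case-insensitively).
HEATHEN_FILES = {"HEATHEN.VDL", "HEATHEN.VDO", "HEATHEN.VEX"}
# System binaries whose replacement at boot is suspicious regardless of source.
PROTECTED_TARGETS = {"EXPLORER.EXE"}


def parse_rename_section(text: str) -> List[Tuple[str, str]]:
    """Return (destination, source) pairs from the [rename] section.

    WININIT.INI is a plain INI file; each line under [rename] has the form
    destination=source, and WININIT.EXE moves source over destination at the
    next boot (a destination of NUL deletes the source). The section is parsed
    by hand rather than with configparser so key case and order are preserved.
    """
    pairs: List[Tuple[str, str]] = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs


def suspicious_renames(text: str) -> List[str]:
    """Describe [rename] entries that swap a protected binary or touch a Heathen file."""
    findings: List[str] = []
    for dest, src in parse_rename_section(text):
        dest_name = ntpath.basename(dest).upper()  # ntpath handles DOS paths on any host
        src_name = ntpath.basename(src).upper()
        if dest_name in PROTECTED_TARGETS:
            findings.append(f"{dest} will be overwritten by {src} at next boot")
        elif src_name in HEATHEN_FILES or dest_name in HEATHEN_FILES:
            findings.append(f"Heathen file referenced: {dest}={src}")
    return findings


if __name__ == "__main__":
    for finding in suspicious_renames(SAMPLE_WININIT_INI):
        print(finding)
```

On a live system the text would come from reading C:\WINDOWS\WININIT.INI; the file is normally absent or empty outside of an installer run, so any [rename] entry naming EXPLORER.EXE deserves a look, and the HEATHEN.V* files in the Windows folder are the confirming artefact.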

As stated above, EXPLORER.EXE is not infected but only patched by the virus. The virus writes 32 bytes of startup code and data (the file name) to the beginning of the last section of EXPLORER.EXE and redirects the entry point RVA to that location. When EXPLORER.EXE is run, this stub loads HEATHEN.VDL with the LoadLibraryA function, and from then on the virus is active in memory.
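The entry-point redirection described above is the property to look for in a patched EXPLORER.EXE. The following added example (not from the F-Secure description) walks a PE header far enough to find which section holds AddressOfEntryPoint and reports when it lies in the last section or in a non-executable section. The two images it inspects are built in memory for the example; the section layout, names and the 0x1234 and 0x2000 entry point values are assumptions, not data taken from a real EXPLORER.EXE.

```python
import struct
from typing import List, Optional, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

Section = Tuple[str, int, int, int]  # (name, VirtualAddress, VirtualSize, Characteristics)


def build_pe(entry_rva: int, sections: List[Section]) -> bytes:
    """Construct a header-only PE32 image for the example (it contains no real code).

    Only the fields the checker reads are filled in: e_lfanew, the PE signature,
    NumberOfSections, SizeOfOptionalHeader, AddressOfEntryPoint and the section table.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224  # size of a PE32 optional header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    table = b""
    for name, va, vsize, chars in sections:
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, vsize, 0, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, section list) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32 and PE32+
    sections: List[Section] = []
    off = opt + opt_size
    for _ in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, off)
        name, vsize, va, chars = fields[0], fields[1], fields[2], fields[9]
        sections.append((name.rstrip(b"\0").decode("ascii"), va, vsize, chars))
        off += 40
    return entry_rva, sections


def entry_point_section(data: bytes) -> Optional[int]:
    """Index of the section whose virtual range contains the entry point, or None."""
    entry_rva, sections = parse_pe(data)
    for i, (_, va, vsize, _) in enumerate(sections):
        if va <= entry_rva < va + vsize:
            return i
    return None


def check_entry_point(data: bytes) -> List[str]:
    """Reasons the entry point looks redirected; an empty list means nothing was found."""
    entry_rva, sections = parse_pe(data)
    idx = entry_point_section(data)
    if idx is None:
        return [f"entry point 0x{entry_rva:x} lies in no section"]
    name, _, _, chars = sections[idx]
    reasons: List[str] = []
    if len(sections) > 1 and idx == len(sections) - 1:
        reasons.append(f"entry point 0x{entry_rva:x} is in the last section ({name})")
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        reasons.append(f"section {name} holding the entry point is not executable")
    return reasons


# Constructed images: a normal layout with the entry point inside .text, and the
# same layout after a Heathen-style patch moved the entry point to the start of
# the last section. Section names, sizes and entry RVAs are assumptions.
TEXT = (".text", 0x1000, 0x800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
DATA = (".data", 0x2000, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
CLEAN_IMAGE = build_pe(0x1234, [TEXT, DATA])
PATCHED_IMAGE = build_pe(0x2000, [TEXT, DATA])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE)):
        print(label, check_entry_point(image) or ["no indicators"])
```

On a real file, pass open(path, "rb").read() to check_entry_point instead of the constructed images. A packed executable also places its entry point in a late section, so treat a hit as a triage signal rather than a verdict; for a suspected Heathen patch the description tells you where to look next, namely the first 32 bytes of the last section, which should hold the stub and the HEATHEN.VDL file name.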

While active, the virus looks for files with '.doc' or '.dot' extensions on the first logical hard disk (C:). When one is found, the virus attempts to infect it through the OLE API, a technique new at the time that lets the virus infect documents without using Word.

The virus has a dangerous payload. Six months after the infection date it deletes the Windows Registry files SYSTEM.DAT, USER.DAT, SYSTEM.DA0 and USER.DA0. After that Windows has to be reinstalled from scratch.

The virus is not able to patch EXPLORER.EXE under Windows 98, and its macro code does not work under Windows NT.





Technical Details: K. Tocheva, S. Rautiainen, P. Szor, A. Podrezov, F-Secure 1997

