The virus has three components: an AutoOpen macro with a UUE-like encoded
binary inside Word documents, a Windows PE executable, and a Word template
that the binary part uses for replication.
When an infected Word document is opened, the macro extracts the virus's
binary part to the \Windows folder as HEATHEN.VDL and runs it. This file
is a Windows PE executable that contains pure virus code. When run, the
binary part creates the files HEATHEN.VDO and HEATHEN.VEX. HEATHEN.VDO is
a Word template that the virus uses during replication. HEATHEN.VEX is a
patched copy of EXPLORER.EXE that will replace the original EXPLORER.EXE
during the next Windows startup. To achieve this, the virus puts rename
commands to
As stated above, EXPLORER.EXE is not infected but only patched by the
virus. The virus writes 32 bytes of its startup code and data (the file
name) to the beginning of the last section of EXPLORER.EXE and redirects
the Entry Point RVA to that location. When the patched EXPLORER.EXE is
run, it loads the HEATHEN.VDL file with the LoadLibraryA function; from
then on the virus is active in memory.
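The patching described above leaves a header-level trace: the entry point no longer lies in the code section but at offset 0 of the last section. The following script is an added example, not part of the F-Secure analysis and not the virus's code. It builds a constructed three-section PE32 image in memory, applies the same modification the description attributes to the virus (32 placeholder bytes at the start of the last section, entry point RVA redirected there), and runs a small header heuristic that reports which section contains the entry point. The section layout, addresses and the placeholder stub are all assumptions chosen for the example.

```python
import struct

# Section header layout: Name(8) VirtualSize VirtualAddress SizeOfRawData
# PointerToRawData PtrRelocs PtrLinenums NumRelocs NumLinenums Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data):
    """Return (entry_rva, sections) for a PE32/PE32+ image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    opt_off = pe_off + 24
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = \
            SECTION_HDR.unpack_from(data, sect_off + i * SECTION_HDR.size)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry_rva, sections


def entry_point_section(data):
    """Locate the section that contains AddressOfEntryPoint."""
    entry_rva, sections = parse_pe(data)
    for idx, s in enumerate(sections):
        span = max(s["vsize"], s["rawsize"])
        if s["va"] <= entry_rva < s["va"] + span:
            return {"section": s["name"], "index": idx,
                    "last": idx == len(sections) - 1,
                    "offset": entry_rva - s["va"],
                    "executable": bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)}
    return None  # entry point outside every section: also worth flagging


def is_suspicious(data):
    """Heuristic: entry point in the last section rather than .text.
    Fires on Heathen-style patching, but also on many runtime packers,
    so treat it as a triage signal rather than a verdict."""
    ep = entry_point_section(data)
    return ep is None or (ep["last"] and ep["section"] != ".text")


def build_clean_pe():
    """Construct a minimal three-section PE32 (constructed sample, not a real binary)."""
    layout = [(b".text", 0x1000, 0x200, 0x400, 0x60000020),
              (b".data", 0x2000, 0x200, 0x600, 0xC0000040),
              (b".reloc", 0x3000, 0x200, 0x800, 0x42000040)]
    pe_off, opt_size = 0x40, 0xE0
    image = bytearray(0x400)                       # headers live in the first 0x400 bytes
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, pe_off)
    image[pe_off:pe_off + 4] = b"PE\0\0"
    # COFF header: Machine=i386, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader, flags
    struct.pack_into("<HHIIIHH", image, pe_off + 4, 0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    opt_off = pe_off + 24
    struct.pack_into("<H", image, opt_off, 0x10B)               # PE32 magic
    struct.pack_into("<I", image, opt_off + 16, 0x1010)          # entry point inside .text
    sect_off = opt_off + opt_size
    for i, (name, va, size, rawptr, chars) in enumerate(layout):
        SECTION_HDR.pack_into(image, sect_off + i * SECTION_HDR.size,
                              name, size, va, size, rawptr, 0, 0, 0, 0, chars)
    image.extend(b"\0" * (0xA00 - len(image)))     # raw section bodies
    image[0x410:0x413] = b"\x55\x8b\xec"            # push ebp; mov ebp,esp at the real entry
    return bytes(image)


# Placeholder for the 32-byte stub (NOPs plus the dropped file name); not virus code.
PLACEHOLDER_STUB = b"\x90" * 20 + b"HEATHEN.VDL\0"


def apply_heathen_style_patch(image, stub):
    """Reproduce the header change the description attributes to the virus:
    32 bytes written to the start of the last section and AddressOfEntryPoint
    redirected to that section's RVA."""
    if len(stub) != 32:
        raise ValueError("stub must be exactly 32 bytes")
    data = bytearray(image)
    _, sections = parse_pe(data)
    last = sections[-1]
    data[last["rawptr"]:last["rawptr"] + 32] = stub
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    struct.pack_into("<I", data, pe_off + 24 + 16, last["va"])
    return bytes(data)


if __name__ == "__main__":
    clean = build_clean_pe()
    patched = apply_heathen_style_patch(clean, PLACEHOLDER_STUB)
    for label, img in (("clean", clean), ("patched", patched)):
        print(label, entry_point_section(img), "suspicious" if is_suspicious(img) else "ok")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `entry_point_section`; the check only reads headers, so it is cheap enough to run across a directory of executables.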
While active, the virus looks for files with '.dot' or '.doc' extensions on
the first logical hard disk (C:). When a file is found, the virus attempts
to infect it through the OLE API, a technique new at the time that lets the
virus infect documents without using Word itself.
The virus has a dangerous payload. Six months after the infection date it
deletes the Windows Registry files SYSTEM.DAT, USER.DAT, SYSTEM.DA0 and
USER.DA0. After that Windows has to be reinstalled from scratch.
The virus is not able to patch EXPLORER.EXE under Windows 98, and the
macro code does not work under Windows NT.
[Analysis: K. Tocheva, S. Rautiainen, P. Szor, A. Podrezov, F-Secure 1997]