Thus is a Word 97 macro virus that has a destructive payload.
Many Thus variants activate their payload at December 13th. Then the
virus deletes all files from the root of "C:" drive and from all its
subdirectories, but it does not delete directories themselves. Only
files with system, read-only or hidden attribute set are left. After
deletion the system cannot be restarted any more. Files may be still
recoverable with a suitable recovery software. However, if the
system has been used since the activation, then it is likely that
files have been already overwritten. In that case files should be
restored from backups.
When an infected document is opened, W97M/Thus.A will infect the global
template as well as every currently open document in Word. After that
every document that is created, opened or closed will be infected.
The virus detects already-infected documents by looking for this marker:
Thus_001
This is why the virus was named "Thus". The virus is also known by the
alias "Thursday".
The virus activates its payload at December 13th, when it deletes most
of the files from the root of "C:" drive and from all its
subdirectories. Only files with system, read-only or hidden attribute
set are left. After deletion the system cannot be restarted any more.
The virus is not visible in any way. It has been reported in the wild
globally during September 1999.
This variant is functionally identical with W97M/Thus.A. The only
difference between these two are that this variant has a few apostrophe
style commented empty lines at the end of its code.
W97M/Thus.J is a modified variant of W97M/Thus.A - the payload is
different. This variant activates its payload at November 3rd, when the
virus attempts to create a plain text file, "C:\000_new\Thus_100.txt".
[Analysis: Sami Rautiainen and Katrin Tocheva, September 1999 - December 2000 F-Secure]
