Threat Description

Thus

Details

Aliases: Thus, Thursday
Category: Malware
Type: Virus
Platform: W97M

Summary



Thus is a Word 97 macro virus that has a destructive payload.

Many Thus variants activate their payload at December 13th. Then the virus deletes all files from the root of "C:" drive and from all its subdirectories, but it does not delete directories themselves. Only files with system, read-only or hidden attribute set are left. After deletion the system cannot be restarted any more. Files may be still recoverable with a suitable recovery software. However, if the system has been used since the activation, then it is likely that files have been already overwritten. In that case files should be restored from backups.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details




Variant:Thus.A

When an infected document is opened, W97M/Thus.A will infect the global template as well as every currently open document in Word. After that every document that is created, opened or closed will be infected.

The virus detects already-infected documents by looking for this marker:

Thus_001

This is why the virus was named "Thus". The virus is also known by the alias "Thursday".

The virus activates its payload at December 13th, when it deletes most of the files from the root of "C:" drive and from all its subdirectories. Only files with system, read-only or hidden attribute set are left. After deletion the system cannot be restarted any more.

The virus is not visible in any way. It has been reported in the wild globally during September 1999.


Variant:Thus.B

This variant is functionally identical with W97M/Thus.A. The only difference between these two are that this variant has a few apostrophe style commented empty lines at the end of its code.


Variant:Thus.J

W97M/Thus.J is a modified variant of W97M/Thus.A - the payload is different. This variant activates its payload at November 3rd, when the virus attempts to create a plain text file, "C:\000_new\Thus_100.txt".





Technical Details: Sami Rautiainen and Katrin Tocheva, September 1999 - December 2000 F-Secure


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More