Category: Malware

Type: Virus

Platform: W97M

Aliases: Heathen, W97M/Heathen


The Heathen virus is one of the first combo viruses that infect both Word documents and Windows executable files. The virus spreads from system to system through infected Word documents. The binary part, which is activated at each Windows startup, infects other Word documents on the first logical disk even if Word is not open. Due to its peculiarities, the virus replicates only under Windows 95.


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Technical Details


The virus exists in three different forms: an AutoOpen macro and a UUE-like encoded binary inside Word documents, a Windows PE executable, and a Word template that the binary part uses for replication.

When an infected Word document is opened, the virus extracts its binary part to the \Windows folder as HEATHEN.VDL and runs it. This file is a Windows PE executable that contains pure virus code. When run, the binary part creates the HEATHEN.VDO and HEATHEN.VEX files. HEATHEN.VDO is a Word template that the virus uses during replication. HEATHEN.VEX contains a patched copy of EXPLORER.EXE that will replace the original EXPLORER.EXE during the next Windows startup. To achieve this, the virus writes rename commands to the WININIT.INI file.

As stated above, EXPLORER.EXE is not infected but only patched by the virus. The virus writes 32 bytes of its startup code and data (a file name) to the beginning of the last section of EXPLORER.EXE and redirects the Entry Point RVA to that location. When run, the patched EXPLORER.EXE loads the HEATHEN.VDL file using the LoadLibraryA function. From then on, the virus is active in memory.
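A defender-side check for the EXPLORER.EXE patch described above, added here as an example and not taken from the original description or from F-Secure's detection logic: it parses the PE headers and flags an entry point that falls within the first 32 bytes of the last section in the section table. The function names, the header-only sample builder and its section layout are constructed for illustration.

```python
import struct

def entry_point_in_last_section_head(pe: bytes, window: int = 32) -> bool:
    """True if AddressOfEntryPoint lies in the first `window` bytes of the last section."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)        # offset of the PE signature
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                      # 20-byte COFF file header
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    (entry_rva,) = struct.unpack_from("<I", pe, opt + 16)   # AddressOfEntryPoint
    if num_sections == 0:
        return False
    last = opt + opt_size + 40 * (num_sections - 1)         # last 40-byte section header
    (virt_addr,) = struct.unpack_from("<I", pe, last + 12)  # its VirtualAddress
    return virt_addr <= entry_rva < virt_addr + window

def build_sample_pe(entry_rva: int, sections) -> bytes:
    """Constructed header-only PE image for demonstration; not a real executable."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x10F)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    table = b"".join(struct.pack("<8sII", name, 0x1000, rva).ljust(40, b"\0")
                     for name, rva in sections)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed section layout (names and RVAs are sample values).
SAMPLE_SECTIONS = [(b".text", 0x1000), (b".data", 0x5000), (b".rsrc", 0x8000)]

if __name__ == "__main__":
    for label, entry in [("entry in .text", 0x1234), ("entry at start of last section", 0x8000)]:
        image = build_sample_pe(entry, SAMPLE_SECTIONS)
        print(label, "->", entry_point_in_last_section_head(image))
```

An entry point at the start of the last section also occurs in some packed or protected executables, so a hit is a reason to compare the file against a known-good copy, not a verdict on its own.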

When the virus is active, it looks for files with '.dot' or '.doc' extensions on the first logical hard disk (C:). If a file is found, the virus attempts to infect it using the OLE API, a new technique that allows the virus to infect documents without using Word.

The virus has a dangerous payload. Six months after the infection date, the virus deletes the Windows Registry files SYSTEM.DAT, USER.DAT, SYSTEM.DA0 and USER.DA0. After that, Windows needs to be reinstalled from scratch.

The virus is not able to patch EXPLORER.EXE under Windows 98, and its macro code does not work under Windows NT.