Classification

Category: Malware

Type: Virus

Platform: W97M

Aliases: Heathen, W97M/Heathen

Summary

Heathen is one of the first combination viruses that infects both Word documents and Windows executable files. It spreads from system to system in infected Word documents. Its binary component, which is activated at every Windows startup, infects further Word documents on the first logical disk even when Word is not running. Because of dependencies in its binary and macro components, the virus replicates only under Windows 95.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant: Heathen.12288.A

The virus consists of three components: an AutoOpen macro together with a UUE-like encoded binary embedded in Word documents, a Windows PE executable, and a Word template that the binary component uses for replication.

When an infected Word document is opened, the macro extracts the binary component into the Windows folder as HEATHEN.VDL and runs it. This file is a Windows PE executable containing only virus code. When run, it creates two more files, HEATHEN.VDO and HEATHEN.VEX. HEATHEN.VDO is the Word template the virus uses during replication. HEATHEN.VEX is a patched copy of EXPLORER.EXE that replaces the original EXPLORER.EXE at the next Windows startup; to arrange this the virus writes a rename command into the [rename] section of WININIT.INI, which Windows 9x processes once at boot before the shell starts.

As noted above, EXPLORER.EXE is not infected in the usual sense but only patched: the virus writes 32 bytes of startup code and data (the file name of its loader) at the beginning of the last section of EXPLORER.EXE and redirects the PE entry point RVA to that location. When EXPLORER.EXE starts, this stub loads HEATHEN.VDL with LoadLibraryA, after which the virus code is resident in memory inside the Explorer process for the rest of the session.
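The two file-level traces described in the preceding paragraphs (an entry point RVA pointing into the last section of EXPLORER.EXE, and a rename command queued in WININIT.INI) can be checked with a short script. The following is an added example, not code from the original F-Secure description or from the virus: the PE images and the WININIT.INI text are constructed inline for the demonstration, and the file names HEATHEN.VDL/VEX are taken from the description above.

```python
import struct

SECTION_HEADER_SIZE = 40   # size of IMAGE_SECTION_HEADER
PE32_OPTIONAL_SIZE = 224   # size of a standard PE32 optional header


def build_sample_pe(entry_rva, sections):
    """Construct a minimal PE32 image (headers only) for the demonstration.
    sections: list of (name, virtual_address, virtual_size). Constructed data,
    not a real Windows binary; it only has to satisfy the header walk below."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)             # e_lfanew: PE header follows DOS header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections), 0, 0, 0,
                       PE32_OPTIONAL_SIZE, 0x102)
    opt = bytearray(PE32_OPTIONAL_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    hdrs = b""
    for i, (name, va, vsize) in enumerate(sections):
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, vsize,
                            0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + bytes(opt) + hdrs


def parse_pe(data):
    """Return (entry_rva, [(name, virtual_address, virtual_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 60)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry_rva = struct.unpack_from("<I", data, pe + 24 + 16)[0]   # AddressOfEntryPoint
    sec_off = pe + 24 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, va = struct.unpack_from("<8sII", data, sec_off + i * SECTION_HEADER_SIZE)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
    return entry_rva, sections


def entry_section_index(data):
    """Index of the section whose virtual range holds the entry point (None if outside all)."""
    entry_rva, sections = parse_pe(data)
    for i, (_, va, vsize) in enumerate(sections):
        if va <= entry_rva < va + vsize:
            return i
    return None


def entry_point_suspicious(data):
    """Heathen-style patch heuristic: a multi-section image whose entry point
    sits in the last section rather than the first (code) section."""
    _, sections = parse_pe(data)
    return len(sections) > 1 and entry_section_index(data) == len(sections) - 1


def wininit_renames(ini_text):
    """Parse the [rename] section of WININIT.INI into (destination, source) pairs.
    Windows 9x applies these once at the next boot; destination NUL means delete."""
    pairs, in_rename = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dst, src = (part.strip() for part in line.split("=", 1))
            pairs.append((dst, src))
    return pairs


def heathen_rename_scheduled(ini_text):
    """True if a HEATHEN.* file is queued to overwrite EXPLORER.EXE at next boot."""
    return any(dst.upper().endswith("EXPLORER.EXE") and "HEATHEN." in src.upper()
               for dst, src in wininit_renames(ini_text))


# Constructed samples: a three-section layout with the entry point in .text, and
# the same layout after a Heathen-style patch points the entry point at the
# start of the last section.
LAYOUT = [(b".text", 0x1000, 0x2000), (b".data", 0x3000, 0x1000), (b".rsrc", 0x4000, 0x1000)]
CLEAN_PE = build_sample_pe(0x1010, LAYOUT)
PATCHED_PE = build_sample_pe(0x4000, LAYOUT)

# Constructed WININIT.INI content of the kind the description says the virus writes.
SAMPLE_WININIT = "[rename]\nC:\\WINDOWS\\EXPLORER.EXE=C:\\WINDOWS\\HEATHEN.VEX\n"

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("patched", PATCHED_PE)):
        print(f"{label}: entry in section {entry_section_index(image)}, "
              f"suspicious={entry_point_suspicious(image)}")
    print("HEATHEN rename queued in WININIT.INI:", heathen_rename_scheduled(SAMPLE_WININIT))
```

The entry point check is a triage signal, not a verdict: packers and some linkers also place the entry point outside the first section, so a hit should be confirmed by looking at the 32 bytes at the entry RVA for the LoadLibraryA call and the HEATHEN.VDL string the description mentions.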

While resident, the virus searches the first logical hard disk (C:) for files with .doc or .dot extensions. For each file found it attempts to infect it through the OLE compound document API, a technique new at the time that lets the virus write its macro into the document without involving Word at all.

The virus carries a destructive payload. Six months after the date of infection it deletes the Windows Registry files SYSTEM.DAT, USER.DAT, SYSTEM.DA0 and USER.DA0 (the registry hives and their backup copies). After that Windows has to be reinstalled from scratch.

The virus cannot patch EXPLORER.EXE under Windows 98, and its macro code does not work under Windows NT, which is why it replicates only under Windows 95.