Thus is a Word 97 macro virus that has a destructive payload.
Many Thus variants activate their payload at December 13th. Then the virus deletes all files from the root of "C:" drive and from all its subdirectories, but it does not delete directories themselves. Only files with system, read-only or hidden attribute set are left. After deletion the system cannot be restarted any more. Files may be still recoverable with a suitable recovery software. However, if the system has been used since the activation, then it is likely that files have been already overwritten. In that case files should be restored from backups.
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
When an infected document is opened, W97M/Thus.A will infect the global template as well as every currently open document in Word. After that every document that is created, opened or closed will be infected.
The virus detects already-infected documents by looking for this marker:
This is why the virus was named "Thus". The virus is also known by the alias "Thursday".
The virus activates its payload at December 13th, when it deletes most of the files from the root of "C:" drive and from all its subdirectories. Only files with system, read-only or hidden attribute set are left. After deletion the system cannot be restarted any more.
The virus is not visible in any way. It has been reported in the wild globally during September 1999.
This variant is functionally identical with W97M/Thus.A. The only difference between these two are that this variant has a few apostrophe style commented empty lines at the end of its code.
W97M/Thus.J is a modified variant of W97M/Thus.A - the payload is different. This variant activates its payload at November 3rd, when the virus attempts to create a plain text file, "C:\000_new\Thus_100.txt".