<< Back to article Print this page Loading page, please wait...

'Thursday' virus strikes in eight countries

Kathleen Ohlson (Computerworld)
06 September, 1999 12:01

A new Word 97 macro virus hit banks and financial institutions in eight countries on Thursday, according to antivirus vendor Network Associates Inc (NAI).

The California-based company on Friday said its Anti-Virus Emergency Response Team received reports of the W97M/Thus.A, also known as "Thursday", Word 97 macro virus, an NAI spokesman said. He said the virus has struck 5000 desktops across eight countries, including the US, Germany, Ireland, France and Switzerland.

The Thursday virus was discovered late last month, and the jump in infections is related to banks and financial institutions filing end of the month reports, the NAI spokesman said. The company updated a warning about the virus on its Web site, calling it high risk.

W97/Thus.A is a Word 97 macro virus, infecting the normal.dot template within Microsoft Word 97. The virus contains a module -- "ThisDocument" -- which turns the macro warning off and infects any Word documents opened or created on that machine from then on, Network Associates said. It is also programmed to delete all files on the C drive on December 13, the company said.

It spreads through sharing a document, rather than automatically e-mailing itself through a network, the company said.

Users infected with the Thursday virus can't see any obvious indications of an infected document, Network Associates said. However, normal.dot will increase from its normal 27K size, the company added.

The company advised network administrators and users to upgrade their antivirus software.

But one industry watcher said the Thursday virus isn't that dangerous.

"It's not a fast spreader like Melissa, and it hasn't got a devastating payload like Chernobyl. And it's pretty easy to detect," said Roger Thompson, technical director of malicious code research at the International Computer Security Association in Virginia. "There's probably 1000 new macro viruses a month, and this is just one that got lucky." Thompson added that Network Associates has typically been "fairly responsible" about sending out virus warnings.

Thompson speculated that the virus was probably contained in a single document that was mailed to several people in the financial industry, accounting for its rapid spread within that industry.