A leading antivirus software vendor is warning of a new virus affecting Microsoft Word 97 that sits in a user's computer like a time bomb, set to deliver a potentially destructive payload on December 13.
Dubbed the "Thursday virus," it has spread through banks and other financial institutions in the US and Europe, according to AVERT (Anti-Virus Emergency Response Team), a division of Network Associates's NAI Labs that is tracking it.
The Thursday virus carries a "trigger" date of December 13. When an infected document is opened on that date, it will attempt to delete all the files on a user's "c:" drive, including subdirectories, according to AVERT. Users and network administrators are encouraged to upgrade to the most recent version of their antivirus software immediately to help stem the spread of the infection.
Unlike the infamous Melissa virus, which spread by automatically e-mailing itself across networks, the Thursday virus is spread when users share documents. However, because it appears to be spreading quickly, and because of its potentially destructive and costly payload, AVERT has given it a "high-risk" assessment.
While the virus likely originated within the financial community, it may soon spread beyond that industry, said Eddy Hsia, director of software development with Network Associates' McAfee.com consumer subsidiary.
"Financial people usually talk to other financial people, but eventually they're inevitably going to talk to you or me," Hsia said. The virus could be spread through, for example, a resume attached to an e-mail as a Word document, he said.
The virus infects the "normal.dot" template in Microsoft Word 97. Affected users won't see any obvious signs of infection, although the size of the normal.dot template will increase from its typical maximum size of 27Kbytes, Hsia said.
In addition, the virus turns off the Macro Warning feature in Word 97. If a user has a document that contains a macro, and the Macro Warning feature doesn't activate, that's a sign that their system may be infected, AVERT said.
The virus, which also goes by the aliases "W97M/Thursday, and "Thus.A," contains a module called ThisDocument. After turning the macro warning feature off, the module proceeds to infect any Word documents opened or created on the computer from that point on.
Judging by the pattern of reports made to AVERT, which came in from multiple financial institutions around the world in rapid succession, the outbreak may have stemmed from the distribution of a single infected document within the financial community, AVERT deduced. The virus was first detected around August 26, Hsia said.
To reduce the risk of contracting or spreading the virus, network administrators and users are advised to upgrade immediately to the latest version of their antivirus software. The most recent protection from Network Associates is available on its Web site, at http://www.nai.com. Consumers also can visit http://www.mcafee.com for the latest upgrades.