Warning for new 'Heathen.A' virus
- — 28 June, 1999 21:49
Network Associates' (NAI's) AVERT (Anti-Virus Emergency Response Team) is warning users of what it terms a "medium risk" virus called Heathen.A.
W97M/Heathen.A is a multipartite virus, as it uses two types of classes, an .exe portion and a .doc portion, for its infection.
The virus was originally spread from a news group and replicates itself across Microsoft Word 97 files, but does not destroy data.
"It's delivered if someone receives an e-mail with a Word 97 infected document or if they access any server file that is infected," said Allison Taylor from Network Associates. "It doesn't carry a particular payload except for dropping a patch into your (Windows) 95/98 shell."
"It runs a modified version of your Windows Explorer system and then infects the Word 97 documents," Taylor explained. "So once you've been infected, any Word 97 file that you open from then on will also be infected."
The macro drops three system files, named heathen.vex, heathen.vdl and heathen.vdo, into a systems C:/Windows subdirectory. When the system is rebooted, the heathen.vex file will be renamed explorer.exe, according to AVERT.
NAI has assigned the Heathen.A virus a medium risk level as it is not socially engineered to appear to be from a known user, and can infect new systems only if a user opens an infected Word 97 file. Heathen.A does not send itself through e-mail as Melissa and Worm.ExploreZip do.
NAI has issued a virus update to protect against the Heathen.A virus at http://www.avertlabs.com