Virus Alert: Network Associates Raises Risk Assessment on New Thursday Virus to 'High' - Industry Trend or Event

Edge: Work-Group Computing Report, Sept 13, 1999

AVERT (Anti-Virus Emergency Response Team), a division of NAI Labs at Network Associates, has raised the Risk Assessment on the W97M/Thus.A, or "Thursday" Word 97 Macro virus from Medium to High, following reports of rapid infection and spreading through major financial institutions in eight countries in the past 24 hours. The virus carries a potentially destructive payload that will attempt to delete all files on a user's c: drive on the trigger date of December 13th. Customers are urged to download updated detection and cleaning for their antivirus software immediately to help halt the spread of and prevent becoming infected by this destructive virus.

Symptoms: Users infected with the Thursday virus will see no obvious indications that a document has been infected. However, because the virus infects Word 97's normal.dot, the size of that file will increase from its normal 27K. In addition, the virus turns off Word 97's Macro Warning feature. If a "clean" document known to contain macros does not produce the regular warning, this may be an indication that the system is infected.

Pathology: W97M/Thus.A is a Word 97 Macro virus which infects the normal.dot template within Microsoft Word 97. The virus consists of a module called "ThisDocument," which turns the Word 97 Macro Warning feature off, then infects any Word documents opened or created on that machine from that point forward. The virus is primarily designed to spread, except on the "trigger date" of December 13th, at which point opening any infected document can cause the deletion of all files on drive c: (including subdirectories). This virus has been reported to AVERT researchers by several banks and financial organizations in Europe and the United States.

Risk Assessment: W97M/Thus.A has been given a high risk assessment by AVERT. Though it spreads through sharing of documents, and not by automatically emailing itself across networks, it has achieved a high rate of prevalence very quickly. The pattern of reports from multiple financial institutions around the world in rapid succession suggests the initial outbreak may have occurred through the distribution of a single infected document within the financial community. In addition, W97M/Thus.A carries a potentially destructive payload, and with it a high liability for organizations and consumers that unwittingly spread the virus.

Cure: Network Associates detection and cleaning for the virus is currently available to corporate customers for all Total Virus Defense (TVD) 4.0 products. To reduce the risk of contracting and/or spreading the Thursday virus, it is recommended that network administrators and users upgrade to the latest version of their anti-virus software. The most recent protection is available on Network Associates' web site at http://www.nai.com . Individual consumers are encouraged to visit http://www.mcafee.com, the consumer Internet division of Network Associates, to scan for the latest viruses over the web.

With headquarters in Santa Clara, Calif., Network Associates, Inc. is dedicated to providing leading enterprise network security and management software. McAfee.com, a subsidiary of Network Associates, is the leading online service and e-commerce destination devoted to providing individual consumers with the ability to update, upgrade and manage their PCs over the Web. With more than 1,000 new viruses discovered each month, AVERT, the anti-virus research division of NAI Labs, provides risk assessment ratings (low, medium or high) to customers based on both the potential damage of a given virus and actual infection rate in the wild. Viruses with high visibility are placed on the AVERT Watch list for 24 hour monitoring. AVERT currently employs more than 85 virus researchers and maintains labs on five continents worldwide. In addition to studying new and existing security threats, AVERT serves as a global resource for virus information and provides rapid, follow-the-sun support for virus emergencies worldwide. Virus advisories are issued as a service to customers from Network Associates, the leader in anti-virus detection and cleaning technology. For more information, Network Associates and McAfee.com can be reached at 408-988-3832 or on the Web at http://www.nai.com or http://www.McAfee.com.