Home / malwarePDF  

Virus:W97M/Ethan.H


First posted on 21 March 2019.
Source: Microsoft

Aliases :

Virus:W97M/Ethan.H is also known as W97M/Ethan.a, Virus.MSWord.Ethan, W97M/Ethan.a, W97M.Ethan.DX, W97M_ETHAN.A.

Explanation :

W97M/Ethan.H is a macro virus that infects Word documents and templates. The virus resides in the module ThisDocument in the function Document_Close. Spreads Via... File InfectionWhen a user closes an infected document, the virus creates the text file: “c:ethan.___” and copies its own macro code to this file. The newly created file is marked as hidden and system.
The virus proceeds to infect the Normal template by inserting the virus code from the file “c:ethan.___” into the ThisDocument module. Payload Modifies Document PropertiesEvery time the Ethan.H runs, there is a 30% chance that the virus will change the affected document's properties by setting the following: 
Title:  "Ethan Frome"
Author:  "EW/LN/CB"
Keywords:  "Ethan" Additional InformationThe virus deletes the file “c:class.sys”. Usually this file would be associated with another family of macro viruses - W97M/Class.
Analysis by Jakub Kaminski

Last update 21 March 2019

 

TOP