W97M/Thus.C

Analysis

• Virus is practically identical to W97M/Thus.A in function, only some lines of code are commented
  
• Virus consists of one macro module within the class storage
  
• Virus hooks Word event handlers which prevents the closing of infected documents
  
• Virus searches the macro storage of host files for the string

  "'Thus_001'"

  which exists in the virus body, as a means to determine if the host file is already infected

• On December 13th of any year, virus searches for all files in all subdirectories and attempts to delete them