W97M/Thus.X
Analysis
- Virus consists of one macro module within the class storage
- Virus hooks Word event handlers which prevents the opening, creating or closing of infected documents
- Virus searches the macro storage of host files for the string "'Bethlem'", which exists in the virus body, as a means to determine if the host file is already infected
- On March 11th of any year:
  - Virus searches for all *.sys files in all subdirectories and attempts to delete them
  - Displays a message box reading "Happy Birthday"
  - Erases all words in the active document and prevents the user from using the menu option "Edit | Undo" to recover, by resetting Word's internal "Undo" list
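The virus's own infection check can be reused for triage. The following is an added example, not code from the virus or from this write-up; it assumes the macro source has already been extracted and decompressed by a separate tool, and the module names, sample text and three behaviour patterns are constructed for illustration.

```python
import re
from datetime import date

# Only MARKER is quoted in the analysis above. The patterns below are assumed
# VBA spellings of the described behaviour, not strings from the virus body.
MARKER = "'Bethlem'"
HEURISTICS = {
    "message_box": re.compile(r"MsgBox\b.*Happy Birthday", re.I),
    "sys_delete": re.compile(r"\bKill\b.*\.sys", re.I),
    "undo_reset": re.compile(r"\bUndoClear\b", re.I),
}

# Constructed sample input: {module name: decompressed macro source}.
SAMPLES = {
    "ThisDocument": "Private Sub Document_Open()\n'Bethlem'\nEnd Sub",
    "Module1": 'Sub Greet()\nMsgBox "Hello"\nEnd Sub',
    "Module2": 'Sub P()\nMsgBox "Happy Birthday"\nActiveDocument.UndoClear\nEnd Sub',
}

def triage(modules):
    """Return (module, line number, label) for every indicator hit."""
    findings = []
    for name, source in modules.items():
        for lineno, line in enumerate(source.splitlines(), 1):
            if MARKER in line:
                findings.append((name, lineno, "infection_marker"))
            for label, pattern in HEURISTICS.items():
                if pattern.search(line):
                    findings.append((name, lineno, label))
    return findings

def verdict(findings):
    labels = {label for _, _, label in findings}
    if "infection_marker" in labels:
        return "infected"    # same test the virus applies to host files
    if len(labels) >= 2:
        return "suspicious"  # payload-like behaviour without the marker
    return "clean"

def payload_due(today):
    """True on the trigger date given above: March 11th of any year."""
    return (today.month, today.day) == (3, 11)

if __name__ == "__main__":
    for name, source in SAMPLES.items():
        print(name, verdict(triage({name: source})))
```

A raw byte search of the document file can miss the marker because Office stores macro source in compressed form, so run the check on extracted source.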