Thursday virus upgraded: 'High Risk'

IT managers should be on the lookout for a nasty but easily contained virus that has infected PCs at eight financial institutions over the last several days.

The virus, called the "Thursday" or W97M/Thurs.A virus, was first discovered nearly two weeks ago. It wasn't given much notice until the last two days, when it was reported at financial institutions in the US, the UK, Ireland, France, Poland, Switzerland, Austria, Germany, Latvia and Poland. About 5,000 seats have been infected so far.

The Word 97-based virus carries a payload that will try to delete all files on a user's C: drive on the trigger date, Dec. 13. It does not appear as though it will do any damage until that day, which oddly enough falls on a Monday this year. Anti-virus updates already released from most companies should find and wipe it off the PC, said Allison Taylor, marketing manager for Total Virus Defense at Network Associates Inc. in California.

Network Associates upgraded its warning on the virus from "medium" to "high risk" after it was reported at the financial institutions. Only three other viruses -- Melissa, CIH/Chernobyl and ExplorerZip -- have received a "high risk" rating over the last year.

Users will see no obvious indications that a document has been infected. The macro virus is limited so far to Word 97, or possibly newer versions of Microsoft Corp.'s word processing application. If it is not detected, it can cause the deletion of all files on the C: drive, including subdirectories. "One of the things that the virus also does is turn off macro virus warnings on the application. And so what the user needs to do, at a minimum, after running a virus checker, is to go in and change the option back for that warning," said Gary Grossman, vice president of research and development at Arca Systems, a security consulting subsidiary of Exodus Communications.

Researchers at Symantec said they do not expect the Thursday virus to spread very far, since it does not have any internal method of transporting itself other than Word 97 files. "This is a fairly unremarkable virus," said Carey Nachenberg, chief researcher at Symantec's AntiVirus Research Center. Compared to Melissa, which was a worm as well as a virus, the Thursday virus is a pretty basic, if destructive, piece of code, Nachenberg said.

The Thursday virus has lead many in the anti-virus community to ask: Are virus writers really busier these days? Or are they just making a better product? ICSA said in a recent survey that the number of virus incidents has increased twofold each year for the last four years. Symantec's Nachenberg doesn't think viruses are necessarily being created faster than they were in the past. But he said the strains that have recently hit the Internet have been far more virulent, due mostly to the wide use of macro commands and Microsoft's Visual Basic language.

Take me to the Virus Workshop

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All