Home / malwarePDF  

W97M.Ethan.AK


First posted on 21 November 2011.
Source: BitDefender

Aliases :

W97M.Ethan.AK is also known as W97M.Ded.K, W97M.Ded.R.

Explanation :

The virus copies itself in a temporary file, named "evolve.tmp", in the root directory (usually "C:" ).

At opening, if the virus is a macro in a ".doc" file, it infects normal.dot.
If the virus is a macro in normal template ("normal.dot"), it infects documents when they are opened.

It verifies the file macros, and it doesn't infect a macro that begins with "Private Sub Open" and ends with "End sub". So, it doesn't infect the same macro twice.

The virus doesn't have any destructive payload, it only spreads itself through Microsoft Word Application.

Last update 21 November 2011

 

TOP