Ethan has 27 different variations. Most appear to be macro worms related to Microsoft Office 97. It's a parasitic class module infector, which consists of one macro and is approximately 50 lines of code in length. It infects documents and templates using an algorithm that inputs data from a source file, c:\ethan.___, into the host document. This source file is the exported VBA code of the virus.
First, ensure you have all Microsoft patches applied. This includes Office, the OS (98, NT, 2000) and other apps (Exchange, e-mail, browser, etc.).
Second, ensure your virus software is up to date. I'm talking about the *.exe, not the DAT or signature files.
Third, make sure the signature files are up to date.
Fourth, check for the "scriptlet.typelib/Eyedog" vulnerability, the ActiveX malicious-code issue covered by MS99-032.
Fifth, if you are using XP or ME: Windows ME and XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder.
Finally, from McAfee.com: PE, Trojan, Internet Worm and memory resident: Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:
SCANPM /ADL /CLEAN /ALL
This last step means you must scan from MS-DOS mode, if that is possible with your current OS. In summary, the Ethan virus/Trojan is old and may have many variations. Ensure you cover ALL the steps above and you should be okay. It seems Ethan lives in memory and the boot record, so YOU MUST ensure these are clean prior to cleaning the rest of the system. Then ensure all removable media are cleaned.
This was first published in May 2002