
Finding and removing the Ethan virus

I have a few computers that have the Ethan virus showing up in Word docs. I have scanned these with NAV, and it doesn't find anything. I have also looked for various file/entries in the autoexec, as was recommended, but again nothing shows up. How can I find and remove this virus?

Ethan has 27 different variations. Most appear to be Microsoft Office 97 related as a macro worm. It's a parasitic class module infector, which consists of one macro and is approximately 50 lines of code in length. It infects documents and templates using an algorithm to input data from a source file, c:\ethan.___, to the host document. This source file is exported VBA code of the virus.

First, ensure you have all Microsoft patches applied. This includes Office, the OS (98, NT, 2000) and other apps (Exchange, e-mail, browser, etc.).

Second, ensure your virus software is up to date. I'm talking about the *.exe, not the DAT or signature files.

Third, make sure the signature files are up to date.

Fourth, check for the "scriptlet.typelib/Eyedog" vulnerability, which is ActiveX malicious code MS99-032.

Fifth, if using XP or ME, Windows ME and XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder.

Finally, from McAfee.com: PE, Trojan, Internet Worm and memory resident: Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:
This last one means you must scan from MS-DOS mode if possible with your current OS.

In summary, the Ethan virus/Trojan is old and may have many variations. Ensure you cover ALL the steps above and you should be okay. It seems Ethan lives in memory and the boot record, so YOU MUST ensure these are clean prior to cleaning the rest of the system. Then ensure all removable media is cleaned.

This was last published in May 2002
