|Place of Origin||Northern Europe|
|Source Language||Visual Basic|
|Infection Length||1 macro module|
Ethan is a macro virus from 1999. It deletes the Class virus, making it a nematode, or beneficial virus.
When executed, there is a 3 in 10 chance that the virus will activate. Ethan creates the temporary file ETHAN.___ at the root of the C: drive. Though temporary, it is also hidden as a system file. Ethan inserts its code into the beginning of the ThisDocument module. It changes the title of the infected documents to "Ethan Frome", the author to "EW/LN/CB" and company to "Foo Bar Industries Inc.".
It checks for the file "class.sys" at the root of the C: drive and deletes it. This file is created by the Class virus and is used in a similar way to which Ethan uses ETHAN.___.
The Ethan family produced many variants, enough to go through the alphabet several times. Ethan.D displays several messages, one each month between April and December on a certain day, giving advice for preparing for the Y2K bug. Others have very minor changes, such as the name of the temporary file it stores itself in or the document summary.
Ethan managed to get a place in the top 10 virus/worm charts. As late as August of 2001, it was number 8, at a time when worms had already replaced viruses as the top security threat.
Katrin Tocheva, Sami Rautiainen. F-Secure, Ethan.
Raul K. Elnitiarta. Symantec.com, W97M.Ethan.A.
John Leyden. The Register, SirCam tops Virus charts. 2001.09.04