Virus Profile: W32/Etap

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/14/2002
Date Added: 3/6/2002
Origin: Spain
Length: about 100,000 bytes
Type: Virus
Subtype: Win32
DAT Required: 4189
Removal Instructions


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

The infected files grow in size by about 100,000 bytes (can vary greatly). Some of them no longer run. There are no visible virus-related strings in infected files.

Methods of Infection

Infects Win32 applications with an ".EXE" extension, only in folders not starting with letter "W". The virus also avoids programs with a letter "V" in the name or starting with "F-", "PA", "SC", "DR" and "NO". However it lists all available network drives and looks for potential writeable targets there. After the infection, date and timestamp of files do not change.

In most targets the virus wipes out the relocation section of the host file. Files can still run but this makes proper cleaning impossible.


Linux/Etap, Win32.Simile (NAV)

Virus Characteristics

-- Update 6/4/2003 --
Detection of W32/Etap was restricted to the latest engines (4240, 4260+) because they have built-in technology to search for entry-point obfuscating viruses much quicker. It has to be noted that AVERT had no reports of W32/Etap from the field for many months.

-- Update 5/15/2002 --
A new version known as Etap.d has been recently discovered. It infects both Win32 PE and Linux ELF files. Detection for the Linux strain went in the 4204 DAT set. This makes it the first polymorphic as well as the first entry-point-obfuscating virus for Linux.

-- Update 4/11/2002 --
The detection of W32/Etap has been improved over the last few weeks, so that most users should not notice a slowdown from this detection. If you are able to isolate a specific file that takes an unusually long time to scan, please send a copy to and mention that you are sending it because of the slowdown.

-- Update 4/03/2002 --
Since 4194 DATs the detection of this virus no longer requires "Program Heuristic" mode.

When an infected file is run, it infects other Win32 files on the system. The virus prefers to hit applications written in the C language and is more likely to hit OS files rather than normal applications. This virus carries a string "Metaphor v1 by The Mental Driller/29A ". It is not visible in infected files but this string (with the lettercase changed randomly) is displayed on the 17th of March, June, September and December:

On the 14th of May, on systems with Hebrew character support, the virus will display a message box saying "Free Palestine! ".

This virus is polymorphic and uses entry-point obfuscation technique. When infecting, the virus replaces all "ExitProcess" calls in the host file with obfuscated jumps on a polymorphic decryptor. The obfuscated polymorphic jump, the polymorphic decryptor, and the encrypted body of the virus can be anywhere in the host file which makes detection a difficult task.

Although detection is complex, AVERT has decided to include detection using the ActiveDAT technology in the scanning engine and DATs. As a consequence, some users may notice a slight performance decrease after updating to 4189 DATs. This is a necessary tradeoff for obtaining detection of a known "in the wild" virus. To allow users some flexibility, AVERT has included detection for this virus ONLY when the "Program Heuristics" option is turned on. AVERT will continue to work on improving the detection of this virus to reduce the impact users may see. Improvements will eventually be noticed in future DATs.

If this virus is detected on your computer, please report it to AVERT by sending an e-mail to .

The sample of this virus was sent on 14 Feb 2002 to fourteen different AV companies by the virus author. In about 2 weeks the virus sample was also circulated in an electronic magazine distributed by 29A virus writing group (version 1b). A slight modification of the same virus was created from the published ASM sources, where it carries a different string ("Deutsche Telekom by Energy 2002*g** ") displayed on the 18th of March, June, September and December:

This variant also carries a string: "Heavy Good Code! " but it is almost never displayed.


Variants information
Virus Name Type Subtype Differences
W32/Etap.a Virus Win32 discovered on 14 Feb 2002 (requires 4189 DATs)
W32/Etap.b Virus Win32 discovered on 06 Mar 2002 (requires 4189 DATs)
W32/Etap.d Virus File Infector Many replicants of W32/Etap.d are detected generically with 4189 DATs as W32/Etap with program heuristics enabled. The specific Linux/Etap.d detection was added to the 4204 DATs while W32/Etap.d detection was added to the 4205 DATs.
All Users:
Use current engine and DAT files for detection. Replace files not cleaned with backup copies.

Additional Windows ME/XP removal considerations


PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!