It infects global macros area on opening or closing an infected document
(AutoOpen, FileClose). It infects documents on saving and saving with new
name (FileSave, FileSaveAs). While infecting documents the virus stores
renames its macros (see above) with random names and saves references to
them to document’s variables.
On October 24th the virus creates and spawns the PCGURU4.BAT file that
contains the instructions: