It is not a dangerous semi-polymorphic macro virus. In infected documents
it contains one macro AutoOpen that infects global macros area while
opening an infected document. In infected NORMAL.DOT in contains two
macros. The first macro is a copy of AutoOpen macro and has a random
selected name. The second macro has the name FileSaveAs and infects
documents that are saved with new name.
The virus is semi-polymorphic – while copying its AutoOpen macro it renames
its internal values to other names, generates random name for copy of
AutoOpen macro. While creating FileSaveAs macro the virus inserts commands
that are selected from several variants and inserts random selected
While infecting global macros area the virus creates the IVX.NOT file in
the directory of the host file and writes the text to there:
IVX detects all macro viruses, past, present, and future.
It adds the command to the C:AUTOEXEC.BAT file that clears the Read-Only
attribute of NORMAL.DOT file:
@ATTRIB -R WordDirectoryNORMAL.DOT > NUL”