This virus contains two macros in one Module, “ThisDocument,” and the macros have
different names in documents and NORMAL.DOT:
The virus infects the global macros area upon the opening of an infected document.
While infecting, the virus exports virus code to the C:CLASS.SYS and inserts it
into NORMAL.DOT. Documents are infected in the same way.
The virus mutation (polymorphic) routine inserts comments into virus code, containing a user name, current date and time, and information about the active
The virus uses an effective way to hide its code. By using special WordBasic
operators, the virus installs its module, not into the standard area of macro
programs, but into the area of Word classes – the area of standard routines that
handle Word events, i.e., Word kernel. The virus appends its code to
documents and templates, not as a user application (macro program), but as a
“native” Word component. As a result, the virus is not visible in
Tools/Macro and File/Templates (for what reason does the virus then hook
The virus disables the AutoProtection. On the 31st, the virus displays the
Each month from June until December on day 14, the virus displays the message:
The virus also changes values in the registry keys:
Upon infection, this virus modifies the system registry by writing “Clazz” as
the registered owner of this Windows copy. Upon trying to view, the virus codes it
with a probability of 25% and sets the “Clazz” password for active document, or, with
the same probability, deletes all files in the current folder.