This stealth polymorphic macro virus contains ten procedures in one module
“ThisDocument”: autoopen, autonew, viewvbcode, toolsmacro, filetemplates,
and three macros with randomly generated names.
The virus infects the global macros area when an infected document is
opened (AutoOpen). Other documents are infected when they are opened or
created. While infecting, the virus turns off the Word virus protection (the
VirusProtection option). It then searches the C: drive for AVP,
F-PROT95, F-Macro, McAfee Virus Scan, Norton AntiVirus, TBAVW95 and some
other anti-virus programs and deletes their files.
If the mIRC client is installed in the “C:MIRC” folder, the virus stores the
just opened or created document as “C:MIRCBACKUPY2K.DOC” and deletes the mIRC
default script (the file SCRIPT.INI, which is executed every time the mIRC
client starts). The virus then tries to create a new SCRIPT.INI to spread
itself via IRC channels, but because of a mistake this does not happen.
When a document is opened, the virus opens the Visual Basic Editor window.
When a document is created, it closes the Visual Basic Editor window if it is
open. When the Alt-F11 combination (the show Visual Basic Editor command) is
pressed, the virus clears the first code module in the active document and
the first one in the global macros area (which contain the virus code) and
only after that makes the Visual Basic Editor window visible.
The virus's polymorphic engine replaces the names of some procedures and
inserts randomly generated comments into the virus code. Because of a bug,
the engine sometimes produces code that does not work.
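
A triage heuristic for the traits described above, as an added example that is not part of the original description: it scans VBA source text already extracted from a document (the extraction step, for instance with a tool such as olevba, is assumed) for the auto-run and stealth procedure names listed above and for an assignment that turns the VirusProtection option off, ignoring comments so that random comment padding does not affect the result. The function names, the scoring rule and both sample inputs are constructed for illustration.

```python
import re

# Procedure names listed in the description above, grouped by role.
AUTO_EXEC = {"autoopen", "autonew"}
STEALTH_HOOKS = {"viewvbcode", "toolsmacro", "filetemplates"}

SUB_RE = re.compile(r"^\s*(?:(?:Public|Private)\s+)?Sub\s+(\w+)", re.I | re.M)
# Assignment that switches Word's macro warning off.
PROT_RE = re.compile(r"\bVirusProtection\s*=\s*(?:False|0)\b", re.I)
# A string literal (kept) or a ' comment running to end of line (dropped).
COMMENT_RE = re.compile(r'("[^"\n]*")|\'[^\n]*')


def strip_comments(source):
    """Drop comments so random comment padding cannot hide or fake a match."""
    source = re.sub(r"(?im)^\s*Rem\b.*$", "", source)
    return COMMENT_RE.sub(lambda m: m.group(1) or "", source)


def triage(source):
    code = strip_comments(source)
    subs = {name.lower() for name in SUB_RE.findall(code)}
    auto = sorted(subs & AUTO_EXEC)
    hooks = sorted(subs & STEALTH_HOOKS)
    disables = bool(PROT_RE.search(code))
    # Auto-run combined with hooks on macro-management commands, or with
    # the protection option being switched off, is the pattern described.
    return {"auto_exec": auto, "stealth_hooks": hooks,
            "disables_virus_protection": disables,
            "suspicious": bool(auto) and (bool(hooks) or disables)}


# Constructed samples: empty procedure shells, not code from any real sample.
SAMPLE = """Sub AutoOpen()
' kq7zx random padding
Options.VirusProtection = False
End Sub
Sub ViewVBCode()
End Sub
"""
BENIGN = """Sub AutoOpen()
MsgBox "Welcome" ' VirusProtection = False appears only in this comment
End Sub
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(BENIGN))
```

Because the three remaining macros have randomly generated names, the check keys only on the fixed procedure names and the option assignment, and a hit is a reason to inspect the module by hand rather than a verdict.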