This is a polymorphic Word macro virus. It contains one macro in documents:
AutoOpen, and two macros in NORMAL.DOT: FileSave, ToolsMacro. The virus
infects the global macros area (NORMAL.DOT) on opening an infected document
(AutoOpen) and writes itself to documents that are saved (FileSave).
The virus uses quite complex polymorphic engine – different infected files
have variable sets of commands in virus’ macros. The virus also uses quite
complex way to hide its main code in documents and templates: the main
virus code is placed in AutoText area and virus’ macros just read it from
there, copy the text to macros area and execute it. This is the first known
virus that uses such way to hide itself.
The virus sets the user’s name to “Nasty”. The polymorphic engine has bugs,
as a result it may produce corrupted code.