This is a Word'97 and Word'2000 infector which uses the class module and gets the control when the infected file is opened. Most of the body is encrypted, only 5 lines are visible. They decrypt the body in "Sixtieth_Skeptic" function and launch this function which is doing the rest of work.
First thing the virus does is infecting the global template file. All
opened files are then infected too. The virus contains a bug which
makes it non-polymorphic but encrypted.
The virus drops C:\SS.BAS and C:\SS.VBS files. First contains
the VBS source of the virus (only 5 first lines are actually readable
VBA source as the body below is encrypted) . Second file is a short
VBS script (WSCRIPT.EXE which comes with Win98 and Windows2000
by default but not with Win95) - which would reinfect NORMAL.DOT if it is
cleaned or removed. To do this the filename C:\SS.VBS is entered in the
following Registry key so that this script is run on every reboot:
Then the virus checks the key called "Sixtieth Skeptic" in the following Registry key
and if it contains a string "Where's Jamie?" the virus quits.
If the key is not there the virus gets the Outlook address list and sends itself
to first 60 addresses assigning the following attributes to the Email:
Subject: Important Message From ... (here goes the user name taken from Winword's environment)
Body: Look what I found...
After that the virus sets the Registry key to read "Where's Jamie?" so it would
not send Emails out from the same machie twice.