This virus infects Word97 documents by checking the "HKCU\Software\Microsoft\Office\9.0\Word\Security\Level" value. If a value exists it is changed to 1 (the lowest setting) and the virus disables the "Tools>Macros>Security..." menu item. If the value does not exist, the virus disables the "Tools>Macro" menu item, the virus warning dialog, the ConfirmConversions prompt and the SaveNormal prompt.
The virus checks the "HKCU\Software\Microsoft\Office\SRAT" value. If this value does not exist, or is not equal to "by Kwyjiboymi", the virus creates and/or sets the value to "by Kwyjiboymi".
The virus checks the ActiveDocument codemodule name. If the name is not "SRAT", it removes all code from the module, changes the module name to "SRAT" and sets an infection pointer to the ActiveDocument. The same process is applied to the GlobalTemplate.
If infecting the GlobalTemplate, the virus creates the "Document_Close" subroutine and inserts its viral code into the subroutine. If infecting the ActiveDocument, the virus creates the "Document_Open" subroutine, inserts its viral code into the subroutine and saves the ActiveDocument.
This virus has two payloads. The first will activate if the day is equal to the exact second upon infection or the day is the 19th. The latter payload will only activate if the day is the 19th.
If the first payload is executed, the virus will type "is it safe? (y/n)" to the ActiveDocument, attempts to remove 1 to 20 directories from the Program Files directory and prints "(¥)" to the ActiveDocument for each attempted removal. It then types "your lucky number is " & and the number of directories it tried to remove & "!". It then types "by the way, each (¥) represents a dead directory! guess what "& the number of directories it tried to remove & " means! anyway, tell me about yourself.. (¥) (SRAT)".
If the second payload is executed, the virus opens a file named "srat.19" in the "Windows\Temp" directory; but if that fails, the virus will open it in "C:\Temp" directory instead and will loop infinitely while printing "(¥)" to the file.
This threat is detected as W97M/Assilem.gen. Disables Tools/Macro/Security and also Tools/Macro. Also disables the macro warning in Word97. If date is January 2000, the virus will change the registry setting