| Description:
|
Details
Macro.Word97.Jim.b
Upon document closing, the virus checks running applications and if one of the following applications is found: Outlook, Internet Explorer or ICQ, the virus collects information about a computer and tries to send it to one of the FTP servers on the Internet.
The collected information includes:
First found .PWL file on drive C:
User name
Time document infected
Application
Country code
Free disk space
Generation of virus
Processor type
Operating system
The virus also searches for a Pegasus Mail application, and if it find one, it creates a message with an attached infected document.
If the MIRC client is installed on a computer, the virus drops a script that instructs MIRC to send an infected document to every computer joined to the same IRC channel as the infected computer.
The virus has a payload procedure that is triggered on second day of the month. This procedure inserts a text into the active document:
[Mr Jim/SeptiC/TI] - Do you have what it takes to become an international
bussiness man!?
[Mr Jim]/SeptiC/TI '99 |
