It is a dangerous stealth macro virus. It contains ten macros in one module "TJ": AutoOpen, LAYLA, AutoExec, AutoExit, AutoClose, FileClose, ToolsMacro, ToolsCustomize, FileTemplates, ViewVBCode.
It infects the global macros area on opening an infected document (AutoOpen) and infects other documents on opening and closing (AutoOpen, AutoClose).
The virus turns off the Word virus protection (the VirusProtection option) and deletes "NewMacros" module that contains user defined macros. It also disables the Tools/Macro, Tools/Customize menus (stealth). On opening the Visual Basic editor the virus closes Word without saving changes in documents.
On 27th or 29th of any month on closing documents the virus runs its payload procedure. On opening Word at these days the virus displays in the status bar the text:
Excellent dayall for me... :)
The payload procedure is also run on opening document at 27th or 29th second of minute. This procedure replaces all digits by text "Tj" or "Layla" depends on day of month. Also it replaces every 9th character in document by Aries sign.
On exiting Word the virus searches in subdirectories of "c:", "c:program files", "d:" and "e:" for files by wildcard "*d*r*w*.*" (looking for DrWeb anti-virus) and deletes all files in directories where suitable files were found. Then it searches for "*a*v*p*.*" and deletes "*.avc" and "*.key" files (AVP anti-virus databases and key file). As a result of quite scrappy wildcards the virus can delete many other files.
The virus also changes following information:
UserName = ""
UserInitials = "TJ_LAYLA"
UserAddress = ""