The Bacros virus seems to have come from Finland and has several payloads. It runs on Windows NT-based systems and in Microsoft Word.

It makes four copies of itself in the Windows system folder:

  • mssys.exe
  • sys.exe
  • msdosdrv.exe
  • WordInfo.doc

It modifies the registry so that it runs at startup.

It also drops an infected Word document to the root directory of the C: drive:

  • WordInfo.doc

When an infected computer is booted on the 10th, 20th, or 30th of any month, the virus will launch the WordInfo.doc file it dropped in the system folder. On the 6th of any month, Bacros types "I, Madman" into the active Word document and changes the application user name to "ANCIENT."

On any other day, the virus will spread to CD-ROMs by adding an autorun.inf script and by dropping a copy of itself on the CD-ROM, if it has access to it.

When an infected computer is booted on the 1st of any month, Bacros displays a fake error message and replaces all .GIF images it can find with a small one with the text "KUOLE JEHOVA." In Finnish, this means "Die Jehovah."

When an infected computer is booted on the 2nd of any month, Bacros will display the same error message and run another spreading routine. It replaces all .TXT files on the computer with itself and creates a backup of each original. The backup can only be viewed if the "Show Hidden Files and Folders" setting is checked. When such a copy of Bacros is opened, it will open the backup. If the user shares one of these files with a friend, they can accidentally send the virus instead of the text document. If the recipient opens it without an antivirus program, their computer will get infected and the text file will not be displayed. Instead, Bacros will open Notepad with a file called "ReadMy.txt." ReadMy.txt contains the name of the file repeated several times.

When an infected computer is booted on December 6th (Finland's Independence Day), the virus will change the desktop background to a small picture of the flag of Finland.

When an infected computer is booted on the first day of Christmas (December 25th), Bacros will delete all files it can find.
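For triage, the file drops and date triggers described above can be turned into a quick check. This is an added example, not code from the original page: the function names and directory arguments are assumptions, while the file names and dates are the ones listed here.

```python
from datetime import date
from pathlib import Path

# File names the page lists as dropped in the Windows system folder.
SYSTEM_DROPS = {"mssys.exe", "sys.exe", "msdosdrv.exe", "wordinfo.doc"}
# File name the page lists as dropped in the root of C:.
ROOT_DROPS = {"wordinfo.doc"}


def find_dropped_files(system_dir, drive_root):
    """Return paths whose names match the drops listed on the page.

    Matching is case-insensitive because Windows file names are.
    A name match is a lead for further analysis, not proof of infection.
    """
    hits = []
    for folder, names in ((Path(system_dir), SYSTEM_DROPS),
                          (Path(drive_root), ROOT_DROPS)):
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            if entry.is_file() and entry.name.lower() in names:
                hits.append(entry)
    return hits


def payloads_for_boot(day):
    """List every payload the page ties to a boot on this date."""
    out = []
    if day.day == 1:
        out.append("fake error, .GIF files replaced")
    if day.day == 2:
        out.append("fake error, .TXT files replaced with virus copy")
    if day.day == 6:
        out.append("text typed into Word, user name changed")
    if day.day in (10, 20, 30):
        out.append("WordInfo.doc launched")
    if (day.month, day.day) == (12, 6):
        out.append("desktop background changed")
    if (day.month, day.day) == (12, 25):
        out.append("file deletion")
    # Assumption: the page gives no precedence between overlapping triggers,
    # so all matches are reported; "any other day" is read as none matched.
    return out or ["CD-ROM spreading (autorun.inf plus virus copy)"]


if __name__ == "__main__":
    # Constructed sample: a boot date taken from a hypothetical event log.
    print(payloads_for_boot(date(2024, 12, 6)))
```

Point `find_dropped_files` at a mounted disk image's system folder and drive root, and feed `payloads_for_boot` the boot dates recovered from logs to scope which payloads may have run.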