Upon execution of this virus, it searches for the addresses of the following WIN32 Application Programming Interface (API) functions:
On the system date, December 7, it overwrites all files in the Drive C:\ with this text string:
Then, it searches for EXE files in the current directory. To infect, it encrypts a portion of the original codes of the infected file and overwrites these with its virus body, together with the encrypted bodies of the target file.
Since file sizes of programs infected by this virus do not increase, most of the infected program files do not function properly because some portion of the unencrypted host body has been overwritten by the virus code.
The time stamp of infected program files are modified to the time of infection.
In addition, the virus checks for the signature 0xBA in the OEM I.D. entry (offset 0x24) in the MZ header to prevent re-infection of program files.