When the virus is loaded into memory, it first infects 3 first uninfected .EXE executable files, followed by hooking INT 21h to infect other files. When the user runs a file, the virus infects first 2 uninfected files, so that the file that the user just run might not be infected. The timestamp of the infected files will be changed to the time of infection.
Not every file would be infected by the virus, and the infection size varies between files.
After these infections, a counter within the virus starts. However, this counter is never checked, so the virus will not activate.
The virus ties itself to the operating system during installation so that it cannot be discovered by running MEM, but the total free system memory will decrease by about 2K.
During infection, the virus also changes the field 0Ch in the MZ header to FFAAh. The virus identifies itself from memory by using the interrupt INT 21, AX=3521h which it has hooked. All the checks work correctly and the virus won't infect files multiple times and it installs itself to memory only once.
The TSR memory usage of the virus is 2,064 bytes.
The virus contains the internal text strings:
Additionally, it also contains the filename of the infected file.