There are 2 variants:
When the virus is loaded into memory, it infects first 4 uninfected executable in both DOS and EXE formats, i.e. 8 files, followed by hooking INT 21h and 7Eh to infect any executable that is run, plus 3 extra files, i.e. the virus infects 4 files on every run.
If the file to be run has been already infected, the virus searches for other 4 uninfected files in same format to infect.
The virus consumes about 8K in memory.
Both variants check and ignore files having any of the filenames:
COMMAND SCAN CLEAN NAV CPAV BOOTSAFE
This variant also ignores files having the filename:
This variant also ignores files having any of the filenames:
VSAFE MAVGUARD SHVGUARD VIRTEST VCARE DAILY DISKPART
The following table shows the memory usage of the variants.
|Variant||Memory usage in bytes|
Both variants activate on March 28th and December 20th.
When an infected program is run on any of these days, the virus corrupts the disk sectors and crash the system.
Both variants contain the encrypted internal text strings:
*.COM *.EXE 747 ME PERDI A ACCEPT, SOY UN PELOTUDO
Accept.3619 also contains the encrypted internal text strings:
Accept.3773 also contains the encrypted internal text strings: