When the virus is run, it decrypts its encrypted block of code by using INT 1 (tracing) tricks, and then hooks onto INT 9 (keyboard) and stays memory resident. On INT 9 calls the virus releases INT 9 and hooks onto 2Fh. On INT 2Fh calls the virus releases INT 2Fh and hooks onto INT 9 (as a result at any moment the virus hooks either INT 9 or INT 2Fh).
On INT 2Fh calls the virus also intercepts the INSTALLATION CHECK (AX=AE00h) command that is executed when a copy of COMMAND.COM processor is run, checks the command line, and if command line begins with "DIR" string, the virus searches for executables and writes itself to the end of the file. While working the DIR commands the virus temporarily hooks onto INT 21h and "decreases" the length of infected files when they are accessed by FindFirst/Next DOS functions.
On the 31st of any month the virus manifests itself by a video effect, it runs the symbols on the screen with ticking sounds emitted from the system speaker like playing billiard. After this effect, the program will run.