There are 4 variants:
When the virus is loaded into memory, it first infects C:\COMMAND.COM, followed by hooking INT 13h and 21h to infect any executable file by writing itself to the end of the file. It also infects the boot sector of floppy disks that are accessed.
The virus behaves stealthy so that there would have no observable size change on infected files.
The virus might not perform infection on every program execution, and it does not infect files containing digits or the following strings in their filename:
V TB SC F- GU
Additionally, the virus has bugs that may corrupt the files during infection.
The following table shows the memory usage of the variants.
|Variant||Memory usage in bytes|
When the infected system is loaded or an infected program is run on June 4th, the virus displays a green message at the center of the screen and hangs the system.
CriCri.4289 and 4300:
Cri-Cri ViRuS by Griyo/29A ...Tried, tested, not approved.
CriCri.4616 and 4690:
Cri-Cri ViRuS by Griyo96 ...Tried, tested, not approved.
In fact, this virus avoids most of the files in DOS system directory.
The Implant virus is related to the CriCri family.