When the virus is run, it overwrites every EXE executable file in current directory, followed by displaying the following text:
virus "????" Dead_Byte
The question marks may be characters in different language, as they are unreadable in English system.
After infection the virus deletes INSTALL.EXE from current directory, if any.
Additionally, the virus would try to access any ARJ or ZIP files located in the same directory. If ARJ.EXE and/or PKZIP.EXE exist, the virus would access them by running ARJ and/or PKZIP, after that the virus would overwrite ARJ.EXE and PKZIP.EXE by the viral code. Otherwise the system would return the message claim the command(s) is(are) invalid during virus' runtime.
After overwriting ARJ.EXE and PKZIP.EXE, on running any infected program the virus will no longer output the text, but a noticeable delay and constant disk access can be observed.
The virus uses file replacement overwriting technique for infection, so that files infected by it will have a size of 5,952 bytes, no matter the original program is larger or smaller than the virus itself.
It is not possible to recover the overwritten files and they must be replaced by clean copies.
The virus contains the internal text strings:
install.exe *.arj *.exe /C arj a -y install.exe >NUL COMSPEC *.zip /C pkzip