There are 4 variants:
The virus infects MBRs of hard disks and executables that are run. After infecting MBR the virus encrypts its contents so the logical disks are not accessible after booting from system diskette. The virus uses anti-debugging tricks, it is polymorphic in files as well as in infected MBR. The virus has many bugs and often corrupts files and MBR while infecting them.
The virus has quite a complex way of infection. It behaves differently under different DOS versions. Under DOS 7+ (Windows) the virus infects EXE files only and does not touch MBR and COM files. Upon infection the virus encrypts itself and writes its body to the end of infected files. The length of infected files increases by 8542 bytes.
Under DOS 6.22 and earlier DOS versions the virus infects any executable and also the MBR. MBR is infected when the first infected file is executed. While infecting EXE files the virus looks for 'cavities' (areas of constant data) 8030 bytes long and writes itself there. In this case the file length is not increased. When infecting COM files the virus writes itself to the end of the file. To get control when the infected file is executed, the virus either uses a standard method - puts a jump to its body to the beginning of infected program, or inserts a jump somewhere in the middle of the file. In the second case the virus uses simple encryption instead of its polymorphic engine. The length of infected file increases by 8,030 bytes.
Under DOS 6 the virus also uses emulator to get DOS INT 21h handler address, and modifies this address so that it points to virus INT 21h handler.
On April 29th the virus sets graphics display mode, shows the below given text and imitates a snowfall.
[Ithaqua] virus by Wintermute/29A
The virus contains the internal text strings:
I'm Ithaqua,... that who walks over the wind Welcome to my world, adventurer. Follow me. Love. Hate. I'll be awaiting you on the dark side, watching the nonsense.