When the virus is run, it overwrites the first uninfected DOS executable, by writing its code at the beginning of the file, the infected program will no longer function but spreading out the virus.
The virus does not infect COMMAND.COM and files that are smaller than the virus itself.
When an infected program is run at 12:00 or 17:00, the virus displays a message and hangs the machine.
It's 12:00, time for lunch!
It's 17:00, time to go home!
On Saturday 14th the virus drops a file called CLEAN.COM with a file size of 899 bytes.
The drop program CLEAN.COMEdit
This drop program can be considered as a virus. It acts slightly different from Lunch, instead of overwriting during execution, it hooks INT 21h and infects one DOS executable by writing itself at the beginning of the file before a program runs, and then return to DOS instead of running the program, the file size will increase by 897 bytes.
The program infected by CLEAN will no longer function. When an infected program is run and the system day is between July 1st and December 31st, the PC speaker will beep.
Unlike the Lunch virus, CLEAN does not check file size and it may infect COMMAND.COM and even itself.
Both Lunch and the drop program contain the following text strings:
cOcK!sUcKrI COMMANDCOM A:\XXX.COM A:\$#@!$#@!.COM ENGLISH SUCKERS DIE IN BUENOS AIRES! MADE IN ARGENTINA91
The virus contains the following text strings that the drop program does not:
COMMAND.COM *.cOm CLEAN.COM
The infected programs may contain different text strings, rather than "A:\XXX.COM", the file path of the program is shown (e.g. C:\DOS\SYS.COM instead of A:\XXX.COM in an infected copy of SYS.COM).