When the virus is loaded into memory, it hooks INT 21h and 25h, and writes itself to the beginning of executables that are accessed. While infecting, the virus encrypts the original beginning of the file.
On June 5 and 21, the virus disables the DOS FindFirst call when files are searched for on floppy disks. As a result, DOS shows nothing on them.
On Saturdays in June, the virus overwrites .PAS and .CPP files with the text:
There is nothing in the world that I ever wanted more than to never feel breaking apart all my programs again.
In July, the virus displays a video effect showing the sun, sea, beach and a moving yacht, with the text:
BСЕ НА МОРЕ !!!
Translation (from Russian):
LET'S GO TO SEA !!!
When this effect runs, the virus encrypts the disk sectors.
The virus contains the following encrypted internal text strings:
COMMAND.COM .COM.EXE.PAS.CPP I`m the Ghost V1.2. Check. Your move, Mr.AntiVirus ! My author`s coordinates are:Sun system, Earth, Europe, Russi... 2B continued... The more we know,the less we show.
Securelist (Kaspersky Labs), Virus.DOS.Marine.5000