The virus infects the master boot record of the hard disk and executables. It ignores files with filenames that contain any of the following strings:
SCAN CLEAN FINDVIRU GUARD NOD VSAFE MSAV CHKDSK
Every time the user boots or reboots the computer, the virus loads and encrypts last two unencrypted cylinders. The encryption is done by bitwise XOR operation by a randomly generated key, which the decryption is to perform the same operation with same key again.
On access of these encrypted cylinders, the virus decrypts them so that the user will not notice their files being encrypted.
When the number of encrypted cylinders reaches the half of that in total and the system day is 4th, 8th, 10th, 14th, 18th, 20th, 24th, 28th and 30th in any month, the virus displays the message when the computer boots:
Dis is one half. Press any key to continue ...
Careless disinfection will result in data loss. Since the virus holds the keys for accessing these encrypted cylinders, removing the virus without decrypting them may end up in the user keeping their infected files encrypted permanently.
It is also known as one of the first viruses to implement a technique of "patchy infection", introduced in Bomber.
This virus may be detected and infected by another virus, SSR.