It infects the master boot record of the hard disk and executables. It ignores files with filenames that contain any of the following strings:
SCAN CLEAN FINDVIRU GUARD NOD VSAFE MSAV CHKDSK
After the installation of the virus, every time the user boots or reboots the computer, the virus loads and encrypts last 2 unencrypted cylinders. The encryption is done by bitwise XOR operation by a randomly generated key, which the decryption is to perform the same operation with same key again.
On access of these encrypted cylinders, the virus decrypts them, so that the user might not notice.
When the number of encrypted cylinders reaches the half of that in total and the system day is 4th, 8th, 10th, 14th, 18th, 20th, 24th, 28th and 30th in any month, the virus displays the message when the computer boots:
Dis is one half. Press any key to continue ...
Careless disinfection will result in data loss. Since the virus holds the keys for accessing these encrypted cylinders, if the user removes the virus without decrypting them, then those data might not be recovered forever.
It is also known as one of the first viruses to implement a technique of "patchy infection", introduced in Bomber.
This virus may be detected and infected by another virus, SSR.