It tries to delete the critical Win.com file. However, due to the fact it only checks for the "WIN" directory, it will usually fail to do its payload otherwise.
When the document opens, it will talk about an upcoming concert. However, a passage of Basic code has been attached and has been activated. On the 29th of December, the worm is supposed to delete Win.com. However, it only checks if the directory is called "WIN" to delete Win.com from there. If it does not find it, this fails with a run-time error. Through correction to the right directory if it is not named "WIN", the user can see the payload if it does not work.
The worm will display a message box "You have been surrounded". Attempting to restart will in turn destroy Windows 9x (Windows 95 and 98) and make it refuse to boot. The user would have to replace Win.com to restore function.
This virus has no effect on Windows NT based operating systems (like Windows NT 4.0 and 2000) (except deleting Win.com if it is found. However, it is not a startup file on Windows NT and the computer will still boot) and seems to do little on Windows ME (as win.com is no longer the startup file for Windows)