The virus speads by adding a copy of itself to ZIP and ARJ archives
as README.EXE file. When README.EXE is executed the virus searches
for more ZIP and ARJ archives on the disk and writes a copy of itself
to them.
The virus uses DOS commands 'DIR \*.ARJ /S /B >>ARJ.DAT' and 'DIR
\*.ZIP /S /B >>ZIP.DAT' to create lists of ZIP and ARJ archives that
are available on the hard disk. The virus uses archive names from
these list files to create a command line for calling the archivers:
for ARJ its: 'ARJ a <archive name> README.EXE>>NULL' and for PKZIP
its: 'PKZIP <archive name> README.EXE>>NULL'. The virus will not
infect archives if ARJ.EXE or PKZIP.EXE are not present.
To block output to the screen from ARJ and PKZIP the virus redirects
screen output to NULL device. The ARJ.DAT and ZIP.DAT files are
deleted before the virus returns control to the system by using DOS
commands: 'DEL ARJ.DAT>>NULL' and 'DEL ZIP.DAT>>NULL'.
When README.EXE is run, it displays several messages on the screen
like 'Decompressing video drivers' or 'Decompressing sound files' and
a progress indicator. During that time the virus infects all available
archives. When the virus returns control to the system it displays a
message:
![](/images/pixel.gif"){kind=tracking}
