This file infector, a new variant of PE_KAMIKAZE.3228, has metamorphic capability, making detection by antivirus software more difficult.
Upon execution, it searches for the addresses of the following WIN32 Application Programming Interface (API) functions:
It then checks whether the system date is December 7. If it is, the virus overwrites all files on hard drive C:\ with this string:
The virus then searches for EXE files in the current directory. It infects a file by encrypting a portion of the host's original code and overwriting that portion with its own virus body, together with the encrypted host code.
Because the file size of an infected program does not increase, most infected program files do not function properly: some portion of the unencrypted host body has been overwritten by the virus code.
The time stamps of infected program files are modified to the time of infection.
In addition, the virus checks for the signature, 0xBA, in the OEM I.D. entry (offset 0x24) in the MZ header to prevent re-infection of program files.
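The re-infection marker described above can also be used as a triage check. The following is an added example, not code from the original description; it assumes the marker is the single byte at offset 0x24 (the low byte of the 16-bit OEM I.D. field), and the function names and the sample header are constructed for illustration.

```python
import struct
from pathlib import Path

E_OEMID_OFFSET = 0x24   # OEM I.D. entry in the MZ header (from the description)
E_LFANEW_OFFSET = 0x3C  # file offset of the PE header
MARKER = 0xBA           # infection signature (from the description)


def check_marker(data: bytes) -> dict:
    """Parse the MZ/PE headers and test the OEM I.D. infection marker."""
    result = {"is_pe": False, "oemid": None, "marked": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result  # not an MZ executable, or header truncated
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result  # plain DOS program or damaged header
    (oemid,) = struct.unpack_from("<H", data, E_OEMID_OFFSET)
    result.update(is_pe=True, oemid=oemid)
    # Assumption: the marker is the byte at 0x24, i.e. the low byte of e_oemid.
    result["marked"] = (oemid & 0xFF) == MARKER
    return result


def scan_dir(path) -> list:
    """Return names of *.exe files in one directory that carry the marker."""
    return [p.name for p in sorted(Path(path).glob("*.exe"))
            if check_marker(p.read_bytes())["marked"]]


def build_sample(oemid: int) -> bytes:
    """Constructed minimal MZ/PE header used as test input; not a real program."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, E_OEMID_OFFSET, oemid)
    struct.pack_into("<I", hdr, E_LFANEW_OFFSET, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


if __name__ == "__main__":
    for label, image in (("clean", build_sample(0)), ("marked", build_sample(0xBA))):
        print(label, check_marker(image))
```

A hit on this one byte only selects a file for a full antivirus scan; it does not confirm infection by itself.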