This is a very dangerous memory resident parasitic Win16 virus. It infects Win16 NE EXE files (NewExe) and DOS EXE files. It is polymorphic in both Win16 NE and DOS EXE files. While infecting NE files, the virus creates a new section at the end of a file, encrypts and writes its code there, then modifies the necessary NE header fields. While infecting DOS EXE files, the virus writes its code to the end of the file, and modifies the DOS EXE header. The virus infection routine is buggy, and in some cases corrupts NE EXE files.
While infecting a file, the virus also checks the system date and time, and starting from the 16th of any month, depending on the system seconds counter, tries to erase data on the A: drive.
To stay "memory resident," the virus drops the VxD module that is the main part of its code. This module is dropped to the Windows system directory with the WINP16.386 name, and the virus then registers it in the SYSTEM.INI file in the [386Enh] section to force Windows to load a virus' VxD module upon each booting. The modified entry in SYSTEM.INI file appears as follows:
When Windows loads this VxD module, the virus memory installation routine takes control. It hooks the INT 21h chain (DOS functions), intercepts file execution and upon any file start, searches for EXE files in the current directory and infects them. The virus checks the file names and does not infect the following files: APV.EXE (mistyped AVP.EXE?), SCAN*.EXE, TBAV*.EXE, DRWE*.EXE, AIDS*.EXE, KRNL*.EXE, WIN3*.EXE, and VICT*.EXE.
The virus' "resident" mode works under both Win16 and Win9x, so the virus is able to infect not only Win16 system, but Win9x also, and affect NE EXE files in Win9x directories.