Upon infection, ABC becomes memory-resident at the top of system memory but below the 640 K DOS boundary and hooks interrupts 16 and 1C. The copy of command.com pointed to by the COMSPEC environment variable may also be altered. ABC infects/alters COM and EXE files as they are executed.
After infection, total system memory, as measured by the DOS CHKDSK program, will not be altered, but available free memory will have decreased by approximately 8,960 bytes. Altered, but not infected, COM or EXE files will have 4 to 30 bytes added to their length. Infected EXE files (COM files are never infected) have a file length increase of 2,952 to 2,972 bytes, and ABC is located at the end of the infected EXE. An altered/infected file's date and time in the DOS disk directory listing may have been updated to the current system date and time when the file was altered/infected.
No text strings are visible within the viral code in infected EXE files, but the following text strings are encrypted within the initial copy of the ABC virus:
- Minsk 8.01.92
ABC causes keystrokes on the compromised machine to be repeated. It seems double-letter combinations trigger this behavior, e.g. "book" becomes "boook [ sic ]". System hangs may also occur when some programs are executed, a likely side effect of ABC-induced corruption.
The ABC virus is not to be confused with the ABC keylogger trojan, written in 2004 by Jan ten Hove.