When executed this trojan appends virus-like code to the end of
C:RARA.EXE and C:RARA.OVR files if they exist. If there are no such
files, they trojan looks for them in the directory that is pointed by “RA=” instruction in DOS Environment.
When “infected” files are executed, the trojan code hooks INT 21h, 60h and stays memory resident. It then monitors several blocks of system memory and looks for “TELEFOON” strings in there. If such string is found, the trojan patches some bytes in this b
While installing memory resident the trojan uses nonlegal tricks and in
some cases crashes the system.