When Flip is introduced through an infected file, the virus checks if there is already a copy of itself in memory and that the memory is not full. If it is, the virus quits running. If not, it becomes memory resident. The virus then checks if the master boot record has been infected, and if it is not, infects it. The virus appends its code to any .com or .exe files that are executed. Files with an .ovl extension will also be infected if used by a file that becomes inrected.
Flip is particularly interesting with regard to how it stores the rest of its master boot record code. Most boot sector viruses store their code in an area that it later marks as a bad sector. This virus modifies a part of the partition table that points to the physical limit of the disk, subtracting 6 from it and places its code in those six unreachable sectors. The first sector will be a modified but uninfected copy of the partition table.
It will not infect .com files that are over 62,856 bytes. The .com files that are infected will not infect any further files. When an infected .com file is run, the virus will be decrypted and a few instructions are executed, but control returns to the host program before the virus can infect anything. It will also not infect when executed from the boot sector.
On the second of any month between 16:00 and 16:59, it flips the display horizontally using a modified font that shows characters backwards. It will only work on monitors with EGA or VGA screens.
Code written to files will be encrypted, while code written to the master boot record is not.
The virus contains encrypted text that is never displayed:
- Flip.Raistlin- formats disk sectors and displays the text "RAISTLIN I from Spain".
These are mostly similar to the original.
- Flip.2153 (two other variants)