Xandu.2385 works in DOS operating systems of version 5.0 and higher. It becomes memory resident at the top of system memory and uses interrupt 21. While installing memory resident the virus accesses Upper Memory as well as conventional one, then it hooks INT 21h and writes itself to the end of EXE files that are closed. While infecting a file it uses undocumented System File Tables and several undocumented DOS functions. While infecting the virus also creates the temporary file C:\BCDABKEH, infects, and then deletes that file. Depending on the current time and date it displays the messages:
XANDU Virus ! (C) 1993 By MTZ - Italy !