Virus.DOS.Billiard.2658 is a dangerous, memory-resident, partially encrypted virus that runs on MS-DOS.

Behavior

When the virus is run, it decrypts its encrypted block of code by using INT 1 (tracing) tricks, then hooks INT 9 (keyboard) and stays memory resident. On INT 9 calls the virus releases INT 9 and hooks INT 2Fh. On INT 2Fh calls the virus releases INT 2Fh and hooks INT 9 again. As a result, at any moment the virus hooks either INT 9 or INT 2Fh.

On INT 2Fh calls the virus also intercepts the INSTALLATION CHECK command (AX=AE00h), which is executed when a copy of the COMMAND.COM processor is run, and checks the command line. While the virus is in memory and the user issues a DIR command, it searches for and infects all the executable files during the file listing.

The virus also tries to hide its presence in infected files, so that the change in file size is not observable as long as it stays memory resident.
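The alternating INT 9 / INT 2Fh hook described above can be checked for in a series of interrupt vector table dumps. The following is an added example, not part of the original article: it parses raw 1024-byte real-mode IVT images and reports whether exactly one of the two vectors differs from a clean baseline in every snapshot. All addresses, the `RESIDENT_SEG` value and the function names are constructed for illustration.

```python
import struct

IVT_SIZE = 256 * 4  # real-mode IVT: 256 far pointers at 0000:0000

def make_ivt(vectors):
    """Build a raw IVT image from {int_no: (segment, offset)} (test helper)."""
    ivt = bytearray(IVT_SIZE)
    for intno, (seg, off) in vectors.items():
        struct.pack_into("<HH", ivt, intno * 4, off, seg)  # offset word first
    return bytes(ivt)

def read_vector(ivt, intno):
    """Return (segment, offset) of one handler from a raw IVT dump."""
    if len(ivt) < IVT_SIZE:
        raise ValueError("IVT dump must be at least 1024 bytes")
    off, seg = struct.unpack_from("<HH", ivt, intno * 4)
    return seg, off

def hooked_vectors(baseline, snapshot, watch=(0x09, 0x2F)):
    """List the watched interrupts whose handler differs from the baseline."""
    return [n for n in watch
            if read_vector(snapshot, n) != read_vector(baseline, n)]

def alternating_hook(baseline, snapshots):
    """True when every snapshot has exactly one of INT 09h / INT 2Fh hooked
    and both have been seen hooked across the series."""
    seen = set()
    for snap in snapshots:
        changed = hooked_vectors(baseline, snap)
        if len(changed) != 1:
            return False
        seen.add(changed[0])
    return seen == {0x09, 0x2F}

# Constructed sample data: all addresses below are made up for the example.
CLEAN = {0x09: (0xF000, 0xE987), 0x2F: (0x0070, 0x0123)}
RESIDENT_SEG = 0x9F00  # hypothetical segment of the resident code
BASELINE = make_ivt(CLEAN)
ON_INT09 = make_ivt({**CLEAN, 0x09: (RESIDENT_SEG, 0x0100)})
ON_INT2F = make_ivt({**CLEAN, 0x2F: (RESIDENT_SEG, 0x0200)})
BOTH = make_ivt({0x09: (RESIDENT_SEG, 0x0100), 0x2F: (RESIDENT_SEG, 0x0200)})

if __name__ == "__main__":
    series = [ON_INT09, ON_INT2F, ON_INT09]
    for i, snap in enumerate(series):
        print(i, [hex(n) for n in hooked_vectors(BASELINE, snap)])
    print("alternating:", alternating_hook(BASELINE, series))
```

A single snapshot shows only one of the two hooks, which is why the check needs several dumps taken over time.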

Payload

On the 31st of any month the virus manifests itself with a video effect: it runs the symbols on the screen, with ticking sounds emitted from the system speaker, like playing billiards. After this effect, the program will run.

Videos

Virus.DOS.Billiard.2658 (Revisited) (03:23): Billiard virus review by Alles Sandro

Virus.DOS.Billiard (05:15): Billiard virus review by danooct1

Virus.DOS.Billiard.2658 (01:04): Virus.DOS.Billiard.2658 on Virtual Machine
