When the virus is loaded into memory, it first infects COMMAND.COM and creates a pseudo-COMMAND.COM containing the virus itself. The pseudo-COMMAND.COM is then started and becomes memory resident, and the file is removed from disk.
After going resident (TSR), it hooks INT 21h and infects each DOS executable that is run.
The virus detects write-protected disks by performing a read/write operation on the disk through INT 13h. The infection routine removes the READ-ONLY attribute.
The virus behaves stealthily, but the change in file size is still observable because its infection size varies.
The exact memory usage is 3,216 bytes.
The payload is similar to Excess. When an infected program is run on the 15th of January, April, or August, the virus destroys the file allocation table (but fails), puts the original FAT into memory, and then displays a casino game. If the player wins, the FAT is restored; if the player loses, it is not restored, so the computer will not boot on the next restart.
If the user wins, the virus displays the message:
B*****D ! You`re lucky this time - but for your own sake, now SWITCH OFF YOUR COMPUTER AND DON`T TURN IT ON TILL TOMORROW !!!
If the user draws three "?" symbols, the game terminates and displays the message:
No F**kin` Chance; and I`m punishing you for trying to track me down !
If the user loses, it displays the message:
HA HA !! You a*****e, you`ve lost: say Bye to your Balls ...
Foul words are not censored in the actual sample.
The virus then hangs the system.
The deleted pseudo-COMMAND.COM can be found and restored with UNDELETE; it has a size of 2,330 bytes, which is how antivirus products determined the infection size of this virus. The filename of this file is:
There is a space in the filename, so the user cannot access it under DOS, but it is accessible if Windows has been installed.
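The deleted 2,330-byte file described above is what a forensic pass over a FAT directory would look for. The following is an added example, not code from the original description or from any antivirus product: it walks raw 32-byte FAT directory entries and reports deleted .COM entries of that size. It matches on deletion marker, extension and size only; the sample directory, its names and its cluster numbers are constructed.

```python
import struct

ENTRY_SIZE = 32          # one FAT 8.3 directory entry
DELETED = 0xE5           # first name byte after DOS deletes a file
END_OF_DIR = 0x00        # first name byte of a never-used entry
ATTR_SKIP = 0x08 | 0x10  # volume label or subdirectory (also matches LFN 0x0F)
DROPPER_SIZE = 2330      # size of the deleted file, as given in the description


def find_deleted_com(dir_bytes, size=DROPPER_SIZE):
    """Return deleted .COM entries of exactly `size` bytes in a raw directory."""
    hits = []
    for off in range(0, len(dir_bytes) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = dir_bytes[off:off + ENTRY_SIZE]
        if entry[0] == END_OF_DIR:      # nothing allocated past this point
            break
        if entry[0] != DELETED or entry[11] & ATTR_SKIP:
            continue
        cluster, length = struct.unpack_from("<HI", entry, 26)
        if entry[8:11] == b"COM" and length == size:
            # The first character is lost on deletion; keep the padding visible.
            name = "?" + entry[1:8].decode("ascii", "replace")
            hits.append({"offset": off, "name": name, "cluster": cluster})
    return hits


def make_entry(name, ext, size, cluster, deleted=False, attr=0x20):
    """Build a constructed 32-byte directory entry for the sample below."""
    raw = bytearray(name.ljust(8).encode() + ext.ljust(3).encode()
                    + bytes([attr]) + bytes(14) + struct.pack("<HI", cluster, size))
    if deleted:
        raw[0] = DELETED
    return bytes(raw)


# Constructed sample directory; names, sizes and clusters are invented.
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 47845, 2),
    make_entry("XDROP", "COM", 2330, 120, deleted=True),
    make_entry("NOTES", "TXT", 2330, 130, deleted=True),
    make_entry("TOOL", "COM", 1000, 140, deleted=True),
    bytes(ENTRY_SIZE),                                    # end-of-directory marker
    make_entry("STALE", "COM", 2330, 150, deleted=True),  # past the end, ignored
])

if __name__ == "__main__":
    for hit in find_deleted_com(SAMPLE_DIR):
        print(hit)
```

A hit is only a candidate: the starting cluster it reports is where recovery of the file contents for further inspection would begin.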
The virus contains the internal text strings:
*.COM C:\COMMAND.COM COMMAND .COM ????????COM