When the virus is loaded into memory, it first infects the COMMAND.COM file and creates a fake COMMAND.COM containing the virus itself. The fake COMMAND.COM is then started and becomes memory-resident, after which the file is removed from disk.
After the TSR procedure, it hooks INT 21h and infects any DOS executable that is run.
The virus detects write-protected disks by performing a read/write operation on the disk through INT 13h. The infection then removes the READ-ONLY attribute.
The virus behaves stealthily, but the change in file size is still observable because its infection size is variable.
The TSR memory usage of the virus is 3,216 bytes.
The payload is similar to Excess. When an infected program is run on the 15th of January, April, or August, the virus destroys the file allocation table but first places the original FAT into memory. It then displays a casino game in which the user is told the rules: if the player wins, the FAT is restored; if the player loses, either by using up all five chances or by getting three "?", it is not restored, so the computer will not boot on restart. After that, it hangs the system.
If the user wins by drawing three "£" symbols (~17.2% overall chance), the virus displays the message:
B*****D ! You`re lucky this time - but for your own sake, now SWITCH OFF YOUR COMPUTER AND DON`T TURN IT ON TILL TOMORROW !!!
If the user draws three "?" symbols (~17.2% chance), the game terminates and displays the message:
No F**kin` Chance; and I`m punishing you for trying to track me down !
If the user loses (by running out of credits), it displays the message:
HA HA !! You a*****e, you`ve lost: say Bye to your Balls ...
Foul words are not censored in the actual sample. Drawing three "¢" symbols does nothing.
The deleted fake COMMAND.COM can be found and restored by UNDELETE and has a size of 2,330 bytes. This is how antiviruses detected the infection size of this virus. The filename of this file is:
Note the space in the filename. The user cannot access it through DOS, but access is possible if Windows has been installed.
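The following is an added example, not part of the original description: a Python scan of a raw FAT12/16 directory region for deleted .COM entries of 2,330 bytes, the artifact UNDELETE would show. The directory bytes are constructed sample data, and the function and constant names are hypothetical.

```python
import struct

DELETED = 0xE5          # first name byte of a deleted FAT directory entry
ATTR_LFN = 0x0F         # long-filename entries are skipped
ATTR_VOLUME = 0x08
ATTR_DIR = 0x10
FAKE_SIZE = 2330        # size of the deleted fake COMMAND.COM, per the text above


def find_deleted_droppers(directory: bytes, size: int = FAKE_SIZE):
    """Return (index, name, ext, first_cluster) for deleted .COM entries of `size` bytes."""
    hits = []
    for off in range(0, len(directory) - 31, 32):
        entry = directory[off:off + 32]
        if entry[0] == 0x00:            # 0x00 marks the end of the directory
            break
        attr = entry[11]
        if entry[0] != DELETED or attr == ATTR_LFN or attr & (ATTR_VOLUME | ATTR_DIR):
            continue
        first_cluster, file_size = struct.unpack_from("<HI", entry, 26)
        if entry[8:11] == b"COM" and file_size == size:
            # The first character is lost on deletion; show it as '?'.
            name = "?" + entry[1:8].decode("ascii", "replace")
            hits.append((off // 32, name, "COM", first_cluster))
    return hits


def _entry(name: bytes, ext: bytes, attr: int, cluster: int, size: int) -> bytes:
    """Build one constructed 32-byte directory entry for the sample below."""
    return name.ljust(8) + ext.ljust(3) + bytes([attr]) + bytes(14) + struct.pack("<HI", cluster, size)


# Constructed sample directory (not taken from a real infected disk).
SAMPLE_DIR = b"".join([
    _entry(b"IO", b"SYS", 0x07, 2, 40774),
    _entry(b"COMMAND", b"COM", 0x00, 60, 54645),      # live file, ignored
    _entry(b"\xE5LDNOTES", b"TXT", 0x00, 90, 2330),   # deleted, wrong extension
    _entry(b"\xE5OMMAND", b"COM", 0x00, 120, 2330),   # deleted, matches
    _entry(b"\xE5AME", b"COM", 0x00, 130, 9000),      # deleted, wrong size
]) + bytes(32)                                         # end-of-directory marker

if __name__ == "__main__":
    for idx, name, ext, cluster in find_deleted_droppers(SAMPLE_DIR):
        print(f"entry {idx}: {name.rstrip()}.{ext} first cluster {cluster}, {FAKE_SIZE} bytes")
```

The name is returned unstripped so that any embedded space in the 8-character field stays visible.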
The virus contains the internal text strings:
*.COM C:\COMMAND.COM COMMAND .COM ????????COM