Casino


Virus.DOS.Casino.2330 is a memory-resident parasitic virus for DOS.

Behavior

When the virus is loaded into memory, it first infects COMMAND.COM and creates a pseudo-COMMAND.COM containing the virus itself. The pseudo-COMMAND.COM is then started and becomes memory resident, and the file is removed from disk.

After the TSR procedure, it hooks INT 21h and infects each DOS executable that is run.

The virus detects write-protected disks by performing a read/write operation on the disk through INT 13h. The infection removes the READ-ONLY attribute.

The virus behaves stealthily, but the change in file size is still observable because its infection size is variable.

Memory usage

The exact memory usage is 3,216 bytes.

Payload

The payload is similar to that of Excess. When an infected program is run on the 15th of January, April, or August, the virus destroys the file allocation table (but fails), puts the original FAT into memory, and then displays a casino game. If the player wins, the FAT is restored; if the player loses, either by using up all five chances or by getting three "?", it is not restored, so the computer will not boot when restarted.

If the user wins by drawing three "£" symbols (~17.2% overall chance), the virus displays the message:

B*****D ! You`re lucky this time - but for your own sake, now
SWITCH OFF YOUR COMPUTER AND DON`T TURN IT ON TILL TOMORROW !!!

If the user draws three "?" symbols (~17.2% chance), the game terminates and displays the message:

No F**kin` Chance; and I`m punishing you for trying to track me down !

If the user loses (by running out of credits), it displays the message:

HA HA !! You a*****e, you`ve lost: say Bye to your Balls ...

Foul words are not censored in the actual sample. Drawing three "¢" symbols does nothing.

And then it hangs the system.

Other details

The deleted pseudo-COMMAND.COM can be found and restored with UNDELETE. It has a size of 2,330 bytes, which is how antivirus products determined the infection size of this virus. The filename of this file is:

COMMAND .COM

There is a space in the filename, so the user cannot access it under DOS, but access is possible if Windows has been installed.

The virus contains the internal text strings:

*.COM
C:\COMMAND.COM
COMMAND
.COM
????????COM
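
The strings and the 2,330-byte size above can be combined into a simple offline triage check. This is an added example, not part of the wiki page or of any antivirus product; it assumes the strings are stored unencoded as ASCII, and all function names are hypothetical.

```python
# Added triage example; not code from the wiki page or any antivirus product.
from pathlib import Path

# Internal text strings listed on the page (assumed stored unencoded, ASCII).
# b"COMMAND" and b".COM" are substrings of b"C:\\COMMAND.COM", so the
# distinctive indicators are b"*.COM", b"C:\\COMMAND.COM" and b"????????COM".
PAGE_STRINGS = [b"*.COM", b"C:\\COMMAND.COM", b"COMMAND", b".COM", b"????????COM"]
DROPPED_SIZE = 2330  # size of the undeleted pseudo-COMMAND.COM, per the page


def matched_strings(data: bytes) -> list:
    """Return the page-listed strings found in data (case-sensitive)."""
    return [s for s in PAGE_STRINGS if s in data]


def triage(data: bytes) -> dict:
    """Classify one file body as 'dropper-size', 'strings' or 'clean'."""
    hits = matched_strings(data)
    all_hit = len(hits) == len(PAGE_STRINGS)
    if all_hit and len(data) == DROPPED_SIZE:
        verdict = "dropper-size"  # every string plus the exact 2,330-byte size
    elif all_hit:
        verdict = "strings"       # every string present, but a different size
    else:
        verdict = "clean"         # generic hits such as b".COM" alone are ignored
    return {"verdict": verdict, "hits": hits, "size": len(data)}


def scan_tree(root: str) -> dict:
    """Triage every file with a .COM extension under root."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.upper() == ".COM":
            results[str(p)] = triage(p.read_bytes())
    return results


def constructed_sample(size: int) -> bytes:
    """Constructed test buffer (not a real sample): strings plus padding."""
    body = b"\x00".join(PAGE_STRINGS)
    return body + b"\x90" * (size - len(body))


if __name__ == "__main__":
    print(triage(constructed_sample(DROPPED_SIZE)))  # constructed input
    print(triage(b"\xb4\x4c\xcd\x21 COMMAND.COM"))   # constructed benign stub
```

Because the page describes the virus as stealthy while resident, run `scan_tree` against files copied from a disk image or a system booted from clean media, not on the live infected machine.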
