When the virus is loaded into memory, it first infects COMMAND.COM file and creates a pseudo-COMMAND.COM containing the virus itself. After that pseudo-COMMAND.COM will be started and becomes memory resident, followed by the file is being removed from disk.
After the TSR procedure, it hooks INT 21h and infects DOS executable that is run.
The virus detects written protected disks by the read/write operation through INT 13h in the disk. The infection that removes the READ-ONLY attribute.
The virus behaves stealthy but the change of file size is still observable due to its variable infection size.
The TSR memory usage of the virus is 3,216 bytes.
The payload is similar to Excess. When an infected program is run on 15th of January, April, or August, the virus destroys the file allocation table but fails, putting the original FAT into memory, followed by a casino game to be displayed. If the player wins the FAT is restored, but if the player loses, either by using up all five chances or getting three "?", it will not be restored, thus the computer won't boot when rebooting. After that, it hangs the system.
If the user wins by drawing three "£" symbols (~17.2% overall chance), the virus displays the message:
B*****D ! You`re lucky this time - but for your own sake, now SWITCH OFF YOUR COMPUTER AND DON`T TURN IT ON TILL TOMORROW !!!
If the user draws three "?" symbols (~17.2% chance), the game terminates and display the message:
No F**kin` Chance; and I`m punishing you for trying to track me down !
If the user loses (by running out of credits, it displays the message:
HA HA !! You a*****e, you`ve lost: say Bye to your Balls ...
Foul words are not censored in the actual sample. Drawing three "¢" symbols does nothing.
The delected pseudo-COMMAND.COM can be found and restored by UNDELETE, having a size of 2,330 bytes, this is how the antiviruses detected the infection size of this virus. The filename of this file is:
There is a space in the filename, the user cannot access it under DOS, but possible if Windows has been installed.
The virus contains the internal text strings:
*.COM C:\COMMAND.COM COMMAND .COM ????????COM