Virus.DOS.Casino.2330 is a memory-resident parasitic virus on DOS.

Behavior

When the virus is loaded into memory, it first infects the COMMAND.COM file and creates a fake COMMAND.COM containing the virus itself. The fake COMMAND.COM is then started and becomes memory-resident, after which the file is removed from disk.

After the TSR procedure, it hooks INT 21h and infects any DOS executable that is run.

The virus detects write-protected disks through a read/write operation on the disk via INT 13h. The infection then removes the READ-ONLY attribute.

The virus behaves stealthily, but the change in file size is still observable because its infection size is variable.

Advanced details

The TSR memory usage of the virus is 3,216 bytes.

MD5 hash:

3468be4c2d90bd6f1c15314bc896f5e2

Payload

The payload is similar to Excess. When an infected program is run on the 15th of January, April, or August, the virus destroys the file allocation table (FAT) but places the original FAT into memory, then displays a casino game in which the user is told the rules: if the player wins, the FAT is restored; if the player loses, either by using up all five chances or by getting three "?", it is not restored, so the computer won't boot after a restart. After that, it hangs the system.

If the user wins by drawing three "£" symbols (~17.2% overall chance), the virus displays the message:

B*****D ! You`re lucky this time - but for your own sake, now
SWITCH OFF YOUR COMPUTER AND DON`T TURN IT ON TILL TOMORROW !!!

If the user draws three "?" symbols (~17.2% chance), the game terminates and displays the message:

No F**kin` Chance; and I`m punishing you for trying to track me down !

If the user loses by running out of credits, the virus displays the message:

HA HA !! You a*****e, you`ve lost: say Bye to your Balls ...

Foul words are not censored in the actual sample. Drawing three "¢" symbols does nothing.

Other details

The deleted fake COMMAND.COM can be found and restored by UNDELETE and has a size of 2,330 bytes. This is how antiviruses detected the infection size of this virus. The filename of this file is:

COMMAND .COM

Note the space in the filename. The user cannot access it through DOS, but access is possible if Windows has been installed.
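The UNDELETE check described above can be reproduced offline against a raw FAT directory. The following is an added example, not code from the virus or from any antivirus product: it walks 32-byte FAT directory entries and reports deleted `.COM` entries whose size is 2,330 bytes. The sample directory and the helper names are constructed for illustration, and because the page does not give the on-disk byte used for the space in the filename, the scan matches on extension and size and returns the raw name bytes for inspection.

```python
import struct

DELETED = 0xE5       # first name byte of a deleted FAT directory entry
ENTRY_SIZE = 32      # size of one FAT 8.3 directory entry
DROPPER_SIZE = 2330  # size of the deleted fake COMMAND.COM, per the page

def make_entry(name8, ext3, size, cluster=0, deleted=False):
    """Build one constructed directory entry (sample data only)."""
    raw = bytearray(name8.ljust(8) + ext3.ljust(3) + bytes(21))
    if deleted:
        raw[0] = DELETED
    struct.pack_into("<HI", raw, 26, cluster, size)  # first cluster, file size
    return bytes(raw)

def find_deleted_droppers(directory):
    """Return (raw_name, first_cluster, size) for deleted .COM entries of DROPPER_SIZE."""
    hits = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = directory[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:        # 0x00 marks the end of the directory
            break
        if entry[11] == 0x0F:       # long-name entry on later systems, skip
            continue
        if entry[11] & 0x18:        # volume label or subdirectory, skip
            continue
        cluster, size = struct.unpack_from("<HI", entry, 26)
        if entry[0] == DELETED and entry[8:11] == b"COM" and size == DROPPER_SIZE:
            hits.append((entry[:11], cluster, size))
    return hits

# Constructed root directory: a live COMMAND.COM, the deleted 2,330-byte
# dropper, and two deleted files that must not match.
SAMPLE_DIR = b"".join([
    make_entry(b"IO", b"SYS", 33430, cluster=2),
    make_entry(b"COMMAND", b"COM", 47845, cluster=20),
    make_entry(b"COMMAND", b"COM", 2330, cluster=37, deleted=True),
    make_entry(b"NOTES", b"TXT", 2330, cluster=40, deleted=True),
    make_entry(b"GAME", b"COM", 5000, cluster=42, deleted=True),
]) + bytes(ENTRY_SIZE)

if __name__ == "__main__":
    for raw_name, cluster, size in find_deleted_droppers(SAMPLE_DIR):
        print(f"deleted entry {raw_name!r} cluster={cluster} size={size}")
```

A hit is only a lead: size and extension alone can match an unrelated deleted file, so the recovered file should still be compared against a known sample hash.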

The virus contains the internal text strings:

*.COM
C:\COMMAND.COM
COMMAND
.COM
????????COM


Trivia

  • This virus is the subject of a template on this wiki, which is shown below.