Casino | |
---|---|
Type | File virus |
Creator | |
Date Discovered | April 1991 |
Place of Origin | Malta |
Source Language | |
Platform | DOS |
File Type(s) | .com |
Infection Length | 2,332 - 2,346 bytes |
Reported Costs |
Casino is a DOS virus notable for its slot machine game and potentially destructive behavior. It appeared in Malta in April of 1991 and likely originated there.
Behavior
When a file infected with Casino is executed on a previously clean system, it becomes memory resident. It takes 64 bytes at the top of system memory plus aother 3,152 in low system memory for 3,216 bytes in total. Interrupts 00, 23, and 30 will point to the virus in the lower system memory. After becoming resident, the virus infects COMMAND.COM in the C: drive root directory.
After Casino becomes memory resident, there are three events that can cause infection of other files. When a "dir" command is issued, a single .com file in the current working directory will be infected. If an infected file is executed, it will infect another file. It will also infect any .com programs that are opened for any reason. While the virus is in memory, increases to the file size, which are between 2,332 and 2,346 bytes will be mostly hidden and the time and date stamp on the files will not change. The virus however may cause the files to show an increase in anywhere from 1 to 48 bytes, though it is very rare that it is over 16.
If the user runs the CHKDSK program while Casino is resident, it reports file allocation errors for each infected program. If the user runs the /F option (for fixing errors in the DOS file system), the programs will be corrupted.
Payload
Casino has a payload that activates on the 15th of the months January, April, and August. It displays the following message:
The Casino virus in action |
---|
"DISK DESTROYER . A SOUVENIR OF MALTA
I have just DESTROYED the FAT on your Disk!!
However, I have a copy in RAM, and I`m giving you a last chance
to restore your precious data.
WARNING: IF YOU RESET NOW, ALL YOUR DATA WILL BE LOST - FOREVER!!
Your Data depends on a game of JACKPOT
CASINO DE MALTE JACKPOT"
It displays an ASCII slot machine with 5 credits. The user can press a key to run the slot machine 5 times for a chance to save your system from being damaged, however it never actually allows the user to "win".
If the user loses, it displays a message across the middle of the screen saying "HA HA !! You asshole, you've lost: say Bye to your Balls …".
In some tests, the virus corrupts the file allocation table regardless of whether the user wins or loses. In others, it does not corrupt the FAT even if the user loses on all 5 tries.
Variants
Casino.B corrupts the file allocation table before starting the slot game. It only hooks interrupt 21 in memory.
Casino.C appeared in May of 1992. This version actually allows the user to win the game and will not corrupt the file allocation table when the user wins. If the user wins, it displays the following message:
"BASTARD ! You're lucky this time - but for your own sake now
SWITCH OFF YOUR COMPUTER AND DON`TURN IT ON TILL TOMORROW!!!"
The system will hang after this message.
Effects
Casino is not believed to have been widespread. It is unlikely it caused major damage. It was later regarded with nostalgia for a time when viruses were funny and creative.
Sources
Patricia Hoffman, Online VSUM, Casino Virus.
Andrada Fiscutean. CSO Online, Hunting vintage MS-DOS viruses from Cuba to Pakistan. 24-JUL-2019