Casino.2330 is a stealth, memory resident, file infecting virus. It infects .COM files, including COMMAND.COM.
Upon infection, Casino.2330 becomes memory resident at the top of system memory.
Once Casino.2330 is memory resident, it immediately infects the copy of COMMAND.COM located in the C: drive root directory. It infects .COM files when any of three events occur. If the system user issues a DIR command, or a file does an internal DIR command, one .COM file in the current directory is infected. Additionally, if the system user executes an infected file, a .COM file becomes infected. Lastly, Casino infects .COM files that are opened by another file.
The Casino virus was submitted in April, 1991 by David Chess of IBM.
Casino was first isolated in Malta. This virus is a memory resident
infector of .COM files, including COMMAND.COM.
The first time a program infected with Casino is executed, Casino
will install itself memory resident at the top of system memory.
Total system and available free memory, as indicated by the DOS
CHKDSK program will decrease by 37,568 to 37,632 bytes. 3,152 bytes
in low system memory will also be used by the virus, and interrupts
00, 23, and 30 will point to this area. After Casino is resident,
it will then immediately infect COMMAND.COM located in the C: drive
After Casino is memory resident, it will infect .COM programs when
any of three events occur. If the system user issues a DIR command,
or a program does an internal DIR command, one .COM file in the
current directory will be infected. Additionally, if the system
user executes an infected program, a .COM program will become
infected. Lastly, Casino will infect .COM programs that are opened
by another program for any reason.
Programs infected with Casino will have a file length increase of
2,332 to 2,346 bytes. The file length increase, however, is mostly
hidden if the virus is memory resident. With the virus memory
resident, infected files will have a file length increase of 1 to 16
bytes, but occasionally one may show a file length increase of up to
48 bytes. The virus does not alter the file date and time in the
If Casino is memory resident and the DOS CHKDSK program is executed,
file allocation errors will be returned for each infected program.
If the CHKDSK/F option is used, program corruption will occur.
Casino activates on January 15, April 15, and August 15, when it
will play a slot machine game with the system user, with the
following message being displayed:
"DISK DESTROYER . A SOUVENIR OF MALTA
I have just DESTROYED the FAT on your Disk!!
However, I have a copy in RAM, and I``m giving you a last chance
to restore your precious data.
WARNING: IF YOU RESET NOW, ALL YOUR DATA WILL BE LOST - FOREVER!!
Your Data depends on a game of JACKPOT
CASINO DE MALTE JACKPOT"
If the system user looses the game, Casino will trash the
file allocation table.
Known variant(s) of Casino are: