Virus.DOS.Beast

This is a dangerous stealth virus that affects COM files, writing itself at the

file beginning. A file is infected as it is executed or closed. The beginning of the file is saved at the first unused sector of the last cluster of the file.

? <----------- File --------------------------> ?
+————————-  ————————–+
? cluster   ? cluster   ? … ? cluster   ? cluster   ?
+————————-  ————————–+
^                                               ^  ^
+- Virus beginning  Saved beginning of file  —+  ?
Unused sector            ——+

The length of an infected file does not change. The time of the file last modification is set to 62 sec. On infecting, the interrupt vectors table (0000:0200 – 0000:03FF) is used by infector as a work area.

On its activation the virus enters one of the system buffers. Upon infecting files the virus actively uses non documented DOS area – System File Table. During a read of the infected file beginning it substitutes the true beginning. By these actions the “Beast” virus successfully masks its presence in the system.

The virus is very dangerous. This virus affects files with a .CO? extension. As an infected file is copied it may be lost (the last file cluster is not copied in full). The file will be lost if the disk has one sector on a cluster. The virus alters INT 21h, some of them contain the string “666”.