Virus.Win9x.Begemot

Technical Details

This is a dangerous memory resident parasitic polymorphic Windows virus
about 8Kb in length. The virus installs itself into the Windows memory and
infects PE EXE files that are accessed.

The virus uses system calls that are valid under Win95/98 only, and can’t
spread under NT. The virus also has bugs, and often halts the system when
run. The virus uses several unusual routines in its code: it keeps its code
encrypted and compressed in infected files (while installing, it
decompresses it); infects RAR archives (adds infected BEER.EXE file to
archives); runs a thread that can communicate with an external module, which
controls the virus (for example, enables/disables infection routine).

The virus also looks for “AVP Monitor” and “Amon Antivirus Monitor” windows,
and closes them; deletes several anti-virus data files; and depending on the
system timer, displays a message.

The virus also contains the “copyright” text:

 Virus Win98.BeGemot by Benny/29A