Beast
Type: File virus
Creator: Dark Avenger
Date Discovered: NOV-1989
Place of Origin: Sofia, Bulgaria
Source Language: Assembly
Platform: DOS
File Type(s): .com
Infection Length: 512 bytes
Reported Costs:

Beast, also known as 666, Number of the Beast, 512, and Stealth, is a memory-resident parasitic DOS .com virus by Dark Avenger. It had a number of innovative features and could potentially hitch a ride on antivirus software. It relies on the fact that most DOS disks are formatted with 2,048-byte clusters, so that most files leave unused space in their final cluster.

Behavior

Execution

Beast checks the DOS version to see whether the minor version is .30 and, if so, calls a little-known, undocumented DOS function that swaps out the original INT 13H entry point (usually the ROM INT 13H routine). It pushes the swapped-out address onto the stack and calls the function again to swap the vectors back. This restores normal operation but leaves the required address on the stack. This address is popped from the stack to take the place of the INT 13H vector collected from page zero.

If the minor DOS version is not .30, it does not use the swapping function and processing continues with the INT 13H vector read from page zero. The swapping process recovers an entry point into the disk I/O services which is not usually monitored by antivirus software. However, it is possible to hook monitoring software into this function, and also to monitor the swap function itself, in order to intercept the virus's installation routine.

Beast continues installation by storing the relevant INT 13H vector within its code segment and then collecting the INT 21H vector by direct access to page zero of RAM. The virus checks the offset portion of the INT 21H vector for a value of 121H and, if found, checks the indicated segment for its own presence. If Beast is already resident, processing branches to the portion of the code which runs after the virus has been made resident. If it is not resident, the code locates the address of the first disk I/O buffer that DOS uses. These buffers are exactly 512 bytes long and usually have a 16-byte header, so there is enough space for Beast's code to be installed.

Once the virus has been moved into the buffer, the buffer's address is removed from the disk I/O chain and the INT 21H vector is modified to point to the interception routine within the newly relocated virus code. The code then overwrites a small section of the transient portion of the command interpreter. This ensures that when the program terminates, COMMAND.COM will be reloaded and infected. Beast thus attempts to infect COMMAND.COM the very first time it is executed.

Beast then checks whether the current program is a command process (such as COMMAND.COM) or is running as a child of DOS. If it is a command process, processing returns to DOS and, since the virus code is now resident, the reloading of COMMAND.COM ensures that it is infected. When an infected program is run for the first time on a clean system, the host program itself is not executed; it runs on the second execution. All program executions after the parent/child check cause the data from the original first sector to be loaded into the appropriate area, overwriting the recently loaded copy of the virus.

The method of accessing data beyond the end of the file involves direct manipulation of the DOS System File Table (SFT). This technique, used in several places throughout the code, allows a file to be opened for READ access and its SFT entry then changed to allow WRITE access, which prevents it from triggering antivirus software. The file length and date/time fields can also be modified this way. During program execution, however, only the file length field is adjusted, by adding 512, so that the original data can be read from the disk.

Read Function

Beast's READ intercept uses a method similar to the Brain virus to hide itself. When it receives a READ request, the current position of the file access pointer is noted and the READ is then performed normally. It then checks the file access pointer to see whether the read request was for a portion of the file within the first sector. If it was not, processing returns to the caller. If it was, it checks the file time stamp field for the value 1FH (31 decimal) in the seconds bits. Since that field counts in two-second units, this is equivalent to a setting of 62 seconds; it is one of the markers used by Beast to indicate an infected file, quite similar to Vienna.

If the file is marked as infected, the SFT is accessed again to modify the file size field and the original first sector is read from the last cluster. The file size field is then restored to its former value before processing returns to the caller. In this way Beast conceals itself by supplying the caller with the correct data rather than the virus code. This means that simple scanning programs will not detect the virus code on an infected system, which emphasises the absolute necessity of ensuring that the system is 'clean' before searching for virus code on disk.

LOAD & EXECUTE and CLOSE Functions

The intercept routines for these functions are substantially the same, except that when closing a file, the file handle is first duplicated and subsequent operations are carried out on the duplicate handle. Loading a file for execution results in the file being opened for the virus's operations. In both cases the handle the virus used is closed before the original request is allowed to continue normally with the original file handle. The interception checks the file for an existing infection and, if it is not infected, checks its suitability for infection by determining the unused file space in the final cluster.

File Infection

After the routine opens a file handle for the target, the file position pointer is set to zero and the SFT access privilege field is changed to allow write access. Then the INT 13H vector is changed to the one found during the installation phase. It is unlikely that this vector will be monitored by antivirus software. Beast does not call INT 13H directly, but the INT 21H file I/O functions it uses do, and those calls could alert monitoring software.

The infection check routine also re-vectors INT 24H (Fatal Error Handler) to point to an IRET instruction within the code, which disables error reporting. Once these two interrupt vectors are modified, the code checks the time stamp field for the 62-second marker. If the marker is not found, the file's extension is tested for 'CO'; otherwise the extension check is bypassed. From this point on, if any check fails, the handle is closed and processing returns to continue the original INT 21H function call.

The next check ensures that the target file is between 512 and 65,023 bytes long. A further test looks at the SYSTEM attribute setting of the target file and, if set, rejects it. The final check before examining the file for existing infection involves testing the file length against the number of sectors per cluster and calculating unused space available in the final cluster.
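The 62-second marker from the Read Function section and the target checks above (extension, SYSTEM attribute, size range, slack in the final cluster) can be combined into a clean-boot triage pass over raw FAT directory entries. The following Python is an added example, not code from this page or from the Bates analysis; the directory entries are constructed sample data, and a 2,048-byte cluster size is assumed.

```python
"""Triage FAT directory entries for Beast's 62-second marker and target criteria.
FAT time word: hours (5 bits) | minutes (6) | seconds/2 (5); legitimate seconds
fields are 0..29, Beast (like Vienna) writes 31, i.e. "62 seconds"."""
import struct
DIR_ENTRY = "<8s3sB10sHHHI"   # name, ext, attr, reserved, time, date, cluster, size
ATTR_SYSTEM = 0x04

def pack_dos_time(hour, minute, seconds_field):
    """Build a FAT time word; seconds_field is the raw 5-bit value, not seconds."""
    return (hour << 11) | (minute << 5) | (seconds_field & 0x1F)

def unpack_dos_time(word):
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2

def has_62_second_marker(word):
    return (word & 0x1F) == 31

def final_cluster_slack(size, cluster_size=2048):
    """Unused bytes in the file's last cluster; Beast needs 512 to hide the sector."""
    return (-size) % cluster_size

def make_entry(name, ext, attr, time_word, size):
    """Assemble a 32-byte directory entry from constructed sample values."""
    return struct.pack(DIR_ENTRY, name.ljust(8).encode(), ext.ljust(3).encode(),
                       attr, b"\0" * 10, time_word, 0x1234, 2, size)

def scan_directory(blob, cluster_size=2048):
    """Return (filename, reason) pairs worth verifying from a known-clean boot."""
    hits = []
    for off in range(0, len(blob) - 31, 32):
        name, ext, attr, _, t, _, _, size = struct.unpack_from(DIR_ENTRY, blob, off)
        fname = name.decode().rstrip() + "." + ext.decode().rstrip()
        if has_62_second_marker(t):
            hits.append((fname, "62-second time stamp marker"))
        elif (ext.startswith(b"CO") and not attr & ATTR_SYSTEM
              and 512 <= size <= 65023
              and final_cluster_slack(size, cluster_size) >= 512):
            hits.append((fname, "meets Beast's target criteria"))
    return hits

# Constructed sample directory: one clean file, one marked, one candidate, two skipped.
SAMPLE_DIR = (
    make_entry("CHKDSK", "COM", 0x20, pack_dos_time(12, 34, 5), 9850)   # slack 390, ignored
    + make_entry("EDIT", "COM", 0x20, pack_dos_time(9, 0, 31), 5000)    # "62 s" marker
    + make_entry("SORT", "COM", 0x20, pack_dos_time(9, 0, 0), 5000)     # slack 1144, candidate
    + make_entry("IBMBIO", "COM", 0x27, pack_dos_time(9, 0, 0), 3000)   # SYSTEM attribute
    + make_entry("README", "TXT", 0x20, pack_dos_time(9, 0, 0), 700)    # wrong extension
)
```

A marker hit is only meaningful when the directory is read from a system booted from clean, write-protected media, since a resident copy of Beast hides the first sector from any DOS-level read.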

Once the target file has passed all these checks, the first 512 bytes of the file are read into a buffer. The virus uses the high part of the Interrupt Vector Table as this buffer, overwriting all interrupt vectors above 7FH. This is a flaw in the virus, since an increasing number of machines, most network software and several high-level languages use these interrupts, and the destruction of the vectors will cause system failure and immediate alarm.

Once the start of the file has been read, Beast checks it for a previous infection. If it is already infected, it sets the time stamp field with the 62-second marker and closes the file. If it is not infected, it appends the contents of the buffer to the end of the file and writes the virus to the first sector. The file size field is modified during this process but restored afterwards, leaving the appended code outside the recorded size. The date/time field is unchanged, save for the 62 seconds, as a result of direct access to the flags field of the SFT. This ensures that the visible directory entry for the file remains unchanged.

Systems infected by Beast often experience hangs and crashes, both of individual programs and of the whole system. Running "chkdsk /f" damages infected files further: when it adjusts the file allocation table, the directory entries report the now-incorrect size.

Spreading Through the Antivirus Program

Programs that rely on DOS file I/O have problems while scanning for this virus. Once scanning of a file is complete, the file is closed and, if a virus of this type is resident in memory, the file becomes infected. In this way the antivirus program can end up spreading the virus to the entire system in one scan. This can be averted by running the antivirus program from write-protected media, such as optical media or (more likely in 1989) a floppy disk with the write-protect tab set.

Variants

There are several variants of Beast, mostly similar to the original. Beast.B closely resembles the original, but the DOS version check and the "666" signature are absent. Beast.D does not check whether a file has the SYSTEM attribute set before infecting it.

Beast.E uses memory above 640K, such as video card memory. It causes the chkdsk program to report a 55,104-byte decrease in total system memory. It also omits the "666" signature.

Beast.F does not show any decrease in system memory while the virus is resident. This version does contain the "666" signature at offset 1FD.

Origin

Beast was coded in assembly by Dark Avenger in the fall of 1989. It was isolated by Vesselin Bontchev in November of that year. The virus gets its name from the "666" found at the end of the virus body, which it uses to check for a previous infection. It was counted among the "Bulgarian 50" viruses, as that many had come out of Bulgaria by May 1990.

When Beast appeared, researchers noted several new and rare features. Its stealth capabilities and its use of free cluster space had never been seen in previous viruses. While use of the LOAD & EXECUTE function for file infection was common among virus writers, subversion of the CLOSE function was much rarer.

Other Facts

Because it searches for *.CO* files, it was noted that it could also infect COBOL source code files, which have the extension .COB.

There are several other viruses with the name Beast.
