Begemot
Begemot
Type File virus
Creator Benny
Date Discovered 1999
Place of Origin Brno, Czech Republic
Source Language Assembly
Platform MS Windows
File Type(s) .exe
Infection Length 8,192 bytes

Begemot is a Windows 9x virus coded by 29A member Benny. It was the first virus with a communication interface.

Behavior

When executed, Begemot uses its polymorphic decryptor to decrypt the virus body. It then decompresses the virus body. It checks if there is already another copy of Begemot running. It tries to find the VxDCall0 API. The virus then installs itself to memory. It kills some antivirus processes such as AVP Monitor and Amon Antivirus Monitor and deletes files associated with antivirus programs including:

  • ANTI-VIR.DAT
  • AVG.AVI
  • AVP.CRC
  • DRWEBASE.VDB
  • Nod32.000

It infects every portable executable file accessed. When a RAR archive is accessed, it adds the file BEER.EXE, which contains the virus. The list of file types it is able to infect include .exe, .scr, .sfx, .cpl, .dat, .bak and .rar.

On 2 January, it displays a message saying:

Wait a minute,
Micro$h!t is everywhere u want to be...
Please call Micro$h!t on-line help, if u have any problems.
Don't u have a telephone? So call your system supervisor.
R u supervisor? So call Micro$h!t on-line help...
Ehrm, well... where do u want to go y3st3rday?
PS: Your problem ain't virus. Micro$h!t didn't certified
this hardware, buy a new one...
Press OK button to solve this problem by Micro$h!t...

The virus only runs on Windows 9x systems and certain functions can only run on Windows 98.

The Virus Communication Console

One of the most interesting features of the virus is that it was the first to come with a communication console. When executed, this console looks for the address of the Begemot Control Block. If the control block is not found, it quits and displays an error. It has 11 commands that are executed by pressing keys including:

  • 'Esc' - quits the communication console
  • '0' - shows if the control block is present
  • '1' - shows what Begemot actually does
  • '2' - disables all virus activity in memory
  • '3' - enable all virus activity in memory if they have previously been disabled by '2'
  • '4' - shows the sleep time value
  • '5' - increases sleep time
  • '6' - decreases sleep time
  • '7' - switches amount of sleep time increments or decrements by 100 or 1000 miliseconds
  • '8' - completely halt system
  • '9' - erases control block from memory, suspends thread. BGVCC will be unable to connect to the control block until the virus is restarted.

If the control console freezes, the user can press Ctrl+C or Ctrl+Break to quit.

Sources

Benny. 29A, Issue 4, Win98.BeGemot.8192

-. -, -, BeGemot Virus Communication Console.

VSAntivirus, PE.Begemot.A.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License