|Place of Origin||Brno, Czech Republic|
|Infection Length||8,192 bytes|
When executed, Begemot uses its polymorphic decryptor to decrypt the virus body. It then decompresses the virus body. It checks if there is already another copy of Begemot running. It tries to find the VxDCall0 API. The virus then installs itself to memory. It kills some antivirus processes such as AVP Monitor and Amon Antivirus Monitor and deletes files associated with antivirus programs including:
It infects every portable executable file accessed. When a RAR archive is accessed, it adds the file BEER.EXE, which contains the virus. The list of file types it is able to infect include .exe, .scr, .sfx, .cpl, .dat, .bak and .rar.
On 2 January, it displays a message saying:
Wait a minute, Micro$h!t is everywhere u want to be... Please call Micro$h!t on-line help, if u have any problems. Don't u have a telephone? So call your system supervisor. R u supervisor? So call Micro$h!t on-line help... Ehrm, well... where do u want to go y3st3rday? PS: Your problem ain't virus. Micro$h!t didn't certified this hardware, buy a new one... Press OK button to solve this problem by Micro$h!t...
The virus only runs on Windows 9x systems and certain functions can only run on Windows 98.
The Virus Communication Console
One of the most interesting features of the virus is that it was the first to come with a communication console. When executed, this console looks for the address of the Begemot Control Block. If the control block is not found, it quits and displays an error. It has 11 commands that are executed by pressing keys including:
- 'Esc' - quits the communication console
- '0' - shows if the control block is present
- '1' - shows what Begemot actually does
- '2' - disables all virus activity in memory
- '3' - enable all virus activity in memory if they have previously been disabled by '2'
- '4' - shows the sleep time value
- '5' - increases sleep time
- '6' - decreases sleep time
- '7' - switches amount of sleep time increments or decrements by 100 or 1000 miliseconds
- '8' - completely halt system
- '9' - erases control block from memory, suspends thread. BGVCC will be unable to connect to the control block until the virus is restarted.
If the control console freezes, the user can press Ctrl+C or Ctrl+Break to quit.
Benny. 29A, Issue 4, Win98.BeGemot.8192
-. -, -, BeGemot Virus Communication Console.