Virus Database

Scorpion.2278

Description Scorpion.2278

It is a very dangerous nonmemory resident encrypted parasitic virus. When an infected file takes control, the virus infects the C:COMMAND.COM file. The virus then searches for COM and EXE files, then writes itself to the end of the file. While infecting the C:COMMAND.COM the virus writes itself into the "hole" at the end of the COMMAND.COM. As a result, the length of the C:COMMAND.COM file stays the same.
The virus deletes the CHKLIST.MS file, if it exists. In some cases the virus searches for other files and deletes them. Depending on the system data and installed hardware the virus formats the hard drive sectors, displays the message, hooks INT 1Ch and plays a tune. The message looks as follows:
+---------------------------+
¦ DEATH ON TWO LEGS V2.8 ¦
¦ (c) BLACK SCORPiON, 1996 ¦
¦ Written in Moscow ¦
+---------------------------+

The virus also contains the text strings:
*.* *.EXE *.COM
C:COMMAND.COM
DEATH ON TWO LEGS WAS HERE

Check other viruses! Be aware! Use Antiviral Software

Beaches.1091

Description Beaches.1091

Beaches.1091 is a dangerous not memory resident parasitic polymorphic virus. It searches for .EXE-files and writes itself at their ends. After infection it disinfects host file. Depending on its generation it overwrites the files with the program which displays while execution:
sandy beaches
bridges sinking into the sea
beautiful confusion
you're a fading memory

Beast.a

Description Beast.a

This is a dangerous stealth virus that affects COM files, writing itself at the file beginning. A file is infected as it is executed or closed. The beginning of the file is saved at the first unused sector of the last cluster of the file.
ƒ <----------- File --------------------------> ƒ
+------------------------- --------------------------+
ƒ cluster ƒ cluster ƒ all ƒ cluster ƒ cluster ƒ
+------------------------- --------------------------+
^ ^ ^
+- Virus beginning Saved beginning of file ---+ ƒ
Unused sector ------+

The length of an infected file does not change. The time of the file last modification is set to 62 sec. On infecting, the interrupt vectors table (0000:0200 - 0000:03FF) is used by infector as a work area.
On its activation the virus enters one of the system buffers. Upon infecting files the virus actively uses non documented DOS area - System File Table. During a read of the infected file beginning it substitutes the true beginning. By these actions the "Beast" virus successfully masks its presence in the system.
The virus is very dangerous. This virus affects files with a .CO? extension. As an infected file is copied it may be lost (the last file cluster is not copied in full). The file will be lost if the disk has one sector on a cluster. The virus alters INT 21h, some of them contain the string "666".

Home