Beer Virus


 Virus Name:  Beer 
 Aliases:     Beer-2794 
 V Status:    Rare 
 Discovery:   February, 1993 
 Symptoms:    .COM & .EXE growth; decrease in total system & available free 
              memory 
 Origin:      USSR 
 Eff Length:  2,794 - 3,069 Bytes 
 Type Code:   PRtA - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  Sweep, AVTK, F-Prot, VAlert, ViruScan, NAV, NAVDX, 
                    IBMAV, PCScan, ChAV, 
                    Sweep/N, AVTK/N, Innoc, NShld, NAV/N, IBMAV/N, 
                    LProt, NProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Beer, or Beer-2794, virus was submitted in February, 1993, and 
       is originally from the USSR.  Beer is a memory resident infector of 
       .COM and .EXE programs, but not COMMAND.COM. 
 
       When the first Beer infected program is executed, the Beer virus 
       will install itself memory resident at the top of system memory 
       but below the 640K DOS boundary, moving interrupt 12's return. 
       Total system and available free memory, as indicated by the DOS 
       CHKDSK program, will have decreased by 4,096 bytes.  Interrupt 21 
       will be hooked by Beer in memory. 
 
       Once memory resident, the Beer virus will infect .COM and .EXE 
       programs when they are executed.  Infected .COM programs will have 
       a file length increase of 2,794 bytes.  Infected .EXE programs will 
       have a file length increase of up to 3,069 bytes.  In both cases 
       the virus will be located at the end of the file.  The program's 
       date and time in the DOS disk directory listing will not be altered. 
 
       It is unknown what the Beer virus does besides replicate. 
 
       Known variant(s) of Beer are: 
       Beer.645: A 645 byte variant of the Beer virus described above, 
                  this variant's size in memory is 3,096 bytes, hooking 
                  interrupt 21.  It infects .COM programs, but not 
                  COMMAND.COM, when they are executed.  Infected .COM 
                  programs will have a file length increase of 645 bytes 
                  with the virus being located at the end of the file. 
                  The file's date and time in the DOS disk directory listing 
                  will have been updated to the current system date and time 
                  when infection occurred.  No text strings are visible 
                  within the viral code. 
                  Origin:  Unknown  January, 1995. 
       Beer.2473: A 2,473 byte variant of the Beer virus described 
                  above, this variant's size in memory is also 4,096 
                  bytes, hooking interrupt 21.  It infects .COM and .EXE 
                  programs when they are executed or opened.  Infected .COM 
                  programs will have a file length increase of 2,473 bytes 
                  while .EXE programs will increase in size by up to 2,748 
                  bytes.  The virus will be located at the end of the 
                  infected file, and the file's date and time in the DOS 
                  disk directory listing will not be altered. 
                  Origin:  Unknown  July, 1995. 
       Beer.2620: A 2,620 byte variant of the Beer virus described 
                  above, this variant's size in memory is also 4,096 
                  bytes, hooking interrupt 21.  It infects .COM and .EXE 
                  programs, but not COMMAND.COM, when they are executed. 
                  Infected .COM programs will have a file length increase 
                  of 2,620 bytes while .EXE programs will increase in size 
                  by up to 2,895 bytes.  The virus will be located at the 
                  end of the infected file, and the file's date and time 
                  in the DOS disk directory listing will not be altered. 
                  Origin:  Unknown  July, 1995. 
       Beer-2850: A 2,850 byte variant of the Beer virus described 
                  above, this variant's size in memory is also 4,096 
                  bytes, hooking interrupt 21.  It infects .COM and .EXE 
                  programs, but not COMMAND.COM, when they are executed. 
                  Infected .COM programs will have a file length increase 
                  of 2,850 bytes while .EXE programs will increase in size 
                  by up to 3,125 bytes.  The virus will be located at the 
                  end of the infected file, and the file's date and time 
                  in the DOS disk directory listing will not be altered. 
                  Origin:  USSR  February, 1993. 
       Beer-3164: A 3,164 byte variant of the Beer virus described 
                  above, this variant's size in memory is also 4,096 
                  bytes, hooking interrupt 21.  It infects .COM and .EXE 
                  programs, but not COMMAND.COM, when they are executed. 
                  Infected .COM programs will have a file length increase 
                  of 3,164 bytes while .EXE programs will increase in size 
                  by up to 3,437 bytes.  The virus will be located at the 
                  end of the infected file, and the file's date and time 
                  in the DOS disk directory listing will not be altered. 
                  The following text strings are encrypted within the 
                  Beer-3164 viral code: 
                  "COMMAND.COM AIDSTEST.EXE" 
                  "*.EXE DISKDATA.DTL" 
                  Origin:  USSR  March, 1993. 
       Beer.3164.B: Functionally similar to Beer-3194, this is a minor 
                  variant which will occassionally play a tune on the 
                  system speaker. 
                  Origin:  Unknown  July, 1995. 
       Beer.3192.B: A 3,192 byte variant of the Beer virus described 
                  above, this variant's size in memory is also 4,096 
                  bytes, hooking interrupt 21.  It infects .COM and .EXE 
                  programs when they are executed or opened.  Infected .COM 
                  programs will have a file length increase of 3,192 bytes 
                  while .EXE programs will increase in size by up to 3,465 
                  bytes.  The virus will be located at the end of the 
                  infected file, and the file's date and time in the DOS 
                  disk directory listing will not be altered. 
                  Origin:  Unknown  July, 1995. 
       Beer.3307: A 3,307 byte variant of the Beer virus described 
                  above, this variant's size in memory is also 4,096 
                  bytes, hooking interrupt 21.  It infects .COM and .EXE 
                  programs when they are executed or opened.  Infected .COM 
                  programs will have a file length increase of 3,307 bytes 
                  while .EXE programs will increase in size by up to 3,580 
                  bytes.  The virus will be located at the end of the 
                  infected file, and the file's date and time in the DOS 
                  disk directory listing will not be altered. 
                  Origin:  Unknown  July, 1995. 
       Beer.3399: A 3,399 byte variant of the Beer virus described 
                  above, this variant's size in memory is 4,080 bytes, 
                  hooking interrupt 21.  It infects .COM and .EXE programs, 
                  but not COMMAND.COM, when they are executed, opened, or 
                  copied.  Infected .COM programs will have a file length 
                  increase of 3,399 bytes while .EXE programs will increase 
                  in size by up to approximately 3,672 bytes.  The virus will 
                  be located at the end of the file.  The file's date and 
                  time in the DOS disk directory listing will not be altered. 
                  The following text strings are encrypted within the 
                  Beer.3399 viral code: 
                  "COM" 
                  Origin:  Unknown  August, 1994.

Show viruses from discovered during that infect .

Main Page