Vriest DOS Virus

Vriest is a memory resident virus. It hooks INT 21h, intercepts the CreateFile DOS function (AH=3Ch) and while creating a .COM file the virus writes itself to the file and then returns the control to the caller’s code (DOS, some Shell, FileManager, etc.). As a result, the virus writes its code just before actual writing, and the caller append to the virus code the actual code of the .COM file that is copied. As a result the virus infects to the beginning of the file.

By using that way of infection, the virus bypasses majority of antiviral monitors and CRC checkers, and does not need to hook INT 24h.

The infector also hides itself in the system memory. If the host program stays memory resident, the virus stays in memory within the memory block of that program, and is not visible by memory browsing utilities.

From May 3rd, this infector displays :

Something's coming up ...

and whistles by the system speaker and displays :

Vriest of g greets Vic ear Moeli~

This is a video about Vriest DOS Virus :