Barrotes Virus
Virus Name: Barrotes
Aliases: Barrotes.1310
V Status: Rare
Discovery: December, 1992
Symptoms: .COM & .EXE growth; decrease in total system & available free
memory; vertical bars & message on system display;
boot failure; Master boot sector corrupted
Origin: Spain
Isolated: The Netherlands
Eff Length: 1,310 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, AVTK, ViruScan, Sweep, IBMAV,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, Innoc, AVTK/N, IBMAV/N, NAV/N
Removal Instructions: Delete infected files
General Comments:
The Barrotes virus was isolated in The Netherlands in December, 1992.
It appears to have originated in Spain. Barrotes is a memory
resident infector of .COM, .EXE, and overlay programs, including
COMMAND.COM.
When the first Barrotes infected program is executed, the Barrotes
virus will become memory resident at the top of system memory but
below the 640K DOS boundary, hooking interrupt 21. Total system
and available free memory, as indicated by the DOS CHKDSK program,
will have decreased by 1,600 bytes. Interrupt 12's return will not
be moved. Also at this time, the Barrotes virus will infect the
copy of COMMAND.COM located in the C: drive root directory if it
was not previously infected.
Once the Barrotes virus is memory resident, it will infect .COM,
.EXE, and overlay programs when they are executed. Infected
programs will have a file length increase of 1,310 bytes with the
virus being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be altered.
The following text strings are visible within the Barrotes viral
code in all infected programs:
"c:\command.com"
"l7SO"
The Barrotes virus activates when it becomes memory resident on
January 5th of any year. At that time, the virus will draw
vertical bars across the system display, and the following message
will appear at the DOS prompt:
"Virus BARROTES por OSoft"
After the message appears, the virus will write a portion of its
code to the system hard disk's master boot sector. The next time
the user attempts to boot from the system hard disk, the boot will
fail.
Known variant(s) of Barrotes are:
Barrotes.840: Received in March, 1994 from Spain, Barrotes.840
is an 840 byte variant of the Barrotes virus described above.
Its size in memory is 1,600 bytes, hooking interrupt 21.
Like the original virus, it will infect the copy of
COMMAND.COM located in the C: drive root directory when the
first infected program is executed. Once memory resident, it
infects .COM programs when they are executed. Infected files
will have a file length increase of 840 bytes with the virus
being located at the end of the file. The following text
strings are visible within the viral code, with the last
text string occurring at the very end of all infected files:
"c:\command.com"
"OS"
On January 5th of any year, the Barrotes.840 virus will
overwrite the system hard disk master boot sector (partition
table sector) when the first infected program is executed.
Origin: Spain March, 1994.
Barrotes.849: Received in July, 1994 from Spain, Barrotes.849
is an 849 byte variant of the Barrotes virus described above.
Its size in memory is 1,600 bytes, hooking interrupt 21.
Like the original virus, it will infect the copy of
COMMAND.COM located in the C: drive root directory when the
first infected program is executed. Once memory resident, it
infects .COM programs when they are executed. Infected files
will have a file length increase of 849 bytes with the virus
being located at the end of the file. The following text
strings are visible within the viral code, with the last
text string occurring at the very end of all infected files:
"c:\command.com"
"SO"
Origin: Spain July, 1994.
Barrotes.1176: Received in January, 1996, Barrotes.1176 is a
1,176 byte variant of the Barrotes virus. Its size in
memory is 1,680 bytes, hooking interrupt 21. Once resident,
it infects programs when they are executed. Infected programs
will have a file length increase of 1,176 bytes with the virus
being located at the end of the file. The following text
string is contained within the viral code in all infected
files:
"FGGI"
It is unknown what Barrotes.1176 does besides replicate.
Origin: Unknown January, 1996.
Barrotes.1194: Received in July, 1995, Barrotes.1194 is a 1,194
byte variant of the Barrotes virus described above. Its size
in memory is 1,600 bytes, hooking interrupt 21. Like the
original virus, it will infect the copy of COMMAND.COM
located in the C: drive root directory when the first
infected program is executed. Once memory resident, it
infects programs when they are executed. Infected programs
will have a file length increase of 1,194 bytes with the virus
being located at the end of the file. The following text
strings are contained within the viral code in all infected
files:
"c:\command.com"
"I7XS"
It is unknown what Barrotes.1194 does besides replicate.
Origin: Unknown July, 1995.
Barrotes.1303: Received from Spain in February 1994, Barrotes.1303
is a 1,303 byte variant of the Barrotes virus described above.
Its size in memory is 1,632 bytes, hooking interrupt 21.
Like the original virus, it will infect the copy of
COMMAND.COM located in the C: drive root directory when the
first infected program is executed. Once memory resident, it
infects programs when they are executed. Infected programs
will have a file length increase of 1,303 bytes with the virus
being located at the end of the file. The following text
strings are contained within the viral code, the first two
being encrypted while the last text string is unencrypted and
can be found at the very end of all infected files:
"C:\COMMAND.COM"
"Sta Tecla (MAD1)"
"ST"
It is unknown what Barrotes.1303 does besides replicate.
Origin: Spain February, 1994.
Barrotes.1447: Received from Spain in July, 1996, Barrotes.1447
is a 1,447 byte variant of the Barrotes virus described above.
Its size in memory is 1,712 bytes, hooking interrupt 21.
Like the original virus, it will infect the copy of
COMMAND.COM located in the C: drive root directory when the
first infected program is executed. Once memory resident, it
infects programs when they are executed. Infected programs
will have a file length increase of 1,447 bytes with the virus
being located at the end of the file. The following text
strings are visible within the viral code, with the last
string being located at the end of all infected files:
"C:\COMMAND.COM"
"loXX"
Origin: Spain July, 1996.
Barrotes.1463: Received in January, 1996, Barrotes.1463 is a
1,463 byte variant of the Barrotes virus. Its size
in memory is 1,728 bytes, hooking interrupt 21. Like the
original virus, it will infect the copy of COMMAND.COM
located in the C: drive root directory when the first
infected program is executed. Once memory resident, it
infects programs when they are executed. Infected programs
will have a file length increase of 1,463 bytes with the virus
being located at the end of the file. The following text
strings are contained within the viral code in all infected
files:
"c:\command.com"
"RRR"
"vsvRqqRRRm_[RRR"
"loXX"
The last text string above can be found at the very end of
all infected files.
Origin: Unknown January, 1996.