Beda Virus


 Virus Name:  Beda 
 Aliases:     Beda.883 
 V Status:    New 
 Discovery:   July, 1995 
 Symptoms:    .COM file growth; file date/time time changes, 
              time = 11:54:52pm; decrease in available free memory; 
              graphic display 
 Origin:      Unknown 
 Eff Length:  883 - 894 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method: AVTK, VAlert, NAV, NAVDX, IBMAV, ViruScan, F-Prot, 
                   NAV/N, AVTK/N, IBMAV/N, NShld 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Beda virus was received in July, 1995, along with two variants. 
       Its origin or point of isolation is unknown.  Beda is a memory 
       resident infector of .COM files, including COMMAND.COM.  One of the 
       variants of this virus will also infect .EXE files. 
 
       When the first Beda infected program is executed, this virus will 
       install itself memory resident at the top of system memory but below 
       the 640K DOS boundary, hooking interrupts 21 and 24.  Available free 
       memory, as indicated by the DOS CHKDSK program from DOS 5.0, will 
       have decreased by 2,048 bytes.  Interrupt 12's return will not be 
       moved. 
 
       Once the Beda virus is memory resident, it will infect .COM programs 
       when they are executed.  Infected programs will have a file length 
       increase of 883 to 894 bytes with the virus being located at the end 
       of the file.  The program's date and time in the DOS disk directory 
       listing will be altered, and the time will have been set to a value 
       of "11:54:52pm".  No text strings are visible within the viral code 
       in infected programs. 
 
       After the virus has been memory resident for awhile, it will activate 
       when a program is executed, producing a display of three beams of 
       shifting multi-colored patterns which will move up and down the 
       screen. 
 
       Known variant(s) of Beda are: 
       Beda.1301: Also received in July, 1995, this is a 1,301 byte 
           variant of the Beda virus described above.  Its size in memory 
           is 3,072 bytes, hooking interrupts 21 and 24.  It infects .COM 
           programs, including COMMAND.COM, when they are executed. 
           Infected programs will have a file length increase of 1,301 to 
           1,312 bytes with the virus being located at the end of the 
           file.  The file's date and time in the DOS disk directory listing 
           will have been altered in the same manner as the original 
           virus.  No text strings are visible within the viral code.  This 
           variant produces the same screen effect as the original virus. 
           Origin:  Unknown  July, 1995. 
       Beda.1530: Also received in July, 1995, this 1,530 byte variant 
           can infect both .COM and .EXE files, including COMMAND.COM.  Its 
           size in memory is 3,072 bytes, hooking interrupts 21 and 24.  It 
           infects .COM and .EXE files when they are executed, adding 
           1,530 to 1,544 bytes to the file's length.  The virus will be 
           located at the end of the file.  The program's date and time in 
           the DOS disk directory listing will be altered as with the 
           original virus.  No text strings are visible within the viral 
           code.  This variant does not produce the screen effects of the 
           original virus. 
           Origin:  Unknown  July, 1995.

Show viruses from discovered during that infect .

Main Page