Barrotes Virus


 Virus Name:  Barrotes 
 Aliases:     Barrotes.1310 
 V Status:    Rare 
 Discovery:   December, 1992 
 Symptoms:    .COM & .EXE growth; decrease in total system & available free 
              memory; vertical bars & message on system display; 
              boot failure; Master boot sector corrupted 
 Origin:      Spain 
 Isolated:    The Netherlands 
 Eff Length:  1,310 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, AVTK, ViruScan, Sweep, IBMAV, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, Innoc, AVTK/N, IBMAV/N, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Barrotes virus was isolated in The Netherlands in December, 1992. 
       It appears to have originated in Spain.  Barrotes is a memory 
       resident infector of .COM, .EXE, and overlay programs, including 
       COMMAND.COM. 
 
       When the first Barrotes infected program is executed, the Barrotes 
       virus will become memory resident at the top of system memory but 
       below the 640K DOS boundary, hooking interrupt 21.  Total system 
       and available free memory, as indicated by the DOS CHKDSK program, 
       will have decreased by 1,600 bytes.  Interrupt 12's return will not 
       be moved.  Also at this time, the Barrotes virus will infect the 
       copy of COMMAND.COM located in the C: drive root directory if it 
       was not previously infected. 
 
       Once the Barrotes virus is memory resident, it will infect .COM, 
       .EXE, and overlay programs when they are executed.  Infected 
       programs will have a file length increase of 1,310 bytes with the 
       virus being located at the end of the file.  The program's date 
       and time in the DOS disk directory listing will not be altered. 
       The following text strings are visible within the Barrotes viral 
       code in all infected programs: 
 
               "c:\command.com" 
               "l7SO" 
      
       The Barrotes virus activates when it becomes memory resident on 
       January 5th of any year.  At that time, the virus will draw 
       vertical bars across the system display, and the following message 
       will appear at the DOS prompt: 
 
               "Virus BARROTES por OSoft" 
 
       After the message appears, the virus will write a portion of its 
       code to the system hard disk's master boot sector.  The next time 
       the user attempts to boot from the system hard disk, the boot will 
       fail. 
 
       Known variant(s) of Barrotes are: 
       Barrotes.840: Received in March, 1994 from Spain, Barrotes.840 
               is an 840 byte variant of the Barrotes virus described above. 
               Its size in memory is 1,600 bytes, hooking interrupt 21. 
               Like the original virus, it will infect the copy of 
               COMMAND.COM located in the C: drive root directory when the 
               first infected program is executed.  Once memory resident, it 
               infects .COM programs when they are executed.  Infected files 
               will have a file length increase of 840 bytes with the virus 
               being located at the end of the file.  The following text 
               strings are visible within the viral code, with the last 
               text string occurring at the very end of all infected files: 
               "c:\command.com" 
               "OS" 
               On January 5th of any year, the Barrotes.840 virus will 
               overwrite the system hard disk master boot sector (partition 
               table sector) when the first infected program is executed. 
               Origin:  Spain  March, 1994. 
       Barrotes.849: Received in July, 1994 from Spain, Barrotes.849 
               is an 849 byte variant of the Barrotes virus described above. 
               Its size in memory is 1,600 bytes, hooking interrupt 21. 
               Like the original virus, it will infect the copy of 
               COMMAND.COM located in the C: drive root directory when the 
               first infected program is executed.  Once memory resident, it 
               infects .COM programs when they are executed.  Infected files 
               will have a file length increase of 849 bytes with the virus 
               being located at the end of the file.  The following text 
               strings are visible within the viral code, with the last 
               text string occurring at the very end of all infected files: 
               "c:\command.com" 
               "SO" 
               Origin:  Spain  July, 1994. 
       Barrotes.1176: Received in January, 1996, Barrotes.1176 is a 
               1,176 byte variant of the Barrotes virus.  Its size in 
               memory is 1,680 bytes, hooking interrupt 21.  Once resident, 
               it infects programs when they are executed.  Infected programs 
               will have a file length increase of 1,176 bytes with the virus 
               being located at the end of the file.  The following text 
               string is contained within the viral code in all infected 
               files: 
               "FGGI" 
               It is unknown what Barrotes.1176 does besides replicate. 
               Origin:  Unknown  January, 1996. 
       Barrotes.1194: Received in July, 1995, Barrotes.1194 is a 1,194 
               byte variant of the Barrotes virus described above.  Its size 
               in memory is 1,600 bytes, hooking interrupt 21.  Like the 
               original virus, it will infect the copy of COMMAND.COM 
               located in the C: drive root directory when the first 
               infected program is executed.  Once memory resident, it 
               infects programs when they are executed.  Infected programs 
               will have a file length increase of 1,194 bytes with the virus 
               being located at the end of the file.  The following text 
               strings are contained within the viral code in all infected 
               files: 
               "c:\command.com" 
               "I7XS" 
               It is unknown what Barrotes.1194 does besides replicate. 
               Origin:  Unknown  July, 1995. 
       Barrotes.1303: Received from Spain in February 1994, Barrotes.1303 
               is a 1,303 byte variant of the Barrotes virus described above. 
               Its size in memory is 1,632 bytes, hooking interrupt 21. 
               Like the original virus, it will infect the copy of 
               COMMAND.COM located in the C: drive root directory when the 
               first infected program is executed.  Once memory resident, it 
               infects programs when they are executed.  Infected programs 
               will have a file length increase of 1,303 bytes with the virus 
               being located at the end of the file.  The following text 
               strings are contained within the viral code, the first two 
               being encrypted while the last text string is unencrypted and 
               can be found at the very end of all infected files: 
               "C:\COMMAND.COM" 
               "Sta Tecla (MAD1)" 
               "ST" 
               It is unknown what Barrotes.1303 does besides replicate. 
               Origin:  Spain  February, 1994. 
       Barrotes.1447: Received from Spain in July, 1996, Barrotes.1447 
               is a 1,447 byte variant of the Barrotes virus described above. 
               Its size in memory is 1,712 bytes, hooking interrupt 21. 
               Like the original virus, it will infect the copy of 
               COMMAND.COM located in the C: drive root directory when the 
               first infected program is executed.  Once memory resident, it 
               infects programs when they are executed.  Infected programs 
               will have a file length increase of 1,447 bytes with the virus 
               being located at the end of the file.  The following text 
               strings are visible within the viral code, with the last 
               string being located at the end of all infected files: 
               "C:\COMMAND.COM" 
               "loXX" 
               Origin:  Spain  July, 1996. 
       Barrotes.1463: Received in January, 1996, Barrotes.1463 is a 
               1,463 byte variant of the Barrotes virus.  Its size 
               in memory is 1,728 bytes, hooking interrupt 21.  Like the 
               original virus, it will infect the copy of COMMAND.COM 
               located in the C: drive root directory when the first 
               infected program is executed.  Once memory resident, it 
               infects programs when they are executed.  Infected programs 
               will have a file length increase of 1,463 bytes with the virus 
               being located at the end of the file.  The following text 
               strings are contained within the viral code in all infected 
               files: 
               "c:\command.com" 
               "RRR" 
               "vsvRqqRRRm_[RRR" 
               "loXX" 
               The last text string above can be found at the very end of 
               all infected files. 
               Origin:  Unknown  January, 1996. 
      

Show viruses from discovered during that infect .

Main Page