Burma.563 Virus
Virus Name: Burma.563
Aliases: Burma
V Status: Viron
Discovery: July, 1994
Symptoms: .COM & .EXE files become 563 bytes in size; display effect;
file date/time changes
Origin: Unknown
Eff Length: 563 Bytes Overwriting
Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector
Detection Method: F-Prot, AVTK, IBMAV, ViruScan, Sweep, NAV,
NAVDX, VAlert, PCScan, ChAV,
NProt, AVTK/N, NShld, Sweep/N, IBMAV/N, NAV/N,
Innoc 4.0+
Removal Instructions: Delete infected files
General Comments:
The Burma.563 virus was submitted in July, 1994. Its origin or point
of isolation is unknown. This virus is a non-resident overwriting
virus which permanently corrupts the programs it infects.

The first time a program infected with the Burma.563 virus is
executed, this virus will display the following message:

    "Reading system configuration, please wait."

The virus will have infected the first .COM and .EXE programs located
in the current directory. The user will then be returned to the
DOS prompt.

The next time a program infected with the Burma.563 virus is executed,
it will check to determine if the first .COM and .EXE files are
infected. If they are, a swirling effect will occur on the system
display. On monochrome monitors, this effect may appear as the
display of characters from memory.

The Burma.563 virus does not continue to infect programs in the
current directory after the first .COM and .EXE programs are infected.

Infected programs will become 563 bytes in size, with the file date
and time in the DOS disk directory listing updated to the current
system date and time. The following text strings are visible
within the viral code in all infected programs:

    "*.?o? *.?x? \DOS \"
    "Reading system configuration, please wait."

Two text strings, "SwizzleStyxx!" and "Dark Avenger", are also
contained within the viral code, though the characters are separated
by an open happy face (hex 01) character.
Known variant(s) of Burma.563 are:

Burma.442.D: Received in February, 1995, Burma.442.D is a 442
    byte variant of the Burma.563 virus described above. It
    overwrites the first 442 bytes of the host .COM and .EXE
    files it infects, truncating the file length to 442 bytes.
    The file's date and time in the DOS disk directory listing
    will have been updated to the current system date and time
    when infection occurred. The following text string will be
    visible within the viral code:

        "*.?x? *.?o? \DOS"

    Origin: Unknown February, 1995.

Burma.756: Received in July, 1995, Burma.756 is a 756 byte
    variant of the Burma virus described above. Infected
    programs become 756 bytes in length with the current
    system date and time. The following text strings are
    visible within the viral code:

        "*.?o? *.?x? A:\DOS A:\"
        "SwizzleStyxx!"
        "Reading system configuration, please wait."
        "DarkAvenger"

    The second and fourth text strings have each character
    separated by hex 01 (happy face) characters. This variant
    also produces the whirlpool effect of the original virus.

    Origin: Unknown July, 1995.
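
Added example (not part of the original entry and not taken from any of the listed scanners): a Python check that matches a file against the sizes and text strings given above for Burma.563 and its variants, including the strings whose characters are separated by hex 01, which a plain string search misses. It assumes exactly one 0x01 byte between characters and matches each wildcard token on its own; the function names and the test buffer are constructed for illustration.

```python
import os

SEP = b"\x01"  # byte the entry calls the "open happy face" character

def spaced(text):
    # Assumption: exactly one 0x01 byte sits between consecutive characters.
    return SEP.join(bytes([b]) for b in text.encode("ascii"))

MSG = b"Reading system configuration, please wait."
# variant -> (infected file size, byte patterns expected in the file).
# Assumption: blanks in the entry's wildcard string may be non-printable
# bytes in the file, so each token is matched on its own.
INDICATORS = {
    "Burma.563": (563, [b"*.?o?", b"*.?x?", b"\\DOS", MSG,
                        spaced("SwizzleStyxx!"), spaced("Dark Avenger")]),
    "Burma.442.D": (442, [b"*.?x?", b"*.?o?", b"\\DOS"]),
    "Burma.756": (756, [b"*.?o?", b"*.?x?", b"A:\\DOS", MSG,
                        spaced("SwizzleStyxx!"), spaced("DarkAvenger")]),
}

def classify(data):
    """Return the variant name whose size and patterns all match, else None."""
    for name, (size, patterns) in INDICATORS.items():
        if len(data) == size and all(p in data for p in patterns):
            return name
    return None

def scan_dir(path):
    """Map each .COM/.EXE file name in path to the variant it matches."""
    hits = {}
    for entry in os.scandir(path):
        if entry.is_file() and entry.name.lower().endswith((".com", ".exe")):
            with open(entry.path, "rb") as fh:
                variant = classify(fh.read(1024))  # largest variant is 756 bytes
            if variant:
                hits[entry.name] = variant
    return hits

def constructed_sample(name):
    """Constructed buffer: the listed patterns plus zero padding, no viral code."""
    size, patterns = INDICATORS[name]
    return b"\x00".join(patterns).ljust(size, b"\x00")

if __name__ == "__main__":
    sample = constructed_sample("Burma.563")
    print(classify(sample), b"Dark Avenger" in sample)
```

Because every infected file is overwritten, a match means the original program is gone; the entry's removal instruction (delete infected files) applies.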