Barrotes


Virus.DOS.Barrotes ("Bars" in Spanish) is a dangerous memory-resident parasitic virus for DOS. Displaying vertical bars and/or destroying the MBR are the main characteristics of this family.

There are 17 variants, plus 1 sub-variant, having different infection behaviors, activation days or payloads.

Behavior

When the virus is loaded into memory, it first infects C:\COMMAND.COM, then hooks INT 21h to infect files that are executed.

Generally, the variants skip files with the following filenames to avoid infecting antivirus programs:

MSAV
MWAV

Barrotes.840 and 849

These variants infect DOS executables only.

Barrotes.1127

This variant does not infect COMMAND.COM before going memory resident; it infects F:\LOGIN.EXE instead, if available. It infects every executable that is run and does not check whether a file has already been infected, so it reinfects files and their size grows with each further infection.

The virus cannot infect files that are larger than 64,409 bytes.

Barrotes.1194, 1222, 1292, 1310, 1447, 1463, 1874 and Tecla.1303

These variants infect any executable that is run. Some of them might corrupt files during infection, resulting in a system hang.

Barrotes.1292 displays the following text when the first infected file is run:

Iniciando Filo-Windows 95
Virus by...

Translation (from Spanish):

Starting file-Windows 95
Virus by...

Barrotes.1310.b, j and k do not infect COMMAND.COM before going memory resident. Additionally, variants B and J have an anti-debugging feature that hangs the system if the user attempts to open an infected file while any of these variants is in memory.

Barrotes.1310.d and e use i386 instructions to install themselves into memory.

Barrotes.Tecla.1303 is the encrypted variant. It infects the COMMAND.COM in its own directory instead of the one in the root directory, which means C:\COMMAND.COM might not be infected if the virus is located in another directory.

Barrotes.1461

This variant infects C:\DOS\KEYB.COM instead of C:\COMMAND.COM before loading into memory, and it reinfects files.

Memory usage

The following table shows the memory usage of the variants.

Variant                                Memory usage (bytes)
Barrotes.840                           1,600
Barrotes.849                           1,600
Barrotes.1127                          1,600
Barrotes.1194                          1,600
Barrotes.1222                          1,600
Barrotes.1292                          1,552
Barrotes.1310 (A, B, D, I, J and K)    1,600
Barrotes.1310.e                        3,200
Barrotes.1447                          1,712
Barrotes.1461                          1,872
Barrotes.1463                          1,728
Barrotes.1874                          2,304
Barrotes.Tecla.1303                    1,632

Payload

When activated, the virus decrypts the payload code, hooks INT 1Ch, and displays several vertical bars along with a message in the upper-left corner:

Virus BARROTES por OSoft

Translation (from Spanish):

BARROTES Virus by OSoft

Some variants may also destroy the MBR.

Image: the payload of Barrotes.849

Barrotes.840 and 849

These variants activate on January 5th. They display the message, draw grey vertical bars and destroy the MBR.

Barrotes.1127 and 1292

These variants do not manifest themselves in any way, since their binaries do not contain the payload code.

Barrotes.1194

This variant is supposed to activate on the 1st day of any month, displaying the message and vertical bars and destroying the MBR, but it fails to do so.

Barrotes.1222

This variant activates on May 25th. Because the visible payload code has been replaced with null characters, it does not draw anything on screen, but it slows down the system and destroys the MBR.

Barrotes.1310.a, b and j

These variants activate on January 5th. They draw colorful vertical bars and destroy the MBR (except the J variant).

For Barrotes.1310.b, if a keyboard input is detected after activation, it crashes the system.

Barrotes.1310.d and e

These variants activate on July 20th. They draw colorful vertical bars and display the following message instead of the original one:

Virus MIKELON por MSoft

Barrotes.1310.i

This variant activates on May 23rd. It draws colorful vertical bars and displays the following message instead of the original one:

Araceli Escobar=ENANA+PUTA

Barrotes.1310.k

This variant activates on May 19th. It draws colorful vertical bars, destroys the MBR and displays the following message instead of the original one:

Virus SuperDepor vK&S

Image: the payload of Barrotes.1463, debugged in order to trigger.

Barrotes.1447 and 1463

These variants destroy the MBR on activation. They also display a message at the top of the screen and scroll all the text below it to the left.

ViRUS de G.D.R. (c)PutoSOfT,  NO HAY NADA COMO G.D.R.  ¿¿ VERDAD ??   ;-)

Translation (from Spanish):

ViRUS by G.D.R. (c)WhoreSOFT, THERE IS NOTHING LIKE G.D.R. RIGHT ?? ;-)

The payload was originally meant to activate on the 22nd day of every month (16h in hexadecimal). Due to a programming error, the trigger value is 22h, which is 34 in decimal, so the virus waits for a 34th day of the month and never activates.

Barrotes.1461

This variant activates on March 3rd. It corrupts disk sectors, clears the screen, and displays the message:

This is virus RETRETE!
Don't attempt to recover your disk yourself!

Barrotes.1874

This variant displays the message, draws vertical bars and plays a tune on activation. However, the method of activation is currently unknown.

Barrotes.Tecla.1303

This variant activates on September 23rd. It hooks INT 16h to change the scancode of keys that are entered.

Variants

This family has 18 variants in total:

  • Virus.DOS.Barrotes.840
  • Virus.DOS.Barrotes.849
  • Virus.DOS.Barrotes.1127
  • Virus.DOS.Barrotes.1194
  • Virus.DOS.Barrotes.1222
  • Virus.DOS.Barrotes.1292
  • Virus.DOS.Barrotes.1310 (A, B, D, E, I, J and K)
  • Virus.DOS.Barrotes.1447
  • Virus.DOS.Barrotes.1461
  • Virus.DOS.Barrotes.1463
  • Virus.DOS.Barrotes.1874
  • Virus.DOS.Barrotes.Tecla.1303

Other details

Image: the Barrotes hoax program, which does nothing harmful other than drawing orange bars that block the user's view.

A hoax program, Hoax.DOS.Barrotes, was written by BERTOV1. It draws orange bars on the screen when run, but it does nothing harmful to the system.

Virus.DOS.Piolin.1176 (Piolin) has been identified as a variant of Barrotes by some antivirus products.

Barrotes.840 contains the internal text strings:

c:\command.com
OS

Barrotes.849 and 1292 contain the internal text strings:

c:\command.com
SO

Barrotes.1127 contains the internal text strings:

f:\login.exe
l9 (plus 2 spaces)

Barrotes.1194 contains the internal text strings:

c:\command.com
l7XS

Barrotes.1222 contains the internal text string:

lZ (plus ASCII ADh and ASCII DEh, possibly DEADh)

Barrotes.1310 (A, D and E) contain the internal text strings:

c:\command.com
l7SO

Barrotes.1310.b contains the internal text strings:

Galiza Xakobeo
l7SO

Barrotes.1310.i contains the internal text strings:

c:\command.com
l7MV

Barrotes.1310.j contains the internal text strings:

Terror Again 97
l7SO

Barrotes.1310.k contains the internal text strings:

SuperDepor vK&S
l7SO

Barrotes.1447 and 1463 contain the internal text strings:

c:\command.com
loXX

Barrotes.1461 contains the internal text string:

c:\dos\keyb.com

Barrotes.1874 contains the internal text string:

c:\COMMAND.com

Barrotes.Tecla.1303 contains the encrypted internal text strings:

C:\COMMAND.COM
Sta Tecla (MAD1)
ST
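
The internal strings listed above can be used to narrow down which variant a suspect file might carry. The following Python code is an added example, not part of the original article or of any antivirus product; it assumes the strings are stored as plain bytes exactly as printed and that the extra bytes noted for Barrotes.1127 and 1222 follow the marker directly. Barrotes.Tecla.1303 is left out because its strings are encrypted.

```python
# Added example: triage a byte buffer against the internal strings listed above.
# Assumptions: strings are stored as plain bytes exactly as printed, and the
# "plus ..." bytes noted for Barrotes.1127 and 1222 follow the marker directly.
SIGNATURES = {
    "Barrotes.840": [b"c:\\command.com", b"OS"],
    "Barrotes.849 / 1292": [b"c:\\command.com", b"SO"],
    "Barrotes.1127": [b"f:\\login.exe", b"l9  "],
    "Barrotes.1194": [b"c:\\command.com", b"l7XS"],
    "Barrotes.1222": [b"lZ\xad\xde"],
    "Barrotes.1310 (A, D, E)": [b"c:\\command.com", b"l7SO"],
    "Barrotes.1310.b": [b"Galiza Xakobeo", b"l7SO"],
    "Barrotes.1310.i": [b"c:\\command.com", b"l7MV"],
    "Barrotes.1310.j": [b"Terror Again 97", b"l7SO"],
    "Barrotes.1310.k": [b"SuperDepor vK&S", b"l7SO"],
    "Barrotes.1447 / 1463": [b"c:\\command.com", b"loXX"],
    "Barrotes.1461": [b"c:\\dos\\keyb.com"],
    "Barrotes.1874": [b"c:\\COMMAND.com"],
}
# Barrotes.Tecla.1303 is omitted: the page says its strings are encrypted.


def candidates(data: bytes) -> list[tuple[str, int]]:
    """Return (variant, score) for every signature whose strings all occur.

    Score is the total length of the matched strings, so a hit on "l7SO"
    outranks the two-byte "SO" marker that it happens to contain.
    """
    hits = []
    for name, strings in SIGNATURES.items():
        if all(s in data for s in strings):
            hits.append((name, sum(len(s) for s in strings)))
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def best_match(data: bytes) -> list[str]:
    """Names of the top-scoring candidates (several on a tie), or [] if none."""
    hits = candidates(data)
    return [n for n, score in hits if score == hits[0][1]] if hits else []


if __name__ == "__main__":
    # Constructed buffer, not a real sample: filler bytes around two strings.
    sample = b"\x90" * 32 + b"c:\\command.com\x00" + b"\xcd\x21" * 8 + b"l7SO"
    print(candidates(sample))
    print(best_match(b"MZ" + b"\x00" * 64))  # filler only, no candidates
```

A match is only a hint for closer analysis: the path-only signatures and the two-byte markers can also occur in unrelated files.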

References

Description of the Barrotes virus, F-Secure Labs

Videos

Barrotes.1310.b, 1461 and 1310.j review by Alles Sandro

Barrotes virus review by danooct1
