Virus.DOS.Barrotes (Bars in Spanish) is a dangerous memory resident parasitic virus on DOS. Displaying vertical bars and/or destroying MBR are the main characteristics of this family.

There are 17 variants, plus 1 sub-variant, having different infection behaviors, activation days or payloads.


When the virus is loaded into memory, it first infects C:\COMMAND.COM, followed by hooking INT 21h to infect files that are executed.

Generally they avoid files having the filename to prevent infection of antiviruses:


Barrotes.840 and 849

These variants infect DOS executable files only.


This variant does not infect COMMAND.COM before staying memory resident, but F:\LOGIN.EXE instead, if available. It infects every executable that is run, and it does not check whether a file has been infected and it would reinfect the file, making the size of file grows on further infection.

The virus cannot infect files that are larger than 64,409 bytes.

Barrotes.1194, 1222, 1292, 1310, 1447, 1463, 1874 and Tecla.1303

These variants infect any executable file that is run, some of them might corrupt the files during infection and result a system hang.

Barrotes.1292 displays the following text when the first infected file is run:

Iniciando Filo-Windows 95
Virus by...

Translation (from Spanish):

Starting file-Windows 95
Virus by...

Barrotes.1310.b, j and k do not infect COMMAND.COM before staying memory resident, this is because of the internal text string, as listed in later section, is not a valid file path. Additionally, variants B and J have anti-debugging feature that would hang the system if the user attempts to open an infected file when any of these variants is in memory.

Barrotes.1310.d and e use i386 instructions to install itself into memory.

Barrotes.Tecla.1303 is the encrypted variant. It infects COMMAND.COM in the same directory instead of that in root, which means C:\COMMAND.COM might not be infected if the virus is located in other directory.


Instead of C:\COMMAND.COM, this variant infects C:\DOS\KEYB.COM when it loads into memory, and this variant would reinfect files.

Advanced details

The following table shows the memory usage of the variants.

Variant Memory usage in bytes
Barrotes.840 1,600
Barrotes.849 1,600
Barrotes.1127 1,600
Barrotes.1194 1,600
Barrotes.1222 1,600
Barrotes.1292 1,552
Barrotes.1310 (A, B, D, I, J and K) 1,600
Barrotes.1310.e 3,200
Barrotes.1447 1,712
Barrotes.1461 1,872
Barrotes.1463 1,728
Barrotes.1874 2,304
Barrotes.Tecla.1303 1,632

MD5 hashes:

Variant Hash
Barrotes.840 117cfad8314e61316765d75b3d0e7760
Barrotes.849 0e465865ece2ddd851f6e6b6449dbdfe
Barrotes.1127 5a252c463b98738a1d171b24a219c93a
Barrotes.1194 4d845737aa1f41024521b4346299e4cb
Barrotes.1222 d1da67a83dd658a597061fe2e876a66d
Barrotes.1292 d073a14dd5031fda4ec65f724c8fc686
Barrotes.1310.a 9e5d3ef878d4320a20b5c2d354c31d20
Barrotes.1310.b f12af07ab9494f32a572b2895843004d
Barrotes.1310.d 330fe8d07aee7e47bfd22ced738c060e
Barrotes.1310.e 8b273c57d2b483fd2024eba5db970e5d
Barrotes.1310.i 5798e64ef4663103ba47f59dee56ceda
Barrotes.1310.j 889170ab1d7eb361a2aaf311044d4a93
Barrotes.1310.k 66df96dc1310b277f0198c169fc57f7d
Barrotes.1447 d428c706ec05034d9f2a6fce651b5fd1
Barrotes.1461 d5622e5e252bd99048bdb710cfb60b64
Barrotes.1463 bd7021b8678f5fef15ccdf15056951b8
Barrotes.1874 8541db9bce4e181324d0c8438f43543a
Barrotes.Tecla.1303 dbc50ec1b4f6530143c1443a52fad6a2


When activated, the virus decrypts the payload code, hooks INT 1Ch, displays several vertical bars, and a message at the up-left corner:

Virus BARROTES por OSoft

Translation (from Spanish):

BARROTES Virus by OSoft

Some variants may also destroy the MBR.

Barrotes849 payload

The payload of Barrotes.849

Barrotes.840 and 849

These variants activate on January 5th, they display the message, draw grey vertical bars and destroy the MBR.

Barrotes.1127 and 1292

These variants do not manifest themselves at anyway since their binaries do not contain the code of payload.


This variant is supposed to activate on 1st day in any month, by displaying the message, vertical bars and destroying the MBR, but failed.


This variant activates on May 25th, since it replaced the visible payload code with null characters so that it does not draw anything on screen but it would still hook INT 1Ch and might slow down the system speed a little bit and also to destroy the MBR.

Barrotes.1310.a, b and j

These variants activate on January 5th, they draw colorful vertical bars, and destroys the MBR (except J variant).

For Barrotes.1310.b, if a keyboard input is detected after activation, it crashes the system.

Barrotes.1310.d and e

These variants activate on July 20th. They draw colorful vertical bars and display the following message instead of the original one:

Virus MIKELON por MSoft


This variant activates on May 23th. It draws colorful vertical bars and displays the following message instead of the original one:

Araceli Escobar=ENANA+PUTA


This variant activates on May 19th. It draws colorful vertical bars, destroys the MBR and displays the following message instead of the original one:

Virus SuperDepor vK&S
Barrotes1463 payload

The payload of Barrotes.1463, debugged in order to trigger.

Barrotes.1447 and 1463

These variants destroy the MBR on activation, it also display a message at the top of the screen, and scroll all the text below it to left.

ViRUS de G.D.R. (c)PutoSOfT,  NO HAY NADA COMO G.D.R.  ¿¿ VERDAD ??   ;-)

Translation (from Spanish):


It is originally set to activate on 22nd day of every month (hex value 16h), but failed due to a programming error, it is set to activate on 34th day of every month (22h = 34 in decimal), so the virus would never activate.


This variant activates on March 3rd. It corrupts disk sectors, clears the screen, and displays the message:

This is virus RETRETE!
Don't attempt to recover your disk yourself!


This variant displays message, draws vertical bars and plays a tune on activation. However the method of activation is currently unknown.


This variant activates on September 23rd, it hooks INT 16h to change the scancode of keys that are entered.


This family has 18 variants in total:

  • Virus.DOS.Barrotes.840
  • Virus.DOS.Barrotes.849
  • Virus.DOS.Barrotes.1127
  • Virus.DOS.Barrotes.1194
  • Virus.DOS.Barrotes.1222
  • Virus.DOS.Barrotes.1292
  • Virus.DOS.Barrotes.1310 (A, B, D, E, I, J and K)
  • Virus.DOS.Barrotes.1447
  • Virus.DOS.Barrotes.1461
  • Virus.DOS.Barrotes.1463
  • Virus.DOS.Barrotes.1874
  • Virus.DOS.Barrotes.Tecla.1303

Other details

Barrotes hoax prog

The hoax program of Barrotes, makes nothing harmful other than the orange bars blocking the user's view.

A hoax program Hoax.DOS.Barrotes written by BERTOV1, it draws orange bars on the screen when run, but it does nothing harmful to the system.

Virus.DOS.Piolin.1176 (Piolin) has been identified as a variant of Barrotes by some antivirus.

Barrotes.840 contains the internal text strings:


Barrotes.849 and 1292 contain the internal text strings:


Barrotes.1127 contains the internal text strings:

l9 (plus 2 spaces)

Barrotes.1194 contains the internal text strings:


Barrotes.1222 contains the internal text string:

lZ (plus ASCII ADh and ASCII DEh, possibly DEADh)

Barrotes.1310 (A, D and E) contain the internal text strings:


Barrotes.1310.b contain the internal text strings:

Galiza Xakobeo

Barrotes.1310.i contain the internal text strings:


Barrotes.1310.j contain the internal text strings:

Terror Again 97

Barrotes.1310.k contain the internal text strings:

SuperDepor vK&S

Barrotes.1447 and 1463 contain the internal text string:


Barrotes.1461 contains the internal text string:


Barrotes.1874 contains the internal text string:


Barrotes.Tecla.1303 contains the encrypted internal text strings:

Sta Tecla (MAD1)


  1. Descriptions about the Barrotes virus on F-Secure Labs and Online VSUM
  2. List of variants of the Barrotes virus on VX Heaven


Virus.DOS.Barrotes 1310, 1461, 1310

Virus.DOS.Barrotes 1310, 1461, 1310.j

Barrotes.1310.b, 1461 and 1310.j review by Alles Sandro



Barrotes virus review by danooct1