Virus.DOS.Barrotes (Bars in Spanish) is a dangerous memory resident parasitic virus on DOS. Displaying vertical bars and/or destroying MBR are the main characteristics of this family.

There are 17 variants, plus 1 sub-variant, having different infection behaviors, activation days or payloads.


When the virus is loaded into memory, it first infects C:\COMMAND.COM, followed by hooking INT 21h to infect files that are executed.

Generally they avoid files having the filename to prevent infection of antiviruses:


Barrotes.840 and 849Edit

These variants infect DOS executable only.


This variant does not infect COMMAND.COM before staying memory resident, but F:\LOGIN.EXE instead, if available. It infects every executable that is run, and it does not check whether a file has been infected and it would reinfect the file, making the size of file grows on further infection.

The virus cannot infect files that are larger than 64,409 bytes.

Barrotes.1194, 1222, 1292, 1310, 1447, 1463, 1874 and Tecla.1303Edit

These variants infect any executable that is run, some of them might corrupt the files during infection and result a system hang.

Barrotes.1292 displays the following text when the first infected file is run:

Iniciando Filo-Windows 95
Virus by...

Translation (from Spanish):

Starting file-Windows 95
Virus by...

Barrotes.1310.b, j and k do not infect COMMAND.COM before staying memory resident, this is because of the internal text string, as listed in later section, is not a valid file path. Additionally, variants B and J have anti-debugging feature that would hang the system if the user attempts to open an infected file when any of these variants is in memory.

Barrotes.1310.d and e use i386 instructions to install itself into memory.

Barrotes.Tecla.1303 is the encrypted variant. It infects COMMAND.COM in the same directory instead of that in root, which means C:\COMMAND.COM might not be infected if the virus is located in other directory.


Instead of C:\COMMAND.COM, this variant infects C:\DOS\KEYB.COM when it loads into memory, and this variant would reinfect files.

Memory usageEdit

The following table shows the memory usage of the variants.

Variant Memory usage in bytes
Barrotes.840 1,600
Barrotes.849 1,600
Barrotes.1127 1,600
Barrotes.1194 1,600
Barrotes.1222 1,600
Barrotes.1292 1,552
Barrotes.1310 (A, B, D, I, J and K) 1,600
Barrotes.1310.e 3,200
Barrotes.1447 1,712
Barrotes.1461 1,872
Barrotes.1463 1,728
Barrotes.1874 2,304
Barrotes.Tecla.1303 1,632


When activated, the virus decrypts the payload code, hooks INT 1Ch, displays several vertical bars, and a message at the up-left corner:

Virus BARROTES por OSoft

Translation (from Spanish):

BARROTES Virus by OSoft

Some variants may also destroy the MBR.

Barrotes849 payload

The payload of Barrotes.849

Barrotes.840 and 849Edit

These variants activate on January 5th, they display the message, draw grey vertical bars and destroy the MBR.

Barrotes.1127 and 1292Edit

These variants do not manifest themselves at anyway since their binaries do not contain the code of payload.


This variant is supposed to activate on 1st day in any month, by displaying the message, vertical bars and destroying the MBR, but failed.


This variant activates on May 25th, since it replaced the visible payload code with null characters so that it does not draw anything on screen but it would still hook INT 1Ch and might slow down the system speed a little bit and also to destroy the MBR.

Barrotes.1310.a, b and jEdit

These variants activate on January 5th, they draw colorful vertical bars, and destroys the MBR (except J variant).

For Barrotes.1310.b, if a keyboard input is detected after activation, it crashes the system.

Barrotes.1310.d and eEdit

These variants activate on July 20th. They draw colorful vertical bars and display the following message instead of the original one:

Virus MIKELON por MSoft


This variant activates on May 23th. It draws colorful vertical bars and displays the following message instead of the original one:

Araceli Escobar=ENANA+PUTA


This variant activates on May 19th. It draws colorful vertical bars, destroys the MBR and displays the following message instead of the original one:

Virus SuperDepor vK&S
Barrotes1463 payload

The payload of Barrotes.1463, debugged in order to trigger.

Barrotes.1447 and 1463Edit

These variants destroy the MBR on activation, it also display a message at the top of the screen, and scroll all the text below it to left.

ViRUS de G.D.R. (c)PutoSOfT,  NO HAY NADA COMO G.D.R.  ¿¿ VERDAD ??   ;-)

Translation (from Spanish):


It is originally set to activate on 22nd day of every month (hex value 16h), but failed due to a programming error, it is set to activate on 34th day of every month (22h = 34 in decimal), so the virus would never activate.


This variant activates on March 3rd. It corrupts disk sectors, clears the screen, and displays the message:

This is virus RETRETE!
Don't attempt to recover your disk yourself!


This variant displays message, draws vertical bars and plays a tune on activation. However the method of activation is currently unknown.


This variant activates on September 23rd, it hooks INT 16h to change the scancode of keys that are entered.


This family has 18 variants in total:

  • Virus.DOS.Barrotes.840
  • Virus.DOS.Barrotes.849
  • Virus.DOS.Barrotes.1127
  • Virus.DOS.Barrotes.1194
  • Virus.DOS.Barrotes.1222
  • Virus.DOS.Barrotes.1292
  • Virus.DOS.Barrotes.1310 (A, B, D, E, I, J and K)
  • Virus.DOS.Barrotes.1447
  • Virus.DOS.Barrotes.1461
  • Virus.DOS.Barrotes.1463
  • Virus.DOS.Barrotes.1874
  • Virus.DOS.Barrotes.Tecla.1303

Other detailsEdit

Barrotes hoax prog

The hoax program of Barrotes, makes nothing harmful other than the orange bars blocking the user's view.

A hoax program Hoax.DOS.Barrotes written by BERTOV1, it draws orange bars on the screen when run, but it does nothing harmful to the system.

Virus.DOS.Piolin.1176 (Piolin) has been identified as a variant of Barrotes by some antivirus.

Barrotes.840 contains the internal text strings:


Barrotes.849 and 1292 contain the internal text strings:


Barrotes.1127 contains the internal text strings:

l9 (plus 2 spaces)

Barrotes.1194 contains the internal text strings:


Barrotes.1222 contains the internal text string:

lZ (plus ASCII ADh and ASCII DEh, possibly DEADh)

Barrotes.1310 (A, D and E) contain the internal text strings:


Barrotes.1310.b contain the internal text strings:

Galiza Xakobeo

Barrotes.1310.i contain the internal text strings:


Barrotes.1310.j contain the internal text strings:

Terror Again 97

Barrotes.1310.k contain the internal text strings:

SuperDepor vK&S

Barrotes.1447 and 1463 contain the internal text string:


Barrotes.1461 contains the internal text string:


Barrotes.1874 contains the internal text string:


Barrotes.Tecla.1303 contains the encrypted internal text strings:

Sta Tecla (MAD1)


  1. Descriptions about the Barrotes virus on F-Secure Labs and Online VSUM
  2. List of variants of the Barrotes virus on VX Heaven


Virus.DOS.Barrotes 1310, 1461, 131002:00

Virus.DOS.Barrotes 1310, 1461, 1310.j

Barrotes.1310.b, 1461 and 1310.j review by Alles Sandro



Barrotes virus review by danooct1

Ad blocker interference detected!

Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.