Virus.DOS.Barrotes (Bars in Spanish) is a dangerous memory-resident parasitic virus for DOS. The main characteristics of this family are displaying vertical bars and/or destroying the MBR.

There are 17 variants, plus 1 sub-variant, with different infection behaviors, activation days or payloads.

Behavior

When the virus is loaded into memory, it first infects C:\COMMAND.COM, then hooks INT 21h to infect files as they are executed.

The variants generally skip files with the following filenames, to avoid infecting antivirus programs:

  • MSAV
  • MWAV

Barrotes.840 and 849

These variants infect DOS executables only.

Barrotes.1127

This variant does not infect COMMAND.COM before going memory resident; it infects F:\LOGIN.EXE instead, if available. It infects every executable that is run and does not check whether a file has already been infected, so it reinfects files and makes them grow with each further infection.

The virus cannot infect files that are larger than 64,409 bytes.

Barrotes.1194, 1222, 1292, 1310, 1447, 1463, 1874 and Tecla.1303

These variants infect any executable that is run. Some of them might corrupt files during infection, resulting in a system hang.

Barrotes.1292 displays the following text when the first infected file is run:

Iniciando Filo-Windows 95
Virus by...

Translation (from Spanish):

Starting file-Windows 95
Virus by...

Barrotes.1310.b, j and k do not infect COMMAND.COM before going memory resident, because their internal text string, listed in a later section, is not a valid file path. Additionally, variants B and J have an anti-debugging feature that hangs the system if the user attempts to open an infected file while either of these variants is in memory.

Barrotes.1310.d and e use i386 instructions to install themselves into memory.

Barrotes.Tecla.1303 is the encrypted variant. It infects the COMMAND.COM in the same directory rather than the one in the root directory, which means C:\COMMAND.COM might not be infected if the virus is located in another directory.

Barrotes.1461

Instead of C:\COMMAND.COM, this variant infects C:\DOS\KEYB.COM when it loads into memory. This variant also reinfects files.

Memory usage

The following table shows the memory usage of the variants.

Variant Memory usage in bytes
Barrotes.840 1,600
Barrotes.849 1,600
Barrotes.1127 1,600
Barrotes.1194 1,600
Barrotes.1222 1,600
Barrotes.1292 1,552
Barrotes.1310 (A, B, D, I, J and K) 1,600
Barrotes.1310.e 3,200
Barrotes.1447 1,712
Barrotes.1461 1,872
Barrotes.1463 1,728
Barrotes.1874 2,304
Barrotes.Tecla.1303 1,632

Payload

When activated, the virus decrypts the payload code, hooks INT 1Ch, and displays several vertical bars along with a message in the upper-left corner:

Virus BARROTES por OSoft

Translation (from Spanish):

BARROTES Virus by OSoft

Some variants may also destroy the MBR.

The payload of Barrotes.849

Barrotes.840 and 849

These variants activate on January 5th. They display the message, draw grey vertical bars and destroy the MBR.

Barrotes.1127 and 1292

These variants do not manifest themselves in any way, since their binaries do not contain the payload code.

Barrotes.1194

This variant is supposed to activate on the 1st day of any month, displaying the message and vertical bars and destroying the MBR, but it fails to do so.

Barrotes.1222

This variant activates on May 25th. Its visible payload code has been replaced with null characters, so it does not draw anything on screen, but it slows down the system and destroys the MBR.

Barrotes.1310.a, b and j

These variants activate on January 5th. They draw colorful vertical bars and destroy the MBR (except the J variant).

For Barrotes.1310.b, if a keyboard input is detected after activation, it crashes the system.

Barrotes.1310.d and e

These variants activate on July 20th. They draw colorful vertical bars and display the following message instead of the original one:

Virus MIKELON por MSoft

Barrotes.1310.i

This variant activates on May 23rd. It draws colorful vertical bars and displays the following message instead of the original one:

Araceli Escobar=ENANA+PUTA

Barrotes.1310.k

This variant activates on May 19th. It draws colorful vertical bars, destroys the MBR and displays the following message instead of the original one:

Virus SuperDepor vK&S

The payload of Barrotes.1463, debugged in order to trigger.

Barrotes.1447 and 1463

These variants destroy the MBR on activation. They also display a message at the top of the screen and scroll all the text below it to the left.

ViRUS de G.D.R. (c)PutoSOfT,  NO HAY NADA COMO G.D.R.  ¿¿ VERDAD ??   ;-)

Translation (from Spanish):

ViRUS by G.D.R. (c)WhoreSOFT, THERE IS NOTHING LIKE G.D.R. RIGHT ?? ;-)

The variants were originally meant to activate on the 22nd day of every month (hex value 16h). Due to a programming error, they are instead set to activate on the 34th day of every month (22h = 34 in decimal), so the virus never activates.

Barrotes.1461

This variant activates on March 3rd. It corrupts disk sectors, clears the screen, and displays the message:

This is virus RETRETE!
Don't attempt to recover your disk yourself!

Barrotes.1874

This variant displays the message, draws vertical bars and plays a tune on activation. However, the method of activation is currently unknown.

Barrotes.Tecla.1303

This variant activates on September 23rd. It hooks INT 16h to change the scancode of keys that are entered.

Variants

This family has 18 variants in total:

  • Virus.DOS.Barrotes.840
  • Virus.DOS.Barrotes.849
  • Virus.DOS.Barrotes.1127
  • Virus.DOS.Barrotes.1194
  • Virus.DOS.Barrotes.1222
  • Virus.DOS.Barrotes.1292
  • Virus.DOS.Barrotes.1310 (A, B, D, E, I, J and K)
  • Virus.DOS.Barrotes.1447
  • Virus.DOS.Barrotes.1461
  • Virus.DOS.Barrotes.1463
  • Virus.DOS.Barrotes.1874
  • Virus.DOS.Barrotes.Tecla.1303

Other details

The hoax program of Barrotes does nothing harmful other than drawing orange bars that block the user's view.

A hoax program, Hoax.DOS.Barrotes, was written by BERTOV1. It draws orange bars on the screen when run, but it does nothing harmful to the system.

Virus.DOS.Piolin.1176 (Piolin) has been identified as a variant of Barrotes by some antivirus products.

Barrotes.840 contains the internal text strings:

c:\command.com
OS

Barrotes.849 and 1292 contain the internal text strings:

c:\command.com
SO

Barrotes.1127 contains the internal text strings:

f:\login.exe
l9 (plus 2 spaces)

Barrotes.1194 contains the internal text strings:

c:\command.com
l7XS

Barrotes.1222 contains the internal text string:

lZ (plus ASCII ADh and ASCII DEh, possibly DEADh)

Barrotes.1310 (A, D and E) contain the internal text strings:

c:\command.com
l7SO

Barrotes.1310.b contains the internal text strings:

Galiza Xakobeo
l7SO

Barrotes.1310.i contains the internal text strings:

c:\command.com
l7MV

Barrotes.1310.j contains the internal text strings:

Terror Again 97
l7SO

Barrotes.1310.k contains the internal text strings:

SuperDepor vK&S
l7SO

Barrotes.1447 and 1463 contain the internal text strings:

c:\command.com
loXX

Barrotes.1461 contains the internal text string:

c:\dos\keyb.com

Barrotes.1874 contains the internal text string:

c:\COMMAND.com

Barrotes.Tecla.1303 contains the encrypted internal text strings:

C:\COMMAND.COM
Sta Tecla (MAD1)
ST
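
The string pairs above can serve as a first-pass triage aid when sorting archived samples. The following is an added example, not part of the original article: it reports candidate variants only when both strings of a pair are present in a buffer. It assumes the strings are stored unencrypted and with the exact case shown above; the function names and test buffers are constructed for illustration.

```python
"""Triage helper: map Barrotes internal text strings to candidate variants."""

# (first string, short marker, variants) exactly as listed in the article.
# Left out on purpose: 840/849/1292 (two-byte markers match far too often),
# 1222 (marker contains non-text bytes), 1461/1874 (a path alone proves
# nothing) and Tecla.1303 (its strings are encrypted in the file).
STRING_PAIRS = [
    (b"f:\\login.exe", b"l9  ", ["Barrotes.1127"]),
    (b"c:\\command.com", b"l7XS", ["Barrotes.1194"]),
    (b"c:\\command.com", b"l7SO",
     ["Barrotes.1310.a", "Barrotes.1310.d", "Barrotes.1310.e"]),
    (b"Galiza Xakobeo", b"l7SO", ["Barrotes.1310.b"]),
    (b"c:\\command.com", b"l7MV", ["Barrotes.1310.i"]),
    (b"Terror Again 97", b"l7SO", ["Barrotes.1310.j"]),
    (b"SuperDepor vK&S", b"l7SO", ["Barrotes.1310.k"]),
    (b"c:\\command.com", b"loXX", ["Barrotes.1447", "Barrotes.1463"]),
]


def candidate_variants(data: bytes) -> list[str]:
    """Return variants whose two strings both occur in `data`.

    A hit is only a hint for an analyst: several variants share the same
    pair, and the strings say nothing about whether the code is intact.
    """
    hits = []
    for first, marker, variants in STRING_PAIRS:
        if first in data and marker in data:
            hits.extend(variants)
    return hits


def constructed_sample(first: bytes, marker: bytes) -> bytes:
    """Build a harmless test buffer (padding plus the two strings)."""
    return b"\x00" * 64 + first + b"\x00" + marker + b"\x00" * 32


if __name__ == "__main__":
    demo = {
        "constructed 1310.b-like": constructed_sample(b"Galiza Xakobeo", b"l7SO"),
        "constructed 1447/1463-like": constructed_sample(b"c:\\command.com", b"loXX"),
        "path only (e.g. a batch file)": b"copy c:\\command.com a:\\\r\n",
    }
    for name, buf in demo.items():
        print(f"{name}: {candidate_variants(buf) or 'no match'}")
```

A match narrows the candidates only; variants that share a string pair still have to be told apart by other properties such as those described in the Behavior and Payload sections.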
