There are 16 variants in 6 versions, represented by the following:
When the virus is loaded into memory, it hooks INT 21h and writes itself to the end of files that are run or closed. When an infected file is opened, the virus disinfects it temporarily, but the file is infected again when it is closed.
The virus uses the hexadecimal value BEDAh to identify infected files and to detect whether its TSR copy has already been loaded. During infection the virus might corrupt the file being infected, causing the system to crash when the file is executed.
The infection size varies in different files.
This variant is believed to be the very first version of the Beda family. It infects DOS executables only, but it contains bugs, so not every file that is executed will be infected. This virus does not check whether a file has already been infected, so it reinfects the file when it is run again, growing the size of the file.
The timestamp of the infected files will be changed to the time of infection.
Beda.337, 403, 419, 420, 552, 883, 1196 and 1301
Unlike Beda.332, they infect every DOS executable that is run, and they do not reinfect files.
For Beda.337, 403, 419 and 420, the timestamp of the infected files will be changed to the time of infection. For the rest, the timestamp will be malformed by changing the date to random values and the time to 23:54:52.
This is the only variant that infects EXE executables only, and the timestamp will be changed to the time of infection. Additionally, this variant contains bugs that might cause a system crash due to attempting to access an invalid part of memory during execution.
Beda.1314, 1530, 1724 and 1857
These variants infect every executable that is run, and the timestamp of the infected files will be malformed by changing the date to invalid values and 23:54:52 for the time.
Beda.3233 and 3291
These are encrypted variants. They infect every DOS executable that is run, and the timestamp of the infected files will be malformed by changing the date to invalid values and 23:54:52 for the time.
For EXE executables, not every file will be infected by these variants.
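The time 23:54:52 described above packs to the 16-bit DOS time word BEDAh, the same value the page gives as the family's identification for infected files. The following added example (not from the original page, and not derived from the virus code) decodes DOS directory timestamps and flags that value. Treating the time word as the marker is an inference from the arithmetic, and the function names and sample entries are constructed.

```python
from datetime import date

BEDA_TIME_WORD = 0xBEDA  # packed DOS time word for 23:54:52

def pack_dos_time(hour, minute, second):
    """Pack h:m:s into the 16-bit DOS time word (2-second resolution)."""
    return (hour << 11) | (minute << 5) | (second // 2)

def unpack_dos_time(word):
    """Return (hour, minute, second) from a 16-bit DOS time word."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2

def unpack_dos_date(word):
    """Return (year, month, day) without validating the calendar date."""
    return 1980 + ((word >> 9) & 0x7F), (word >> 5) & 0x0F, word & 0x1F

def dos_date_is_valid(word):
    """True if the packed DOS date is a real calendar date."""
    year, month, day = unpack_dos_date(word)
    try:
        date(year, month, day)
        return True
    except ValueError:
        return False

def triage(entries):
    """entries: iterable of (name, dos_time_word, dos_date_word).
    Returns (name, reason) for each entry whose time word is BEDAh."""
    findings = []
    for name, time_word, date_word in entries:
        if time_word != BEDA_TIME_WORD:
            continue
        reason = "time word is BEDAh (23:54:52)"
        if not dos_date_is_valid(date_word):
            reason += ", date field is not a valid calendar date"
        findings.append((name, reason))
    return findings

# Constructed sample directory entries (not taken from real infected files).
SAMPLE = [
    ("EDIT.COM", pack_dos_time(6, 0, 0), (14 << 9) | (5 << 5) | 31),       # 1994-05-31
    ("FORMAT.COM", 0xBEDA, (16 << 9) | (13 << 5) | 0),                     # month 13, day 0
    ("CHKDSK.EXE", pack_dos_time(23, 54, 52), (15 << 9) | (2 << 5) | 10),  # 1995-02-10
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE):
        print(f"{name}: {reason}")
```

A match on the time word alone is only a triage hint, since a clean file can legitimately carry that timestamp; an invalid date alongside it is the stronger signal.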
The following table shows the memory usage of the variants.
|Variant||Memory usage in bytes|
Beda.332, 337, 420 and 609
These variants do not manifest themselves in any way.
When a file infected by this variant is run, the virus appends 4 extra blank lines and a message:
WOODPECKER WARNING !
And then it thickens the cursor to insert mode style.
Beda.419 and 552
These variants play a chord from the PC speaker when an infected file is run.
Beda.883, 1196 and 1301
These variants manifest themselves with a video effect: they draw 3 moving color bars (red, green and blue) on screen. The effect can be cleared, and control returns to DOS, upon a keypress.
This is the only version that would produce the video effect.
This variant is a pre-release of the file-deleting version (Beda.1530 and so on) and it does not manifest itself in any way.
Beda.1530, 1724, 1857, 3233 and 3291
These variants are relatively dangerous. In an attempt to delete anti-virus programs, they check whether the filename of every file begins with any of the following text strings:
-V AIDSTEST A-DINF WEB
When such a program is run, the virus outputs a message:
Bad Command or file name
It then deletes the file, which is the same behaviour as that of Jerusalem.
They also hook INT 9, and depending on their internal counters they change the keys that are entered:
n -> y N -> Y
Except for Beda.1530, when an infected program is run in November or December, the virus resets the computer. If COMMAND.COM has been infected, the computer keeps resetting in an infinite loop during these months.
Beda.3233 and 3291 contain another payload but the method of activation is currently unknown.
This family has 16 variants in total:
A noticeable delay can be observed when a file infected by Beda.1301, 1196, 1314, 1530 or 1857 is run.
Beda.403 contains the internal text string:
WOODPECKER WARNING !
Beda.1724 contains the internal text string:
Beda.1857 contains the internal text string:
Beda.3233 contains the encrypted internal text strings:
_ister _anilov why you add in my family viruses ____-338 and ___-352 ? 07/28/98
The capital letters have been encrypted twice, but the original text string is the same as that in Beda.3291.
Beda.3291 contains the encrypted internal text strings:
Mister Danilov why you add in my family viruses BEDA-338 and BEDA-352 ? 02/06/96