

Virus.DOS.Beda is a memory-resident parasitic virus for DOS. Some variants are self-encrypting.

There are 16 variants in 6 versions, represented by the following:

  • Virus.DOS.Beda.332
  • Virus.DOS.Beda.337
  • Virus.DOS.Beda.609
  • Virus.DOS.Beda.883
  • Virus.DOS.Beda.1530
  • Virus.DOS.Beda.3233

Behavior

When the virus is loaded into memory, it hooks INT 21h and writes itself to the end of files that are run or closed. When an infected file is opened, the virus temporarily disinfects it, but the file is infected again when it is closed.

The virus uses the hexadecimal value BEDAh as its identification marker for infected files and for detecting a TSR copy of itself that is already loaded. During infection the virus might corrupt the target file, causing the system to crash when the file is executed.

The infection size varies in different files.

Beda.332

This variant is believed to be the very first version of the Beda family. It infects DOS executables only, but it contains bugs, so not every file that is executed will be infected. This virus does not check whether a file has already been infected, so it reinfects the file each time it is run again, growing the size of the file.

The timestamp of the infected files will be changed to the time of infection.

Beda.337, 403, 419, 420, 552, 883, 1196 and 1301

Unlike Beda.332, they infect every DOS executable that is run, and they do not reinfect files.

For Beda.337, 403, 419 and 420, the timestamp of the infected files will be changed to the time of infection. For the rest, the timestamp is malformed: the date is changed to random values and the time to 23:54:52.

Beda.609

This is the only variant that infects EXE executables only, and the timestamp will be changed to the time of infection. Additionally, this variant contains bugs that might cause a system crash by attempting to access an invalid part of memory during execution.

Beda.1314, 1530, 1724 and 1857

These variants infect every executable that is run, and the timestamp of the infected files is malformed: the date is changed to invalid values and the time to 23:54:52.

Beda.3233 and 3291

These are encrypted variants. They infect every DOS executable that is run, and the timestamp of the infected files is malformed: the date is changed to invalid values and the time to 23:54:52.

Not every EXE executable is infected by these variants.
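Packed in the standard DOS time-word layout, the 23:54:52 time written by these variants is the 16-bit value BEDAh, the same value given above as the identification marker. The following is an added example, not part of the original page: it parses FAT12/16 directory entries and flags executables carrying that time word. The sample entries and all helper names are constructed for illustration.

```python
import struct
from datetime import date

BEDA_TIME_WORD = 0xBEDA  # 23:54:52 packed as a DOS time word

def decode_dos_time(word):
    """DOS time word: 5 bits hour, 6 bits minute, 5 bits of 2-second units."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2

def decode_dos_date(word):
    """DOS date word: 7 bits year since 1980, 4 bits month, 5 bits day."""
    return 1980 + ((word >> 9) & 0x7F), (word >> 5) & 0x0F, word & 0x1F

def date_is_valid(word):
    try:
        date(*decode_dos_date(word))
        return True
    except ValueError:
        return False

def parse_dir_entry(entry):
    """Parse one 32-byte FAT12/16 directory entry (time at offset 22, date at 24)."""
    name = entry[0:8].decode("ascii").rstrip()
    ext = entry[8:11].decode("ascii").rstrip()
    time_word, date_word = struct.unpack_from("<HH", entry, 22)
    return f"{name}.{ext}", time_word, date_word

def triage(entries):
    """Return (filename, date_is_valid) for executables stamped 23:54:52.

    Heuristic only: a clean file can legitimately carry this time."""
    hits = []
    for raw in entries:
        name, time_word, date_word = parse_dir_entry(raw)
        if name.endswith((".COM", ".EXE")) and time_word == BEDA_TIME_WORD:
            hits.append((name, date_is_valid(date_word)))
    return hits

def make_entry(name, ext, time_word, date_word, size):
    """Build a constructed directory entry; used only for the sample data."""
    return struct.pack("<8s3sB10sHHHI", name.ljust(8).encode(), ext.encode(),
                       0x20, b"\0" * 10, time_word, date_word, 2, size)

SAMPLE = [  # constructed entries, not taken from any real disk
    make_entry("EDIT", "COM", 0xBEDA, 0x01FF, 4096),    # month 15: invalid date
    make_entry("FORMAT", "COM", 0x6000, 0x16A5, 9000),  # 12:00:00, 1991-05-05
    make_entry("GAME", "EXE", 0xBEDA, 0x2046, 20000),   # valid date 1996-02-06
    make_entry("README", "TXT", 0xBEDA, 0x2046, 512),   # not an executable
]

if __name__ == "__main__":
    for name, valid in triage(SAMPLE):
        print(name, "23:54:52", "valid date" if valid else "invalid date")
```

A match on the time word alone is a weak indicator; an invalid date alongside it narrows the result to the variants described as writing invalid date values.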

Memory usage

The following table shows the memory usage of the variants.

Variant      Memory usage (bytes)
Beda.332     1,024
Beda.337     1,024
Beda.403     1,024
Beda.419     1,024
Beda.420     1,024
Beda.552     1,024
Beda.609     640
Beda.883     2,048
Beda.1196    3,072
Beda.1301    3,072
Beda.1314    3,072
Beda.1530    3,072
Beda.1724    3,072
Beda.1857    3,072
Beda.3233    4,096
Beda.3291    4,096

Payload

Beda.332, 337, 420 and 609

These variants do not manifest themselves in any way.

Beda.403

When a file infected by this variant is run, the virus appends 4 extra blank lines and a message:

WOODPECKER WARNING !

It then thickens the cursor to the insert-mode style.

Beda.419 and 552

These variants play a chord from the PC speaker when an infected file is run.

Beda.883, 1196 and 1301

These variants manifest themselves with a video effect: they draw 3 moving color bars (red, green and blue) on screen. The effect is cleared, and control returns to DOS, upon a keypress.

This is the only version that produces the video effect.

Beda.1314

This variant is a pre-release of the file-deleting version (Beda.1530 and so on), and it does not manifest itself in any way.

Beda.1530, 1724, 1857, 3233 and 3291

These variants are relatively dangerous. In an attempt to delete anti-virus programs, they check whether the filename of each file begins with any of the following text strings:

-V AIDSTEST A-DINF WEB

When such a program is run, the virus outputs a message:

Bad Command or file name

It then deletes the file, which is the same behavior as that of Jerusalem.

They also hook INT 9, and depending on their internal counters they change the keys that are entered:

n -> y
N -> Y

Except for Beda.1530, when an infected program is run in November or December, the virus resets the computer. If COMMAND.COM has been infected, the computer keeps resetting in an infinite loop during these months.

Beda.3233 and 3291 contain another payload but the method of activation is currently unknown.

Variants

This family has 16 variants in total:

  • Virus.DOS.Beda.332
  • Virus.DOS.Beda.337
  • Virus.DOS.Beda.403
  • Virus.DOS.Beda.419
  • Virus.DOS.Beda.420
  • Virus.DOS.Beda.552
  • Virus.DOS.Beda.609
  • Virus.DOS.Beda.883
  • Virus.DOS.Beda.1196
  • Virus.DOS.Beda.1301
  • Virus.DOS.Beda.1314
  • Virus.DOS.Beda.1530
  • Virus.DOS.Beda.1724
  • Virus.DOS.Beda.1857
  • Virus.DOS.Beda.3233
  • Virus.DOS.Beda.3291

Other details

A noticeable delay can be observed when a file infected by Beda.1301, 1196, 1314, 1530 or 1857 is run.

Beda.403 contains the internal text string:

WOODPECKER WARNING !

Beda.1724 contains the internal text string:

07/28/98

Beda.1857 contains the internal text string:

05/05/91

Beda.3233 contains the encrypted internal text strings:

_ister _anilov why you add in my family viruses ____-338 and ___-352 ?
07/28/98

The capital letters have been encrypted twice, but the original text string is the same as that in Beda.3291.

Beda.3291 contains the encrypted internal text strings:

Mister Danilov why you add in my family viruses BEDA-338 and BEDA-352 ?
02/06/96


Videos


Beda virus review by danooct1
