FANDOM


Virus.DOS.Beda is a memory resident parasitic virus on DOS, and some variants have the self-encrypting ability.

There are 16 variants in 6 versions, represented by the following:

  • Virus.DOS.Beda.332
  • Virus.DOS.Beda.337
  • Virus.DOS.Beda.609
  • Virus.DOS.Beda.883
  • Virus.DOS.Beda.1530
  • Virus.DOS.Beda.3233

BehaviorEdit

When the virus is loaded into memory, it hooks INT 21h and writes itself to the end of files that are run or closed. When an infected file is opened, the virus disinfects it temporarily, but it would be infected again on closing.

The virus uses BEDAh hexadecimal value as the virus' identification for infected files, and on detection of the virus TSR copy which has been loaded. During infection the virus might corrupt the file to be infected, making the system to crash when the file is executed.

The infection size varies in different files.

Beda.332Edit

This variant is believed to be the very first version of the Beda family. It infects DOS executable files only, but it contains bugs that not every file that are executed will be infected. This virus does not check whether a file has already infected so it would reinfect when the file is run again, thus to grow the size of the file.

The timestamp of the infected files will be changed to the time of infection.

Beda.337, 403, 419, 420, 552, 883, 1196 and 1301Edit

Unlike Beda.332, they infect every DOS executable that is run, and they do not reinfect files.

For Beda.337, 403, 419 and 420, the timestamp of the infected files will be changed to the time of infection. While that for the rest, it will be malformed by changing the date to random values and 23:54:52 for the time.

Beda.609Edit

This is the only variant that infects EXE executables only, and the timestamp will be changed to the time of infection. Additionally, this variant contains bugs that might crash the system due to attempting to access an invalid part of memory during execution.

Beda.1314, 1530, 1724 and 1857Edit

These variants infect every executable that is run, and the timestamp of the infected files will be malformed by changing the date to invalid values and 23:54:52 for the time.

Beda.3233 and 3291Edit

These are encrypted variants. They infect every DOS executable that is run, and the timestamp of the infected files will be malformed by changing the date to invalid values and 23:54:52 for the time.

For EXE executable, not every file would be infected by these variants.

Advanced detailsEdit

The TSR memory usage of the variants are shown below:

Variant Memory usage in bytes
Beda.332 1,024
Beda.337 1,024
Beda.403 1,024
Beda.419 1,024
Beda.420 1,024
Beda.552 1,024
Beda.609 640
Beda.883 2,048
Beda.1196 3,072
Beda.1301 3,072
Beda.1314 3,072
Beda.1530 3,072
Beda.1724 3,072
Beda.1857 3,072
Beda.3233 4,096
Beda.3291 4,096

MD5 hashes:

Variant Hash
Beda.332 695f3909fc94244295b2dcaadd9414aa
Beda.337 592cfbb4c79a690cccdc1f9d5a6385a7
Beda.403 44583bf238a79b837ff695f4f4a652d3
Beda.419 800a731174e01cb90696c6c72e5887df
Beda.420 4b72f216bea0684b3092dc3bd60bb331
Beda.552 3e4bd07bd0709fb7602f170ae5e3f954
Beda.609 c078e6e3e59202e1a12b014ebc3df082
Beda.883 5f1716a070ba48b371453ff13c5a13be
Beda.1196 e58e1308aadf6eca6715ecca5debd76a
Beda.1301 15b12f394eb3e7b72c62dc05ada49729
Beda.1314 fe2bb8fed247cfdd8b2f5bd2d05373d1
Beda.1530 e80f0c81998ed8be660a4e6d3f6b79e4
Beda.1724 30be3b810caba1fd274a9a803dc386df
Beda.1857 991f8ddb92f0ff0834dc06c1dd46bec9
Beda.3233 9ac0ca349d542205513ab6d21e0c27d7
Beda.3291 6c628c551284eb7f64cfaaeba4922d5e

PayloadEdit

Beda.332, 337, 420 and 609Edit

These variants do not manifest themselves at any way.

Beda.403Edit

When a file infected by this variant is run, the virus appends 4 extra blank lines and a message:

WOODPECKER WARNING !

And then it thickens the cursor to insert mode style.

Beda.419 and 552Edit

These variants play a cord from the PC speaker when an infected file is run.

Beda.883, 1196 and 1301Edit

These variants manifest themselves with a video effect, they draw 3 moving color bars (red, green and blue) on screen, it can be cleared and would return to DOS upon a keypress.

This is the only version that would produce the video effect.

Beda.1314Edit

This variant is a pre-release of the file deleting version (Beda.1530 and so on) and it does not manifest itself at anyway.

Beda.1530, 1724, 1857, 3233 and 3291Edit

These variants are relatively dangerous. They detect every file whether the filename begins with any of the following text strings in attempt to delete anti-virus programs:

-V AIDSTEST A-DINF WEB

When such program is run, the virus outputs a message:

Bad Command or file name

And then it deletes the file which is same as that of Jerusalem.

They also hook INT 9, and depending on their internal counters they change the keys that are entered:

n -> y
N -> Y

Except Beda.1530, when an infected program is run in November or December, the virus resets the computer. If COMMAND.COM has been infected, the computer would keep on resetting in an infinite loop in these months.

Beda.3233 and 3291 contain another payload but the method of activation is currently unknown.

VariantsEdit

This family has 16 variants in total:

  • Virus.DOS.Beda.332
  • Virus.DOS.Beda.337
  • Virus.DOS.Beda.403
  • Virus.DOS.Beda.419
  • Virus.DOS.Beda.420
  • Virus.DOS.Beda.552
  • Virus.DOS.Beda.609
  • Virus.DOS.Beda.883
  • Virus.DOS.Beda.1196
  • Virus.DOS.Beda.1301
  • Virus.DOS.Beda.1314
  • Virus.DOS.Beda.1530
  • Virus.DOS.Beda.1724
  • Virus.DOS.Beda.1857
  • Virus.DOS.Beda.3233
  • Virus.DOS.Beda.3291

Other detailsEdit

A noticeable delay can be observed when a file infected by Beda.1301, 1196, 1314, 1530 or 1857 is run.

Beda.403 contains the internal text string:

WOODPECKER WARNING !

Beda.1724 contains the internal text string:

07/28/98

Beda.1857 contains the internal text string:

05/05/91

Beda.3233 contains the encrypted internal text strings:

_ister _anilov why you add in my family viruses ____-338 and ___-352 ?
07/28/98

The capital letters have been encrypted twice, but the original text string is as same as that in Beda.3291.

Beda.3291 contains the encrypted internal text strings:

Mister Danilov why you add in my family viruses BEDA-338 and BEDA-352 ?
02/06/96

ReferencesEdit

  1. Beda virus description on Online VSUM
  2. List of variants of the Beda virus on VX Heaven

VideosEdit

Virus.DOS02:38

Virus.DOS.Beda

Beda virus review by danooct1

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.