Virus.DOS.Burma is a dangerous file overwriting virus on DOS, it is written by a Bulgarian virus writer Dark Avenger.

There are 10 variants in 3 versions, represented by the following:

  • Virus.DOS.Burma.409
  • Virus.DOS.Burma.442
  • Virus.DOS.Burma.563


The virus first activates by displaying a video effect, then it overwrites the first executable in both DOS and EXE formats from specified directories excluding COMMAND.COM, after that it changes the current directory to specified place and then return to the DOS prompt.

This virus performs replacement overwriting, by copying itself with the target filename in order to replace it, so that it is not possible to recover the infected files. Additionally, the timestamp of the infected files would be changed to the time of infection.

The virus always points to the first file in both formats in a directory, no matter they have been infected or not, running the virus would always overwrite the same file instead of searching for the first uninfected file. However, it cannot infect files having the Read-only attribute, if this attribute has been set in the first executable file, the virus might not be able to spread.


This is the most dangerous variant and it is slightly different from the others. It performs file head overwriting and infects every executable file, plus SYS, ZIP, DAT and OVL files in current directory and all parent directories, including the root directory. The timestamp of the infected files will not be changed.

The virus also infects read-only files, but it does not infect files that are smaller than itself.

The infection area can be illustrated by the following example tree:

| |-SUB1-1
| |-SUB1-2
| |-SUB2-1
| |-SUB2-2
| |-SUB2-3

Assume the virus is located in directory SUB1-2, running this infected file would infect files in this directory, DIR1 and root. While the files in SUB1-1, the directory which next to the location of the virus and also a subdirectory of DIR1, and all other directories remain uninfected.

Burma.442, 442.c, 442.d, 442.e, 442.iEdit

These variants overwrite files from current directory and C:\DOS, after that they move the current position to C:\DOS.


This variant overwrite files from current directory and the root directory, after that it moves the current position to root.

Burma.563 and 666Edit

These variants overwrite files from the root directory and C:\DOS, i.e. files from other directories are not infected, after that they move the current position to C:\DOS.

For Burma.666, if an infected file already existed in root directory, running the virus would hang the system on attempting to replace the file, thus to empty the content from that file.


This variant overwrites files from current directory, i.e. files in C:\DOS might not be affected, after that it moves the current position to A:, the system would try to read the floppy drive.

If there is no disk inserted into the floppy drive, the system would prompt whether to try again, abort or stop, if the user chooses abort, the virus infects nothing. However, if there is a disk in the drive, the virus would hang the system on attempting the file replacement, which would empty the content from the files which to be infected.

After a failing access to A:, the virus returns to the same directory instead of C:\DOS.

Advanced detailsEdit

This virus does not stay memory resident after termination.

MD5 hashes:

Variant Hash
Burma.409 1418454d4dac4fa466393b1ff7651008
Burma.442 856f91a2165eb7eb9e4eeaf702b05278
Burma.442.b 9d3dd6d5dd54e8fbba1ed3bf043fb173
Burma.442.c cab7b19e0ec491b47bfbde201103df9e
Burma.442.d faa8f1ecd7ecf80b71ee6d0319bac3ba
Burma.442.e d7d893cfd73c226bed182485048fc5f4
Burma.442.i 4377cbf845162e5cfc2459a144281b84
Burma.563 f5c2b2ae9963fb4b28ff4420a07f6320
Burma.666 1e45addfabaecf2aa5675209db5a9861
Burma.756 3e96c24a08afa888aa613b1d9f54c2f8


Flushing the characters on screen like a toilet is the payload of these variants, followed by displaying message, while Burma.409, 442.c and 442.d do not feature this.


This variant does not manifest itself, but since the kernel system files (especially IO.SYS and MSDOS.SYS) have been overwritten, the system would not be able to start anymore so that the user must reinstall the system.


Burma.442 in action

Burma.442, 442.b, 442.eEdit

After the payload these variants display the following text:

[Tempest - α]

Burma.442.c and 442.dEdit

These variants do not have the video effect and no text would be displayed, but an extra empty line.


This variant flushes the characters without displaying any text afterwards.

Burma.563, 666 and 756Edit

After the payload they display the following text:

Reading system configuration, please wait.

The underscores represent the ASCII character 01h.

Burma.756 also features a sound effect.


This family has 10 variants in total:

  • Virus.DOS.Burma.409
  • Virus.DOS.Burma.442 (plus B, C, D, E and I)
  • Virus.DOS.Burma.563
  • Virus.DOS.Burma.666
  • Virus.DOS.Burma.756

Other detailsEdit

The sizes of the original sample of Burma.442.c and 442.d are only around 230 bytes, but files overwritten by them still have the size of 442 bytes, while the code of the characters flushing payload are completely empty.

Burma.409 contains the internal text string:

Tempest - α Of LuxemburgVaginal Discharge

Burma.442, 442.b and 442.e contain the internal text string:

[Tempest - α]
Rangoon, Burma

Burma.442.c, 442.d and 442.i contain the internal text string:


Burma.563, 666 and 756 contain the internal text string (the underscores as the ASCII character 01h):



  1. List of variants of the Burma virus on VX Heaven




Virus.DOS.Burma.409 review by Alles Sandro


Virus.DOS.Burma.442, 563, 756

Virus.DOS.Burma on Virtual PC

Burma DOS Virus00:13

Burma DOS Virus

Virus.DOS.Burma on Standalone PC

Ad blocker interference detected!

Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.