Malware Wiki


1,335pages on
this wiki
Add New Page
Comments0 Share

Virus.DOS.Burma is a dangerous file overwriting virus on DOS, it is written by a Bulgarian virus writer Dark Avenger.

There are 10 variants in 3 versions, represented by the following:

  • Virus.DOS.Burma.409
  • Virus.DOS.Burma.442
  • Virus.DOS.Burma.563


The virus first activates by displaying a video effect, then it overwrites the first executable in both DOS and EXE formats from specified directories, after that it changes the current directory to specified place and then return to the DOS prompt.

This virus performs replacement overwriting, by copying itself with the target filename in order to replace it, so that it is not possible to recover the infected files. Additionally, the timestamp of the infected files would be changed to the time of infection.

The virus always points to the first file in both formats in a directory, no matter they have been infected or not, running the virus would always overwrite the same file instead of searching for the first uninfected file. However, it cannot infect files having the Read-only attribute, if the first executable file has been set to read-only, the virus may not able to spread.


This is the most dangerous variant and it is slightly different from the others. It performs file head overwriting and infects every executable file, plus SYS, ZIP, DAT and OVL files in current directory and all parent directories, including the root directory. The timestamp of the infected files will not be changed.

The virus also infects read-only files, but it does not infect files that are smaller than itself.

The infection area can be illustrated by the following example tree:

| |-SUB1-1
| |-SUB1-2
| |-SUB2-1
| |-SUB2-2
| |-SUB2-3

Assume the virus is located in directory SUB1-2, running this infected file would infect files in this directory, DIR1 and root. While the files in SUB1-1, the directory which next to the location of the virus and also a subdirectory of DIR1, and all other directories remain uninfected.

Burma.442, 442.c, 442.d, 442.e, 442.i

These variants overwrite files from current directory and C:\DOS, after that they move the current position to C:\DOS.


This variant overwrite files from current directory and the root directory, after that it moves the current position to root.

Burma.563 and 666

These variants overwrite files from the root directory and C:\DOS, i.e. files from other directories are not infected, after that they move the current position to C:\DOS.

For Burma.666, if an infected file already existed in root directory, running the virus would hang the system on attempting to replace the file, thus to empty the content from that file.


This variant overwrites files from current directory, i.e. files in C:\DOS might not be affected, after that it moves the current position to A:, the system would try to read the floppy drive.

If there is no disk inserted into the floppy drive, the system would prompt whether to try again, abort or stop, if the user chooses abort, the virus infects nothing. However, if there is a disk in the drive, the virus would hang the system on attempting the file replacement, which would empty the content from the files which to be infected.

After a failing access to A:, the virus returns to the same directory instead of C:\DOS.


Flushing the characters on screen like a toilet is the payload of these variants, followed by displaying message, while Burma.409, 442.c and 442.d do not feature this.


This variant does not manifest itself, but since the kernel system files (especially IO.SYS and MSDOS.SYS) have been overwritten, the system would not be able to start anymore so that the user must reinstall the system.


Burma.442 in action

Burma.442, 442.b, 442.e

After the payload these variants display the following text:

[Tempest - α]

Burma.442.c and 442.d

These variants do not have the video effect and no text would be displayed, but an extra empty line.


This variant flushes the characters without displaying any text afterwards.

Burma.563, 666 and 756

After the payload they display the following text:

Reading system configuration, please wait.

The underscores represent the ASCII character 01h.

Burma.756 also features a sound effect.


This family has 10 variants in total:

  • Virus.DOS.Burma.409
  • Virus.DOS.Burma.442 (plus B, C, D, E and I)
  • Virus.DOS.Burma.563
  • Virus.DOS.Burma.666
  • Virus.DOS.Burma.756

Other details

The sizes of the original sample of Burma.442.c and 442.d are only around 230 bytes, but files overwritten by them still have the size of 442 bytes, while the code of the characters flushing payload are completely empty.

Burma.409 contains the internal text string:

Tempest - α Of LuxemburgVaginal Discharge

Burma.442, 442.b and 442.e contain the internal text string:

[Tempest - α]
Rangoon, Burma

Burma.442.c, 442.d and 442.i contain the internal text string:


Burma.563, 666 and 756 contain the internal text string (the underscores as the ASCII character 01h):





Virus.DOS.Burma.409 review by Alles Sandro


Virus.DOS.Burma.442, 563, 756

Virus.DOS.Burma on Virtual PC

Burma DOS Virus00:13

Burma DOS Virus

Virus.DOS.Burma on Standalone PC

Ad blocker interference detected!

Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.