Burma


Virus.DOS.Burma is a dangerous file-overwriting virus for DOS, written by the Bulgarian virus writer Dark Avenger.

There are 10 variants in 3 versions, represented by the following:

  • Virus.DOS.Burma.409
  • Virus.DOS.Burma.442
  • Virus.DOS.Burma.563

Behavior

The virus first activates by displaying a video effect. It then overwrites the first executable in both DOS and EXE formats in the specified directories, changes the current directory to a specified place and returns to the DOS prompt.

This virus performs replacement overwriting: it copies itself under the target filename in order to replace the target, so the infected files cannot be recovered. Additionally, the timestamp of the infected files is changed to the time of infection.

The virus always targets the first file of each format in a directory, whether or not it has already been infected, so running the virus always overwrites the same file instead of searching for the first uninfected one. It also cannot infect files that have the Read-only attribute; if the first executable file has been set to read-only, the virus may not be able to spread.

Burma.409

This is the most dangerous variant, and it differs slightly from the others. It performs file head overwriting and infects every executable file, plus SYS, ZIP, DAT and OVL files, in the current directory and all parent directories, including the root directory. The timestamp of the infected files is not changed.

The virus also infects read-only files, but it does not infect files that are smaller than itself.

The infection area can be illustrated by the following example tree:

C:(root)
|-DIR1
| |-SUB1-1
| |-SUB1-2
|-DIR2
| |-SUB2-1
| |-SUB2-2
| |-SUB2-3
|-DOS

Assume the virus is located in directory SUB1-2. Running this infected file would infect files in this directory, DIR1 and the root. Files in SUB1-1, which sits next to the virus's directory and is also a subdirectory of DIR1, and files in all other directories remain uninfected.

Burma.442, 442.c, 442.d, 442.e, 442.i

These variants overwrite files in the current directory and C:\DOS, then change the current directory to C:\DOS.

Burma.442.b

This variant overwrites files in the current directory and the root directory, then changes the current directory to the root.

Burma.563 and 666

These variants overwrite files in the root directory and C:\DOS, i.e. files in other directories are not infected. They then change the current directory to C:\DOS.

For Burma.666, if an infected file already exists in the root directory, running the virus hangs the system while it attempts to replace the file, which empties that file's content.

Burma.756

This variant overwrites files in the current directory, i.e. files in C:\DOS might not be affected. It then changes the current position to A:, so the system tries to read the floppy drive.

If there is no disk in the floppy drive, the system prompts whether to try again, abort or stop; if the user chooses abort, the virus infects nothing. However, if there is a disk in the drive, the virus hangs the system while attempting the file replacement, which empties the content of the files that were to be infected.

After a failed access to A:, the virus returns to the same directory instead of C:\DOS.
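For triage after a known execution, the directory rules in the variant sections above can be turned into a list of places to inspect. This is an added example, not code from the wiki or from any sample; the function name is hypothetical, and "root" is assumed to mean the root of the drive the sample ran on.

```python
from pathlib import PureWindowsPath

# Directory rules transcribed from the variant descriptions above.
# "cwd" is where the sample ran; "root" is taken to be the root of that
# drive (assumption); "dos" is C:\DOS; "parents" is every ancestor of cwd.
RULES = {
    "409": ("cwd", "parents"),
    "442": ("cwd", "dos"), "442.c": ("cwd", "dos"), "442.d": ("cwd", "dos"),
    "442.e": ("cwd", "dos"), "442.i": ("cwd", "dos"),
    "442.b": ("cwd", "root"),
    "563": ("root", "dos"), "666": ("root", "dos"),
    "756": ("cwd",),
}


def affected_dirs(variant, cwd):
    """Return the directories to inspect for overwritten files, in order."""
    cwd = PureWindowsPath(cwd)
    if not cwd.is_absolute():
        raise ValueError("cwd must be an absolute DOS path")
    expand = {
        "cwd": [cwd],
        "parents": list(cwd.parents),          # nearest parent first, root last
        "root": [PureWindowsPath(cwd.anchor)],
        "dos": [PureWindowsPath(r"C:\DOS")],
    }
    dirs = [d for rule in RULES[variant] for d in expand[rule]]
    # dict.fromkeys drops duplicates (e.g. cwd == C:\DOS) but keeps order.
    return [str(d) for d in dict.fromkeys(dirs)]


if __name__ == "__main__":
    # The example tree above: the sample sits in C:\DIR1\SUB1-2.
    for v in ("409", "442", "563", "756"):
        print(v, affected_dirs(v, r"C:\DIR1\SUB1-2"))
```

For Burma.409 every listed directory needs a full check of executables plus SYS, ZIP, DAT and OVL files; for the other variants only the first executable of each format in each directory is overwritten.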

Payload

The payload of these variants flushes the characters on the screen like a toilet and then displays a message; Burma.409, 442.c and 442.d do not.

Burma.409

This variant does not manifest itself, but since the kernel system files have been overwritten, the system can no longer start and the user must reinstall it.

Figure: Burma.442 in action

Burma.442, 442.b, 442.e

After the payload these variants display the following text:

[Tempest - α]

Burma.442.c and 442.d

These variants do not have the video effect and display no text, only an extra empty line.

Burma.442.i

This variant flushes the characters without displaying any text afterwards.

Burma.563, 666 and 756

After the payload they display the following text:

Reading system configuration, please wait.
S_w_i_z_z_l_e_S_t_y_x_x_!

The underscores represent the ASCII character 01h.

Burma.756 also features a sound effect.

Variants

This family has 10 variants in total:

  • Virus.DOS.Burma.409
  • Virus.DOS.Burma.442 (plus B, C, D, E and I)
  • Virus.DOS.Burma.563
  • Virus.DOS.Burma.666
  • Virus.DOS.Burma.756

Other details

The original samples of Burma.442.c and 442.d are only around 230 bytes in size, but files overwritten by them are still 442 bytes long, and the code of the character-flushing payload is completely empty.

Burma.409 contains the internal text string:

*.COM
*.EXE
*.ZIP
*.DAT
*.SYS
*.OVL
Tempest - α Of LuxemburgVaginal Discharge

Burma.442, 442.b and 442.e contain the internal text string:

*.?x?
*.?o?
\DOS
[Tempest - α]
Rangoon, Burma

Burma.442.c, 442.d and 442.i contain the internal text string:

*.?x?
*.?o?
\DOS

Burma.563, 666 and 756 contain the internal text string (the underscores as the ASCII character 01h):

*.?x?
*.?o?
\DOS
D_a_r_k_A_v_e_n_g_e_r
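The internal strings listed above can be used as simple byte markers when sorting suspect files into variant groups. This is an added example, not code from the wiki or a vendor signature; it assumes the strings are stored as plain contiguous bytes, leaves out the "α" character because its encoding is not given on the page, and treats the wildcard-only group as a low-confidence match. The sample buffer is constructed for the demonstration.

```python
def interleave_01(text):
    """Join the characters of text with 0x01 bytes, as the page describes."""
    return b"\x01".join(bytes([c]) for c in text.encode("ascii"))


# (label, markers that must all be present), most specific group first.
SIGNATURES = [
    ("Burma.409", [b"*.ZIP", b"*.OVL", b"Of Luxemburg"]),
    ("Burma.442/442.b/442.e",
     [b"*.?x?", b"\\DOS", b"[Tempest - ", b"Rangoon, Burma"]),
    ("Burma.563/666/756",
     [b"*.?x?", b"\\DOS", interleave_01("DarkAvenger")]),
    # Only wildcards and \DOS: weak evidence, so it is checked last.
    ("Burma.442.c/442.d/442.i", [b"*.?x?", b"*.?o?", b"\\DOS"]),
]


def classify(data):
    """Return the first variant group whose markers all occur in data."""
    for label, markers in SIGNATURES:
        if all(m in data for m in markers):
            return label
    return None


def naive_hit(data):
    """A plain-text search, which misses the 0x01-separated form."""
    return b"DarkAvenger" in data


# Constructed buffer laid out like the Burma.563/666/756 string table.
SAMPLE = (b"\x00" * 16 + b"*.?x?\x00*.?o?\x00\\DOS\x00"
          + interleave_01("DarkAvenger"))

if __name__ == "__main__":
    print(classify(SAMPLE), naive_hit(SAMPLE))
```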

Videos

  • Virus.DOS.Burma.409 review by Alles Sandro (01:02)
  • Virus.DOS.Burma.442, 563, 756: Virus.DOS.Burma on Virtual PC (00:55)
  • Burma DOS Virus: Virus.DOS.Burma on Standalone PC (00:13)
