| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM and EXE infector |
| Length: | 1600 |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | None |
| Computer model(s): | PC's |
| Caroname: | Barrotes |
Attributes | |
| Easy identification: | |
Type of Infection: | Appending, uses DOS file length to position virus. Selfrec in memory: INT 21h/EEh => AL=FEh Selfrec on disk: file[lastbyte-1..lastbyte] = "SO" |
| Infection Technique: | |
| Infection Trigger: | ExecINFECTION_CRIT: EXEloadSize = EXEfileSize,(COMlength > 256) and (COMlength <= 64002) |
| Storage Media affected: | |
| Interrupts hooked: | 21h/4B00h, 21h/EEh, 24h (during infection) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient: Resident routine which displays a message and 8 verticalbars down the screen. The display is continually refreshedso as to be atop whatever is on the screen (80x25 textmode). The bars have a sort-of 3D effect, and theircolours (vertical stripes) are cycled by the virus. Permanent: Master Boot Record trashed |
| Damage Trigger: | Transient: (Day = 5th) and (Month = January) Permanent: (Day = 5th) and (Month = January) |
| Particularities: | None Displayed text: "Virus BARROTES por OSoft" (encrypted) Not displayed text: None The virus manipulates the IVT directly when hookinginterrupts. INT 21h/25h is not used. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Paul Ducklin |
| Documentation by: | Paul Ducklin |
| Date: | |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg