Burger | |
---|---|
Type | File virus |
Creator | Ralf Burger |
Date Discovered | JUL-1986 |
Place of Origin | Germany |
Source Language | Assembly |
Platform | DOS |
File Type(s) | .com, exe |
Infection Length | 500 bytes |
Burger is a virus coded by Ralf Burger, the creator of Virdem. It is one of a few viruses created in 1986. It is also the first to be able to infect more than one file format, infecting .com and .exe files.
Behavior
When Burger is executed, it searches for the first .com file alphabetically in the current directory. If it finds no .com files, it will look in the first subdirectory for .com files. It searches the drive for all .exe and converts them to .com files so they can be infected. If the virus finds no .com or .exe files, it will overwrite the disk with random junk.
When Burger finds a file it can infect, it infects the file by overwriting it. The virus can bypass DOS write protection. When that file is executed, the virus infects the next file listed alphabetically. It will not infect a file a second time.
Burger is not intentionally destructive, but it may cause the system to crash or some programs to stop working. When some infected files are run, they may crash the system, as certain vital parts may be overwritten. If the file infected is COMMAND.COM, the system will not boot. Files changed from an .exe to a .com that are over a certain size may display a message similar to "Program too large to fit in memory" when they are run.
Variants
The full source code with instructions on how to assemble it is available in Ralf Burger's book, Computer Viruses: A High-Tech Disease, probably the reason that many variants have been reported. Burger even gives some suggestions on how to change the virus, mostly on how to make it smaller.
One variant from Taiwan is only 382 bytes long. Another from Portugal, Burger.Pirate is larger, weighing in at 609 bytes. A 405-byte variant contains an error that causes it to infect files multiple times.
Origin
Burger was completed in July of 1986 by Ralf Burger in West Germany. Similar to the Brain virus, it was a method of copy protection for Burger's Plot3d program. While it allows copying the program to the hard disk without issue, the virus activates if the original disk is not found in the floppy drive. In a letter dated 30-JUL-1986, Burger sent a letter to his customers informing them of this fact. Some customers responded, clearly not understanding the concept, some saying they "had no need" for such programs, others wanting to market the virus.
Name
Ralf Burger simply named the virus "Program Virus". Most antivirus products call the virus "Burger" after the creator. Today, this would be in violation of the CARO naming guidelines, but this virus predates CARO by several years.
Antivirus Aliases
- Avast: Virdem family
- Avira: Burger-A virus
- BitDefender: Burger.560.CF
- ClamAV: Virdem-Family
- F-Prot: Burger.560.CF (exact)
- F-Secure: Burger
- Kaspersky: Virus.DOS.Burger.560.a5
- McAfee: OC/bur
- Sophos: Burger-560j
- Symantec: Burger.560.A
- Trend Micro: Burger
Sources
Ralf Burger. Computer Viruses: A High-Tech Disease, pp. 128-137. Data Becker, GmbH, Düsseldorf; Abacus Software, Grand Rapids: 1987-1989. ISBN: 1-55755-043-3
F-Secure Antivirus, F-Secure Virus Descriptions : Burger.