ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» º Batch File Viruses º ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ Usually virus writers strive to make their viruses as complex as possible to prevent anti-virus programs from detecting them. Certain writers, however, try to push their creations to the utmost limits of simplicity. Some of them have wanted to create the smallest possible virus -- at the moment, the smallest virus consists of just 25 bytes -- while others have taken advantage of DOS's relatively simple batch language and written viruses infecting BAT files. BAT viruses do not usually pose a serious threat due to their simplicity. They are generally unable to spread quickly between computers, so infections that do happen are normally limited to small areas. Ralf Burger published the world's first known BAT virus in his book Das groáe Computerviren-Buch in 1987, calling it VR.BAT. VR.BAT did not, however, function purely on DOS batch language, for it used also machine-language code located in a separate file. Since the virus destroyed its victim, it generally did not take long for a user to smell something fishy. Batman ------ A few other simple BAT viruses have been found since Burger's VR.BAT. At the turn of the year, however, a batch file virus unlike any other BAT virus previously encountered, called Batman, was discovered. What made Batman stand apart from other BAT viruses was its ability to install itself into memory. This is possible, since the Batman virus contains binary-form machine language code inside the BAT listing. @ECHO OFF REM copy %0 b.com>nul b.com del b.com rem In other words, the virus first renames itself as B.COM, after which it executes this file as a normal COM program. This is made possible by the fact that the capital-letter @ECHO OFF and REM commands at the beginning of the file translate to machine language commands which have no bearing on the functioning of the virus whatsoever. Text Code ----------------------------------- @ INC AX E INC BP C INC BX H DEC AX O DEC DI OF AND [BX+46],CL F INC SI R OR AX,520A E INC BP M DEC BP The first part of the binary code includes a jump command to the end part of Batman's code. The end part contains the commands for installing the virus into memory. Since Batman does not check memory before installing itself, the virus reinstalls itself into memory every time an infected file is executed. Little by little, it eats away the available memory. The virus monitors write operations to files while it is active in memory. It checks the beginning of files every time they written to. If the file in question starts with the command @ECHO, the virus judges it to be a batch file and infects it. Since Batman makes no attempt to check whether it has already infected a file, the same file can be infected many times over. Moreover, if several copies of the virus have installed themselves into memory, every single one of them infects the batch files that are being written to. Case: The Batch Virus "BAT-Parasite" in Finland ----------------------------------------------- At the beginning of June, the F-PROT Support of Data Fellows Ltd. received a letter from Lahti, Finland, signed by a person using the pseudonym Pelimies (Player). A diskette containing a virus that spreads via BAT files was included in the letter. In the letter, the writer explained that the virus had infested his and his friends' computers for months, and that it had also infected the microcomputers of his school. Closer examination proved the virus to be wholly functional, if somewhat simple. It consists of BAT files, the joint length of which measures 1111 bytes. The virus conceals itself by hiding three of its four BAT files by using the DOS command ATTRIB. One of its files, CHECK.BAT, contains the following text in its beginning: Copyright (c) 1993 damage program laboratory, Finland Program PARASITE This version is harmless voyager The virus was duly named BAT-Parasite. The virus spreads via diskettes. A contaminated diskette contains one visible file, PELI.BAT (Peli is Finnish and means "game"), which, when executed, copies itself and the hidden virus files to the \DOS directory of the logical disk C. At the same time, BAT-Parasite renames the file FORMAT.COM, giving it the name F.COM. A compensating file called FORMAT.BAT has been included in the virus to prevent the user from noticing the switch. BAT-Parasite infects diskettes when they are formatted. When a user tries to run the FORMAT program, the viral FORMAT.BAT file first executes F.COM, using the command line switches the user has given. Having done that, the CHECK.BAT file copies the viral files to the diskette. All the diskettes formatted in a contaminated computer contain the visible file PELI.BAT and the three hidden viral files. The creator of BAT-Parasite has relied on an enticing name to have people execute the BAT file in their computers. When PELI.BAT is executed, the virus copies itself from the diskette to the hard disk and displays the message: ERROR, game not start after which it terminates its execution. The virus is unable to spread if a computer does not contain the directory C:\DOS. The functioning of BAT-Parasite is also hindered, but not completely blocked, by the lack of the programs ATTRIB and FORMAT. Even though BAT-Parasite is not a serious threat, it can spread quite unnoticed despite its simple structure. The virus can be removed by simply deleting the files PELI.BAT, RESIDENT.BAT, CHECK.BAT and FORMAT.BAT, and changing the name of F.COM back to FORMAT.COM.