home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Collection of Hack-Phreak Scene Programs
/
cleanhpvac.zip
/
cleanhpvac
/
BATCHCOL.ZIP
/
TOOLS.ZIP
/
BATALIA.ZIP
/
BATALIA.TXT
next >
Wrap
Text File
|
1996-12-12
|
4KB
|
90 lines
BAT.Batalia6
-----------------------------------------------------------------
It is a harmless nonmemory resident polymorphic parasitic BAT
virus. It searches for BAT files in the current directory, then
infects them. While infecting a file the virus runs the ARJ
archiver to pack the necessary files. If there are no ARJ.EXE
file in PATH, the virus fails to replicate itself.
The infected contains two parts of code and data. The first part
(the header) contains five DOS commands, the second part (the
rest) contains a random named BAT file that is compressed by
using the ARJ archiver and a password. So, the infected file
contains the text strings (DOS commands) and the binary data (ARJ
archive).
That BAT file also contains two parts: the main virus code (batch
commands) and the compressed data. The compressed data contains
several files: the host file, the virus data and code files. The
infected files look as ARJ archive within ARJ archive:
Infected BAT file:
+--------------------+
ªBAT instructions ª - Header1, startup virus code
ª--------------------ª
ª ARJ archive: ª - Random named BAT file packed with ARJ
ª +----------------+ ª
ª ªBAT instructionsª ª - Header2, main virus code
ª ª----------------ª ª
ª ª ARJ archive: ª ª - The set of files
ª ª +------------+ ª ª
ª ª ªBATALIA6.BATª ª ª - Infection, polymorphic and random generator
ª ª ª ª ª ª routines
ª ª ªhostfile.BATª ª ª - The original host file
ª ª ªZAGL ª ª ª - Virus data file
ª ª ªRULZ ª ª ª - Virus data file
ª ª ªFINAL.BAT ª ª ª - Deletes the temporary files and subdirectory
ª ª +------------+ ª ª
ª +----------------+ ª
+--------------------+
Header1 contains five commands that are selected from several
variants and have different lengths, for example:
@echo off @EcHo OfF
rem arj e %0 %compec% -g5 rem COMMAND.COM nul /carj x %0 -g1
C:\COMMAND.COM nul /carj x %0 -g2 %comspec% nul /c arj e HOST.BAT -g3
:nul arj x %0 -g7 C:\COMMAND.COM :echo C:\COMMAND.COM nul /carj x %0
w HOST.BAT i HOST.BAT
The ARJ archive is encrypted with a random selected password, so
the virus does not contain constant bytes, and as a result it is
the first known polymorphic BAT virus.
When executed, the virus (header1) runs ARJ archiver, extracts
the second part (BAT file) and executes it. The code of second
part creates the temporary directory, extracts the files from the
second archive to the temporary directory, then runs the
searching, infecting and polymorphic routines, then executed the
host file and deletes the temporary files and temporary
directory.
The code of the virus contains only the text strings. There are
the comments:
: Death Virii Crew & Stealth Group World Wide
: P R E S E N T S
: First Mutation Engine for BAT !
: Without ASM !
: [BATalia6] & FMEB (c) by Reminder
: // __ _
: +-------- /// ------+ ___ Magazine _ for VirMakers
: ª+++-++- // // -+-+++ª ___ ________________ _ ___________________ _ ________
: ª++ ª ª ///// ª ª ªªª __ ___ ___ ___ ___ ___ ___ ___ ª _ ___ _ ___ ___
: ª++ - + ///// ++- ++ª _ _ _ __ __ _ _ __ _ _ _ _ _ _ _ _ _
: +------ // // -------+ _ _ _ _ ___ ___ _ ___ ___ __ ___ _ ___ ____
: GROUP // // WORLDWIDE _ _________________ _______________________________
:
: Box 10, Kiev 252148
: Box 15, Moscow 125080
: Box 11, Lutsk 263020
:
: R E A D I N F E C T E D V O I C E
:
: (c) by Reminder (May 22, 1996)