Batch files can be used to transmit binary executable code and either be a virus or drop viruses.
One batch file virus takes the following form (it’s possible when this page displays you will receive a virus warning if you are running anti-virus software; don’t worry, it’s just triggering off the partial text below which has the virus code removed):
@ECHO OFF
:[ a label of specific form I won't mention ]
COPY %0.BAT C:\Q.COM>NUL
C:\Q
[ binary data ]
The first line causes batch file commands to not display on the screen so you won’t see what’s going on. The second line is a label as far as the batch file is concerned. In reality, this label is what makes the whole thing work so, of course, we’re not going to show any examples. The third line copies the batch file itself to an executable file named Q.COM in the root directory of the C: drive. The output of the COPY command is directed to the NUL device so you see nothing on the screen that indicates this copy took place. Finally, the fourth line executes the newly created Q.COM file.
On the surface you would think that trying to rename a .BAT file to .COM and execute it would result in nothing but errors. Normally, that is the case but the label changes all that. The text up to the label converts to instructions the CPU can execute, but they do nothing. When the label is “executed” this changes. The CPU interprets the label as instructions that cause the CPU to look ahead to the binary instructions in the batch file. These binary instructions are the real virus (or virus dropper).
There are several batch file viruses, but each works in a manner similar to that described above. The labels and batch file instructions may differ; but the method of operation is similar.
Use the characteristics of the virus described above to look for batch file viruses. If there are obscure labels (lines starting with a colon) at the start of a batch file, use caution. Most batch file labels are fairly straightforward words or names. Secondly, if you see a batch file that is several thousand bytes long yet when you use the DOS command TYPE to display it to the screen you only see a few lines, that is another tip-off. Most batch file viruses insert an end-of-file mark (Control-Z) between the batch file portion and the binary instruction portion.
Batch file viruses are not common; but be aware they do exist and have been seen in the wild. Indeed, a new worm version surfaced in early June 2002: Cup. This beast is complicated and arrives attached to an E-mail. If executed, Cup creates, executes, and sometimes deletes the files WORLDCUP_SCORE.VBS, EYEBALL.REG, JAPAN.VBS, ENGLAND.VBS, IRELAND.VBS, URAGUAY.VBS and ARGENTINA.BAT. The first file mass mails a file called WORLDCUP.BAT to your Outlook address book. The .REG file assures the worm is run at system start by changing the Windows registry. The worm has other payloads in the various .VBS files. So, you see that batch file viruses/worms can be fairly complicated.
Summary
- Batch files can be used to transmit binary executable code and either be or drop viruses.
- To detect these viruses look for two signs:
- An odd label at the start of the batch file
- A batch file that is too large for the text in it.
What Viruses Infect | |
Directories (Cluster) Viruses | Source Code |
Comments from original post:
charan raj
Said this on 2009-06-17 At 07:23 am
please send me some batch files viruses and hacking techniq.
#2
DaBoss
Said this on 2009-06-17 At 04:39 pm
In reply to #1
In the past these sorts of requests have come in via E-mail and I generally just deleted them without any comment or reply. I’ll do that with future comments of the same sort but just wanted to leave this one here to say that and show people that there are still people out there who don’t have a clue…and, in the case of these people that’s probably for the best. Sighhhhh….
#3
ayush rawat
Said this on 2010-02-05 At 02:42 am
hi,sir
please send me some batch files viruses and hacking techniq.
iam making a project on virus so i want to knw can i make a virus or antivirus
please tell me iam hoping a positive responce from you….. [In a word: NO –DaBoss]
#4
Edward
Said this on 2010-05-18 At 02:58 pm
Interesting article (randomly came across it whilst looking for workarounds to ‘goto “some nonexistant label”‘…yes I am new to batch.
I still haven’t fully understood why .com ignores the label colon. I would have thought that since : on its own is not a command, the parser would throw an error immediately, though I suppose a pipe then if errorlevel etc might allow you to carry on.
Anyway, just posting to say I find the above two ‘requests’ for building an antivirus extremely amusing. Like you said, fortunately they seem not to have a clue.
~cheers,