Batch File Viruses

While not often found, it is possible to write a batch file that contains a virus. In most cases the batch file is used to drop a memory or disk virus which then takes over when the computer is next started. These don't always work, but it is interesting to briefly go over the design so you can possibly recognize this type of virus if you happen to see one.

One batch file virus takes the following form (it's possible when this page displays you will receive a virus warning if you are running anti-virus software; don't worry, it's just triggering off the partial text below which has the virus code removed):

@ECHO OFF
:[ a label of specific form I won't mention ]
COPY %0.BAT C:\Q.COM>NUL
C:\Q
[ binary data ]

The first line causes batch file commands to not display on the screen so you won't see what's going on. The second line is a label as far as the batch file is concerned. In reality, this label is what makes the whole thing work so, of course, we're not going to show any examples. The third line copies the batch file itself to an executable file named Q.COM in the root directory of the C: drive. The output of the COPY command is directed to the NUL device so you see nothing on the screen that indicates this copy took place. Finally, the fourth line executes the newly created Q.COM file.

On the surface you would think that trying to rename a .BAT file to .COM and execute it would result in nothing but errors. Normally, that is the case but the label changes all that. The text up to the label converts to instructions the CPU can execute, but they do nothing. When the label is "executed" this changes. The CPU interprets the label as instructions that cause the CPU to look ahead to the binary instructions in the batch file. These binary instructions are the real virus (or virus dropper).

There are several batch file viruses, but each works in a manner similar to that described above. The labels and batch file instructions may differ; but the method of operation is similar.

Use the characteristics of the virus described above to look for batch file viruses. If there are obscure labels (lines starting with a colon) at the start of a batch file, use caution. Most batch file labels are fairly straightforward words or names. Secondly, if you see a batch file that is several thousand bytes long yet when you use the DOS command TYPE to display it to the screen you only see a few lines, that is another tip-off. Most batch file viruses insert an end-of-file mark (Control-Z) between the batch file portion and the binary instruction portion.

Batch file viruses are not common; but be aware they do exist and have been seen in the wild. Indeed, a new worm version surfaced in early June 2002: Cup. This beast is complicated and arrives attached to an E-mail. If executed, Cup creates, executes, and sometimes deletes the files WORLDCUP_SCORE.VBS, EYEBALL.REG, JAPAN.VBS, ENGLAND.VBS, IRELAND.VBS, URAGUAY.VBS and ARGENTINA.BAT. The first file mass mails a file called WORLDCUP.BAT to your Outlook address book. The .REG file assures the worm is run at system start by changing the Windows registry. The worm has other payloads in the various .VBS files. So, you see that batch file viruses/worms can be fairly complicated.

Summary

• Batch files can be used to transmit binary executable code and either be or drop viruses.
• To detect these viruses look for two signs:
  • An odd label at the start of the batch file
  • A batch file that is too large for the text in it.