Virus Database


Ball.691

Description Ball.691

This is a not dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. Depending on its internal counters the virus also hooks INT 1Ch and manifests itself with a video effect.


BAT.Batalia6

Description BAT.Batalia6

This is a harmless non-memory-resident polymorphic parasitic BAT virus. It searches for BAT files in the current directory and infects them. While infecting a file the virus runs the ARJ archiver to pack the files it needs; if there is no ARJ.EXE in the PATH, the virus fails to replicate.
The infected file consists of two parts. The first part (the header) contains five DOS commands; the second part (the rest of the file) is a randomly named BAT file compressed with the ARJ archiver and a password. So an infected file contains text strings (the DOS commands) followed by binary data (the ARJ archive).
That inner BAT file again consists of two parts: the main virus code (batch commands) and compressed data. The compressed data holds several files: the host file and the virus data and code files. An infected file therefore looks like an ARJ archive inside an ARJ archive:
Infected BAT file:
+----------------------+
| BAT instructions     |  - Header1, startup virus code
|----------------------|
| ARJ archive:         |  - Randomly named BAT file packed with ARJ
| +------------------+ |
| | BAT instructions | |  - Header2, main virus code
| |------------------| |
| | ARJ archive:     | |  - The set of files
| | +--------------+ | |
| | | BATALIA6.BAT | | |  - Infection, polymorphic and random generator routines
| | | hostfile.BAT | | |  - The original host file
| | | ZAGL         | | |  - Virus data file
| | | RULZ         | | |  - Virus data file
| | | FINAL.BAT    | | |  - Deletes the temporary files and subdirectory
| | +--------------+ | |
| +------------------+ |
+----------------------+

Header1 contains five commands, each selected from several variants of different lengths. Each line below shows the variants seen for one of the five commands:

@echo off                          @EcHo OfF
rem arj e %0 %compec% -g5          rem                                   COMMAND.COM nul /carj x %0 -g1
C:COMMAND.COM nul /carj x %0 -g2   %comspec% nul /c arj e HOST.BAT -g3   :nul arj x %0 -g7
C:COMMAND.COM                      :echo                                 C:COMMAND.COM nul /carj x %0
w HOST.BAT                         i HOST.BAT

The ARJ archive is encrypted with a randomly selected password, so the virus contains no constant bytes; as a result it is the first known polymorphic BAT virus.
When executed, the virus (Header1) runs the ARJ archiver, extracts the second part (the BAT file) and executes it. The code of the second part creates a temporary directory, extracts the files from the second archive into it, runs the search, infection and polymorphic routines, then executes the host file and deletes the temporary files and the temporary directory.
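The layout described above (batch text followed by a password-garbled ARJ archive) can be checked mechanically. The following is an added example, not the virus's code or anything from the original page: it splits a file at the first ARJ header id, reads the ARJ main header to see whether the GARBLED (password) flag is set, and looks in the batch text for an ARJ command that extracts %0, the file itself. The ARJ field offsets follow the public ARJ technote; the sample infected file is constructed inline, with a placeholder where the compressed inner BAT file would be.

```python
"""
Added example, not code from the original page: split a BAT.Batalia6-style
file into its batch text header and the ARJ archive appended to it, and read
the ARJ main header to see whether the archive is password-protected.
Field offsets follow the public ARJ technote; the sample file is constructed
here and its archive body is a placeholder, not real compressed data.
"""
import re
import struct

ARJ_MAGIC = b"\x60\xEA"   # every ARJ header begins with the id 0xEA60 (little endian)
ARJ_GARBLED = 0x01        # arj_flags bit set when the archive was created with -g<password>
ARJ_MAIN_HEADER = 2       # file_type value of the archive's main header


def split_bat_and_arj(data):
    """Return (batch_text, arj_offset); arj_offset is None if no ARJ id is present."""
    off = data.find(ARJ_MAGIC)
    return (data, None) if off < 0 else (data[:off], off)


def parse_arj_main_header(data, off):
    """Read the fields this example needs from the ARJ header at `off`:
    id(2) basic_hdr_size(2) first_hdr_size(1) version(1) min_version(1)
    host_os(1) arj_flags(1) method(1) file_type(1) ... then the NUL-terminated
    archive name after first_hdr_size bytes."""
    if data[off:off + 2] != ARJ_MAGIC:
        raise ValueError("no ARJ header id at offset %d" % off)
    basic_size = struct.unpack_from("<H", data, off + 2)[0]
    if basic_size == 0:
        raise ValueError("end-of-archive marker, not a main header")
    first_hdr_size, version, _min_version, _host_os, flags, _method, file_type = \
        struct.unpack_from("<7B", data, off + 4)
    name_off = off + 4 + first_hdr_size
    name = data[name_off:data.index(b"\x00", name_off)]
    return {"is_main_header": file_type == ARJ_MAIN_HEADER,
            "garbled": bool(flags & ARJ_GARBLED),
            "archive_name": name.decode("ascii", "replace"),
            "arj_version": version}


def scan_batalia(data):
    """Heuristic for the layout the description gives: batch commands that run
    ARJ on %0 (the file itself) with a -g password switch, followed by an ARJ
    archive. Returns a report dict; the nested archive stays opaque because it
    sits inside the compressed, password-garbled data."""
    text, off = split_bat_and_arj(data)
    report = {
        "arj_appended": off is not None,
        "extracts_self": bool(re.search(rb"arj\s+[ex]\s+%0", text, re.I)),
        "password_switch": bool(re.search(rb"\s-g\S*", text, re.I)),
        "header_lines": text.count(b"\r\n"),
    }
    if off is not None:
        report.update(parse_arj_main_header(data, off))
    return report


def build_sample_infected_file():
    """Constructed sample: five batch lines in the style of Header1, then an
    ARJ main header with the GARBLED flag set and a placeholder body."""
    header = (b"@echo off\r\n"
              b"rem arj e %0 %comspec% -g5\r\n"
              b"COMMAND.COM nul /c arj x %0 -g1\r\n"
              b":nul arj x %0 -g7\r\n"
              b"w HOST.BAT\r\n")
    first_hdr_size = 0x22
    fixed = bytes([first_hdr_size, 6, 1, 0, ARJ_GARBLED, 0, ARJ_MAIN_HEADER, 0])
    fixed += b"\x00" * (first_hdr_size - len(fixed))   # dates, sizes, etc. zeroed
    basic = fixed + b"XYZ.ARJ\x00" + b"\x00"           # archive name, empty comment
    arj = ARJ_MAGIC + struct.pack("<H", len(basic)) + basic
    arj += b"\x00\x00\x00\x00" + b"\x00\x00"            # header CRC32, no extended header
    return header + arj + b"<placeholder for the garbled, compressed inner BAT file>"


if __name__ == "__main__":
    for key, value in scan_batalia(build_sample_infected_file()).items():
        print("%-16s %s" % (key, value))
```

Because the password is random, nothing past the ARJ main header is constant, which is exactly why the polymorphism works; the header id, the GARBLED flag and the batch commands that hand %0 to ARJ are the parts that stay recognisable.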
The virus code consists of text strings only. It contains the following comments:
: Death Virii Crew & Stealth Group World Wide
: P R E S E N T S
: First Mutation Engine for BAT !
: Without ASM !
: [BATalia6] & FMEB (c) by Reminder
: // __ _
: +-------- /// ------+ ___ Magazine _ for VirMakers
: |+++-++- // // -+-+++| ___ ________________ _ ___________________ _ ________
: |++ | | ///// | | ||| __ ___ ___ ___ ___ ___ ___ ___ | _ ___ _ ___ ___
: |++ - + ///// ++- ++| _ _ _ __ __ _ _ __ _ _ _ _ _ _ _ _ _
: +------ // // -------+ _ _ _ _ ___ ___ _ ___ ___ __ ___ _ ___ ____
: GROUP // // WORLDWIDE _ _________________ _______________________________
:
: Box 10, Kiev 252148
: Box 15, Moscow 125080
: Box 11, Lutsk 263020
:
: R E A D I N F E C T E D V O I C E
:
: (c) by Reminder (May 22, 1996)

BAT.Batman.a

Description BAT.Batman.a

This is a memory resident parasitic BAT file infector. It is easier to show the text of the virus than to describe its algorithm. The virus text is very simple:
@ECHO OFF
REM <<< code: jmp installation, int_21 handler part 1 >>>
copy %0 b.com>nul
b.com
del b.com
rem <<< code: TSR installation, int_21 handler part 2 >>>

Note: the brackets <<< >>> mark the places where the non-text bytes of the virus are.
The main feature of this virus is that it is double-faced: the virus body executes in two formats. It runs as a batch file if the infected file has the BAT extension, and as a COM file if the file has the COM extension.
When run from a BAT file, the virus copies itself (i.e. the host file) into a new temporary file B.COM with the DOS command
copy %0 b.com

The %0 parameter is substituted with the name of the batch file as typed at the command prompt, so the virus creates a copy of the infected BAT file with the COM extension. The next line of the BAT file then executes that file, and the line after it deletes it from disk. The binary code and data of the virus are commented out by the REM command and do not affect the batch flow.
The B.COM file is executed as a standard COM file, so the text strings at the beginning of the file
@ECHO OFF
REM

are interpreted as 'dummy' i8086 instructions such as:
INC register
DEC register
OR register, immediate
AND register, register

These instructions do not affect the execution of the COM program (just as the commented-out binary code is not used by the BAT form of the virus). After the last text bytes (the REM of the second line of the BAT virus) have been executed, the virus activation code starts.
The virus installation algorithm is very primitive and occupies only ten assembler instructions. The virus hooks INT 21h with the standard DOS GETVECT and SETVECT functions (AX=3521h, 2521h) and then stays memory resident via INT 27h. The virus does not check memory for a TSR copy from a previous execution, so it will be present in memory as many times as infected BAT files have been executed.
The virus intercepts only one DOS function, WRITE HANDLE (INT 21h, AH=40h). It checks the beginning of the write buffer for the string '@echo' and, if it is present, writes its own body before the buffer is saved. Many BAT files contain that string at their beginning, so they are infected when they are created, copied or modified.
Thus the virus writes itself to the beginning of the BAT file. Infected files first create the B.COM file, run it and delete it, and then continue as if they were not infected.
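The double-faced prefix and the write hook described above can both be demonstrated offline. The following is an added example, not the virus's code or anything from the original page: a small decoder for just the 8086 opcodes that upper-case batch text can produce, run over the bytes `@ECHO OFF`, CR LF, `REM ` as the CPU sees them at CS:0100h in B.COM; a model of the INT 21h AH=40h hook that prepends the virus body to any buffer starting with `@echo` (treating that check as case-insensitive is an assumption); and a scanner for the resulting file layout. The virus body used is a constructed sample with placeholder bytes in place of the real binary parts.

```python
"""
Added example, not code from the original page: decode the text prefix of a
BAT.Batman.a-style file as the 8086 instructions the CPU executes when the
same bytes run as B.COM, model the INT 21h/AH=40h write hook, and scan a BAT
file for the infection pattern the description gives.
"""
import re

REG16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]
REG8 = ["AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH"]
RM16 = ["BX+SI", "BX+DI", "BP+SI", "BP+DI", "SI", "DI", "BP", "BX"]
ALU = {0x08: "OR", 0x20: "AND"}   # opcode groups that bytes 0x0A, 0x0D and 0x20 (space) fall into


def _modrm(code, i, wide):
    """Decode the ModR/M byte at code[i]; return (reg, r/m text, index of next byte)."""
    b = code[i]
    mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    regs = REG16 if wide else REG8
    if mod == 3:
        return regs[reg], regs[rm], i + 1
    if mod == 0 and rm == 6:                       # direct 16-bit address
        return regs[reg], "[%#06x]" % int.from_bytes(code[i+1:i+3], "little"), i + 3
    if mod == 0:
        return regs[reg], "[%s]" % RM16[rm], i + 1
    if mod == 1:                                   # 8-bit displacement
        return regs[reg], "[%s+%#04x]" % (RM16[rm], code[i+1]), i + 2
    return regs[reg], "[%s+%#06x]" % (RM16[rm], int.from_bytes(code[i+1:i+3], "little")), i + 3


def decode_prefix(code, text_len):
    """Decode from offset 0 until the instruction pointer reaches text_len (the
    length of the batch text). Returns ([(offset, mnemonic)], next_offset).
    Only opcodes that upper-case text can produce are handled; anything else
    is reported as a data byte (DB)."""
    out, i = [], 0
    while i < text_len:
        op = code[i]
        grp, low = op & 0xF8, op & 7
        if 0x40 <= op <= 0x4F:
            out.append((i, "%s %s" % ("INC" if op < 0x48 else "DEC", REG16[low]))); i += 1
        elif 0x50 <= op <= 0x5F:
            out.append((i, "%s %s" % ("PUSH" if op < 0x58 else "POP", REG16[low]))); i += 1
        elif grp in ALU and low < 4:               # OR/AND r/m,reg  or  reg,r/m
            reg, rm, nxt = _modrm(code, i + 1, op & 1)
            dst, src = (reg, rm) if op & 2 else (rm, reg)
            out.append((i, "%s %s, %s" % (ALU[grp], dst, src))); i = nxt
        elif grp in ALU and low == 5:              # OR/AND AX, imm16 (CR is 0x0D)
            out.append((i, "%s AX, %#x" % (ALU[grp], int.from_bytes(code[i+1:i+3], "little")))); i += 3
        elif grp in ALU and low == 4:              # OR/AND AL, imm8
            out.append((i, "%s AL, %#x" % (ALU[grp], code[i+1]))); i += 2
        else:
            out.append((i, "DB %#04x" % op)); i += 1
    return out, i


def is_transparent(instrs):
    """True if the prefix decoded to nothing but INC/DEC/PUSH/POP/AND/OR:
    no undecoded bytes, jumps, calls or INTs before the real code."""
    return all(m.split()[0] in ("INC", "DEC", "PUSH", "POP", "AND", "OR") for _, m in instrs)


def hooked_write(buffer, virus_body):
    """Model of the virus's INT 21h AH=40h handler: a buffer that begins with
    '@echo' gets the virus body written in front of it (case-insensitive here;
    the description only says '@echo')."""
    return virus_body + buffer if buffer[:5].lower() == b"@echo" else buffer


BATMAN_PATTERN = re.compile(
    rb"\A@echo off\r\nrem (.*?)\r\ncopy %0 b\.com\s*>\s*nul\r\nb\.com\r\ndel b\.com\r\n",
    re.I | re.S)


def scan_batman(data):
    """Heuristic for the listing above: '@ECHO OFF', a REM line carrying
    non-text bytes, then copy %0 b.com / b.com / del b.com."""
    m = BATMAN_PATTERN.match(data)
    return bool(m) and any(b > 0x7E or (b < 0x20 and b != 9) for b in m.group(1))


# Constructed sample in the shape of the listing (placeholder bytes stand in
# for the virus's binary parts; 0xC0 is chosen so the decoder shows how the
# trailing space of "REM " swallows the first binary byte as its ModR/M).
FAKE_CODE1 = bytes([0xC0, 0xEB, 0x10]) + bytes(range(0x80, 0x90))
FAKE_CODE2 = bytes(range(0x90, 0xA0))
SAMPLE_VIRUS_BODY = (b"@ECHO OFF\r\nREM " + FAKE_CODE1 + b"\r\n"
                     b"copy %0 b.com>nul\r\nb.com\r\ndel b.com\r\n"
                     b"rem " + FAKE_CODE2 + b"\r\n")


def demo():
    """Decode the text prefix, then push a clean BAT through the hook."""
    instrs, next_ip = decode_prefix(SAMPLE_VIRUS_BODY, len(b"@ECHO OFF\r\nREM "))
    clean = b"@echo off\r\necho hello\r\n"
    infected = hooked_write(clean, SAMPLE_VIRUS_BODY)
    return instrs, next_ip, scan_batman(clean), scan_batman(infected)


if __name__ == "__main__":
    instrs, next_ip, clean_hit, infected_hit = demo()
    for off, m in instrs:
        print("%04X  %s" % (0x100 + off, m))     # COM files are loaded at CS:0100h
    print("binary code is entered at file offset %#x" % next_ip)
    print("clean flagged:", clean_hit, " infected flagged:", infected_hit)
```

Two details the decoding makes visible: the space after `ECHO` becomes `AND [BX+0x46], CL`, a memory operand rather than the register-only forms listed above, and the space after `REM` takes the first byte of the binary part as its ModR/M, so the virus's own code effectively begins one byte later than the text ends. Lower-case `@echo off` would not work this way, since 0x61-0x6F are undefined on the 8086 and 0x70-0x7A are conditional jumps.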

Copyright © 2005 Virus-Database.com