BAT.Batalia6
Description BAT.Batalia6
It is a harmless, non-memory-resident, polymorphic, parasitic BAT virus. It searches for BAT files in the current directory, then infects them. While infecting a file, the virus runs the ARJ archiver to pack the necessary files. If there is no ARJ.EXE file in the PATH, the virus fails to replicate itself.

The infected batch file contains two parts of code and data. The first part (the header) contains five DOS commands; the second part (the rest) contains a randomly named BAT file that is compressed using the ARJ archiver and a password. Thus the infected file contains text strings (DOS commands) and binary data (an ARJ archive). That BAT file also contains two parts: the main virus code (batch commands) and the compressed data. The compressed data contains several files: the host file and the virus data and code files. An infected file looks like an ARJ archive within an ARJ archive:

+--------------------+
|BAT instructions    | - Header 1, startup virus code
|--------------------|
| ARJ archive:       | - Random named BAT file packed with ARJ
| +----------------+ |
| |BAT instructions| | - Header 2, main virus code
| |----------------| |
| | ARJ archive:   | | - The set of files
| | +------------+ | |
| | |BATALIA6.BAT| | | - Infection, polymorphic and random generator
| | |            | | |   routines
| | |hostfile.BAT| | | - The original host file
| | |ZAGL        | | | - Virus data file
| | |RULZ        | | | - Virus data file
| | |FINAL.BAT   | | | - Deletes the temporary files and subdirectory
| | +------------+ | |
| +----------------+ |
+--------------------+

Header 1 contains five commands that are selected from several variants and have different lengths, for example:

    @echo off rem arj e %0 %compec% -g5 C:COMMAND.COM nul /carj x %0 -g2 :nul arj x %0 -g7 C:COMMAND.COM w HOST.BAT

    @EcHo OfF rem COMMAND.COM nul /carj x %0 -g1 %comspec% nul /c arj e HOST.BAT -g3 :echo C:COMMAND.COM nul /carj x %0 i HOST.BAT

The ARJ archive is encrypted with a randomly selected password, so the virus does not contain constant bytes; as a result, it is the first known polymorphic BAT virus.

When executed, the virus (header 1) runs the ARJ archiver, extracts the second part (the BAT file) and executes it. The code of the second part creates a temporary directory, extracts the files from the second archive into it, runs the searching, infecting and polymorphic routines, then executes the host file and deletes the temporary files and the temporary directory.

The code of the virus contains the following text strings:

: Death Virii Crew & Stealth Group World Wide
: P R E S E N T S
: First Mutation Engine for BAT !
: Without ASM !
: [BATalia6] & FMEB (c) by Reminder
:
: [ASCII-art logo: GROUP WORLDWIDE, Magazine for VirMakers]
:
: Box 10, Kiev 252148
: Box 15, Moscow 125080
: Box 11, Lutsk 263020
:
: R E A D   I N F E C T E D   V O I C E
:
: (c) by Reminder (May 22, 1996)
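An added example (not part of the original description and not code from any antivirus product): a Python heuristic for the layout described above, a .BAT file whose short text header is followed by an embedded ARJ archive. The ARJ header marker bytes 60 EA, the 2600-byte basic-header limit and the CRC-32 check follow the public ARJ format as implemented by unarj; the function names and the sample bytes are constructed for illustration.

```python
import struct
import zlib

ARJ_MAGIC = b"\x60\xea"    # ARJ header id (0xEA60, little-endian)
ARJ_MAX_BASIC_HDR = 2600   # largest basic header size ARJ accepts

def find_arj_header(data: bytes) -> int:
    """Return the offset of the first CRC-valid ARJ header, or -1."""
    pos = data.find(ARJ_MAGIC)
    while pos != -1:
        if pos + 4 <= len(data):
            (size,) = struct.unpack_from("<H", data, pos + 2)
            end = pos + 4 + size
            if 0 < size <= ARJ_MAX_BASIC_HDR and end + 4 <= len(data):
                (crc,) = struct.unpack_from("<I", data, end)
                # The stored CRC-32 covers the basic header bytes only.
                if zlib.crc32(data[pos + 4:end]) == crc:
                    return pos
        pos = data.find(ARJ_MAGIC, pos + 1)
    return -1

def is_text(chunk: bytes) -> bool:
    """True if chunk holds only printable ASCII, tabs and line breaks."""
    return all(c in (9, 10, 13) or 32 <= c < 127 for c in chunk)

def check_batch_file(data: bytes):
    """Flag batch content whose text header is followed by an ARJ archive.

    Returns None when the layout does not match, otherwise a tuple
    (archive_offset, header_line_count, header_runs_arj_on_itself).
    """
    off = find_arj_header(data)
    if off <= 0:               # no archive, or the file is a plain ARJ archive
        return None
    header = data[:off]
    if not is_text(header):    # the page describes a header of DOS commands
        return None
    lines = [ln for ln in header.splitlines() if ln.strip()]
    # Heuristic: the header extracts from the batch file itself (%0) via ARJ.
    runs_arj = b"arj" in header.lower() and b"%0" in header
    return off, len(lines), runs_arj

def constructed_arj_header() -> bytes:
    """Constructed, inert stand-in for an ARJ basic header (zero-filled)."""
    body = bytes(34)
    return (ARJ_MAGIC + struct.pack("<H", len(body)) + body
            + struct.pack("<I", zlib.crc32(body)))

# Constructed sample inputs, not taken from a real infected file.
TEXT_HEADER = b"@echo off\r\nrem constructed sample\r\narj x %0\r\n"
SUSPECT = TEXT_HEADER + constructed_arj_header() + bytes(8)
CLEAN = b"@echo off\r\necho hello\r\n"
```

A match is only a reason to inspect the file: self-extracting batch installers can have the same shape.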
SE.1853
Description SE.1853
It is a non-dangerous, memory-resident, parasitic virus. It hooks INT 21h, infects the C:\COMMAND.COM file, stays memory resident and then writes itself to the end of COM and EXE files that are executed. The header of any infected file contains the ID-word "SE". On February 3rd the virus sets the system date to February 4th, changes the font of the letter 'd' and displays the message:

¡¡ Esto es un virus llamado ESPAÑA !! Por favor, descomprima el fichero que ha intentado cargar con el compresor LHA de la siguiente manera: LHA E [nombre del fichero ejecutable cargado] Y saldrá un fichero llamado MESSFROM.SPA, lealo.

This is a virus called ESPAÑA !! Please, uncompress the file you tried to load with the LHA compressor at the following form: LHA E [the name of the executable file loaded] And will appear a file called MESSFROM.SPA, read it.

The virus really does contain the MESSFROM.SPA file, packed with the LHA archiver, and the MESSFROM.SPA file contains the text:

Hello world! You have a virus called ESPAÑA,the virus was made in this wonderful country, in Madrid.Perhaps you don't know this city,but it's the best city around the world,and the best country is Spain,so you must visit it. I hate E.T.A,they are a FUCKERMOTHER. You can find me calling to CHIBA CITY BBS tlf. +34 1 XXX-XX-XX My alias is Thorndike,I'm sixteen and I live near Vallecas. Bye and see you soon. Your hard disk's boot sector has been modified,the next time you can't to acces it,but you can use the DISKFIX tool from PCTOOLS. So you will restore your hard disk's boot sector.Thanks,and snd snd snd snd snd snd snd snd snd snd snd snd snd snd snd snd
Sea
Description Sea
It is a harmless, memory-resident, stealth boot virus. It copies itself into the Interrupt Vector Table, hooks INT 13h and writes itself into the MBR of the hard drive and the boot sectors of floppy disks. It contains the internal text string:

SEA.Moscow.5-29-1992.I think, it is a smallest stealth virus.It occupies memory 002D3-00339.It workes with 1.2M diskette as good as with 360K.It is harmless and do nothing(if you don't use BASIC).You can remove it with overwriting (even in ill computer).Good bye!