Virus Database

BAT.Batalia6

Description BAT.Batalia6

It is a harmless nonmemory resident polymorphic parasitic BAT virus. It searches for BAT files in the current directory, then infects them. While infecting a file the virus runs the ARJ archiver to pack the necessary files. If there are no ARJ.EXE file in PATH, the virus fails to replicate itself.
The infected contains two parts of code and data. The first part (the header) contains five DOS commands, the second part (the rest) contains a random named BAT file that is compressed by using the ARJ archiver and a password. So, the infected file contains the text strings (DOS commands) and the binary data (ARJ archive).
That BAT file also contains two parts: the main virus code (batch commands) and the compressed data. The compressed data contains several files: the host file, the virus data and code files. The infected files look as ARJ archive within ARJ archive:
Infected BAT file:
+--------------------+
¦BAT instructions ¦ - Header1, startup virus code
¦--------------------¦
¦ ARJ archive: ¦ - Random named BAT file packed with ARJ
¦ +----------------+ ¦
¦ ¦BAT instructions¦ ¦ - Header2, main virus code
¦ ¦----------------¦ ¦
¦ ¦ ARJ archive: ¦ ¦ - The set of files
¦ ¦ +------------+ ¦ ¦
¦ ¦ ¦BATALIA6.BAT¦ ¦ ¦ - Infection, polymorphic and random generator
¦ ¦ ¦ ¦ ¦ ¦ routines
¦ ¦ ¦hostfile.BAT¦ ¦ ¦ - The original host file
¦ ¦ ¦ZAGL ¦ ¦ ¦ - Virus data file
¦ ¦ ¦RULZ ¦ ¦ ¦ - Virus data file
¦ ¦ ¦FINAL.BAT ¦ ¦ ¦ - Deletes the temporary files and subdirectory
¦ ¦ +------------+ ¦ ¦
¦ +----------------+ ¦
+--------------------+

Header1 contains five commands that are selected from several variants and have different lengths, for example:
@echo off @EcHo OfF
rem arj e %0 %compec% -g5 rem COMMAND.COM nul /carj x %0 -g1
C:COMMAND.COM nul /carj x %0 -g2 %comspec% nul /c arj e HOST.BAT -g3
:nul arj x %0 -g7 C:COMMAND.COM :echo C:COMMAND.COM nul /carj x %0
w HOST.BAT i HOST.BAT

The ARJ archive is encrypted with a random selected password, so the virus does not contain constant bytes, and as a result it is the first known polymorphic BAT virus.
When executed, the virus (header1) runs ARJ archiver, extracts the second part (BAT file) and executes it. The code of second part creates the temporary directory, extracts the files from the second archive to the temporary directory, then runs the searching, infecting and polymorphic routines, then executed the host file and deletes the temporary files and temporary directory.
The code of the virus contains only the text strings. There are the comments:
: Death Virii Crew & Stealth Group World Wide
: P R E S E N T S
: First Mutation Engine for BAT !
: Without ASM !
: [BATalia6] & FMEB (c) by Reminder
: // __ _
: +-------- /// ------+ ___ Magazine _ for VirMakers
: ¦+++-++- // // -+-+++¦ ___ ________________ _ ___________________ _ ________
: ¦++ ¦ ¦ ///// ¦ ¦ ¦¦¦ __ ___ ___ ___ ___ ___ ___ ___ ¦ _ ___ _ ___ ___
: ¦++ - + ///// ++- ++¦ _ _ _ __ __ _ _ __ _ _ _ _ _ _ _ _ _
: +------ // // -------+ _ _ _ _ ___ ___ _ ___ ___ __ ___ _ ___ ____
: GROUP // // WORLDWIDE _ _________________ _______________________________
:
: Box 10, Kiev 252148
: Box 15, Moscow 125080
: Box 11, Lutsk 263020
:
: R E A D I N F E C T E D V O I C E
:
: (c) by Reminder (May 22, 1996)

Check other viruses! Be aware! Use Antiviral Software

Taz Family

Description Taz Family

These are dangerous memory resident parasitic encrypted viruses. They hook INT 1Ch, 21h and write themselves to the end of .COM files that are accessed. While infecting a file they check the file name and delete some anti-virus programs. "Taz.995" beeps on any INT 1Ch call. "Taz.1041" displays the message on execution of some anti-virus programs. The viruses contain the text strings:
"Taz.987,995":
[TAZ-10] By The WÉÆ
(C) Sector Infector 1993
___ TÆZ-10 ___
Released 12-06-93
Yes, it is a Firefly Hack!
I Miss Ya, Taz!

"Taz.1041":
[TAZ-10] By The WÉÆ
(C) Sector Infector 1993
Released 12-06-93
Yes, it is a Firefly Hack!
Time to FUCK it UP!
FUCKIN IT
uhhhall..
huh huh

Tazman.706

Description Tazman.706

It is not a dangerous memory resident stealth parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed or on modifying file attributes. Being executed from 9:00am till 10:00am the virus displays the message and returns control back to DOS instead of host file. The virus message is:
Greetings to .Xtz.Dr-drain. [..By ThE ..TaZMaN..]
[Holland DEAD squad]

Home