Details
BAT.Batalia6

It is a harmless nonmemory resident polymorphic parasitic BAT virus. It searches for BAT files in the current directory, then infects them. While infecting a file the virus runs the ARJ archiver to pack the necessary files. If there are no ARJ.EXE file in PATH, the virus fails to replicate itself.
The infected contains two parts of code and data. The first part (the header) contains five DOS commands, the second part (the rest) contains a random named BAT file that is compressed by using the ARJ archiver and a password. So, the infected file contains the text strings (DOS commands) and the binary data (ARJ archive).
That BAT file also contains two parts: the main virus code (batch commands) and the compressed data. The compressed data contains several files: the host file, the virus data and code files. The infected files look as ARJ archive within ARJ archive:
Infected BAT file:
+——————–+
¦BAT instructions ¦ - Header1, startup virus code
¦——————–¦
¦ ARJ archive: ¦ - Random named BAT file packed with ARJ
¦ +—————-+ ¦
¦ ¦BAT instructions¦ ¦ - Header2, main virus code
¦ ¦—————-¦ ¦
¦ ¦ ARJ archive: ¦ ¦ - The set of files
¦ ¦ +————+ ¦ ¦
¦ ¦ ¦BATALIA6.BAT¦ ¦ ¦ - Infection, polymorphic and random generator
¦ ¦ ¦ ¦ ¦ ¦ routines
¦ ¦ ¦hostfile.BAT¦ ¦ ¦ - The original host file
¦ ¦ ¦ZAGL ¦ ¦ ¦ - Virus data file
¦ ¦ ¦RULZ ¦ ¦ ¦ - Virus data file
¦ ¦ ¦FINAL.BAT ¦ ¦ ¦ - Deletes the temporary files and subdirectory
¦ ¦ +————+ ¦ ¦
¦ +—————-+ ¦
+——————–+

Header1 contains five commands that are selected from several variants and have different lengths, for example:
@echo off @EcHo OfF
rem arj e %0 %compec% -g5 rem COMMAND.COM nul /carj x %0 -g1
C:\COMMAND.COM nul /carj x %0 -g2 %comspec% nul /c arj e HOST.BAT -g3
:nul arj x %0 -g7 C:\COMMAND.COM :echo C:\COMMAND.COM nul /carj x %0
w HOST.BAT i HOST.BAT

The ARJ archive is encrypted with a random selected password, so the virus does not contain constant bytes, and as a result it is the first known polymorphic BAT virus.
When executed, the virus (header1) runs ARJ archiver, extracts the second part (BAT file) and executes it. The code of second part creates the temporary directory, extracts the files from the second archive to the temporary directory, then runs the searching, infecting and polymorphic routines, then executed the host file and deletes the temporary files and temporary directory.
The code of the virus contains only the text strings. There are the comments:
: Death Virii Crew & Stealth Group World Wide
: P R E S E N T S
: First Mutation Engine for BAT !
: Without ASM !
: [BATalia6] & FMEB (c) by Reminder
: // __ _
: +——– /// ——+ ___ Magazine _ for VirMakers
: ¦+++-++- // // -+-+++¦ ___ ________________ _ ___________________ _ ________
: ¦++ ¦ ¦ ///// ¦ ¦ ¦¦¦ __ ___ ___ ___ ___ ___ ___ ___ ¦ _ ___ _ ___ ___
: ¦++ - + ///// ++- ++¦ _ _ _ __ __ _ _ __ _ _ _ _ _ _ _ _ _
: +—— // // ——-+ _ _ _ _ ___ ___ _ ___ ___ __ ___ _ ___ ____
: GROUP // // WORLDWIDE _ _________________ _______________________________
:
: Box 10, Kiev 252148
: Box 15, Moscow 125080
: Box 11, Lutsk 263020
:
: R E A D I N F E C T E D V O I C E
:
: (c) by Reminder (May 22, 1996)

Related Posts

This entry was posted on Saturday, July 15th, 2006 at 8:00 pm and is filed under Virus Threats.

Details
BAT.Batalia6

It is the harmless nonmemory resident polymorphic parasitic BAT virus. It searches for BAT files in the current directory, then infects them. While infecting a file the virus runs the ARJ archiver to pack the necessary files. If there are no ARJ.EXE file in PATH, the virus fails to replicate itself.
The infected batch file contains two parts of code and data. The first part (the header) contains five DOS commands, the second part (the rest) contains a random named BAT file that is compressed by using the ARJ archiver and a password. Thus the infected file contains the text strings (DOS commands) and the binary data (ARJ archive).
That BAT file also contains two parts: the main virus code (batch commands) and the compressed data. The compressed data contains several files: the host file, the virus data and code files. The infected files look as ARJ archive within ARJ archive:
+——————–+
?BAT instructions ? - Header 1, startup virus code
?——————–?
? ARJ archive: ? - Random named BAT file packed with ARJ
? +—————-+ ?
? ?BAT instructions? ? - Header 2, main virus code
? ?—————-? ?
? ? ARJ archive: ? ? - The set of files
? ? +————+ ? ?
? ? ?BATALIA6.BAT? ? ? - Infection, polymorphic and random generator
? ? ? ? ? ? routines
? ? ?hostfile.BAT? ? ? - The original host file
? ? ?ZAGL ? ? ? - Virus data file
? ? ?RULZ ? ? ? - Virus data file
? ? ?FINAL.BAT ? ? ? - Deletes the temporary files and subdirectory
? ? +————+ ? ?
? +—————-+ ?
+——————–+
Header 1 contains five commands that are selected from several variants and have different lengths, for example:
@echo off
rem arj e %0 %compec% -g5
C:\COMMAND.COM nul /carj x %0 -g2
:nul arj x %0 -g7 C:\COMMAND.COM
w HOST.BAT

@EcHo OfF
rem COMMAND.COM nul /carj x %0 -g1
%comspec% nul /c arj e HOST.BAT -g3
:echo C:\COMMAND.COM nul /carj x %0
i HOST.BAT
The ARJ archive is encrypted with a random selected password, so the virus does not contain constant bytes, and as a result it is the first known polymorphic BAT virus.
When executed, the virus (header 1) runs ARJ archiver, extracts the second part (BAT file) and executes it. The code of the second part creates the temporary directory, extracts the files from the second archive to the temporary directory, then runs the searching, infecting and polymorphic routines, then executes the host file and deletes the temporary files and temporary directory.
The code of the virus contains the following text strings:
: Death Virii Crew & Stealth Group World Wide
: P R E S E N T S
: First Mutation Engine for BAT !
: Without ASM !
: [BATalia6] & FMEB (c) by Reminder

: // __ _
: +——– /// ——+ ___ Magazine _ for VirMakers
: ?+++-++- // // -+-+++? ___ ________________ _ ___________________ _ ________
: ?++ ? ? ///// ? ? ??? __ ___ ___ ___ ___ ___ ___ ___ ? _ ___ _ ___ ___
: ?++ - + ///// ++- ++? _ _ _ __ __ _ _ __ _ _ _ _ _ _ _ _ _
: +—— // // ——-+ _ _ _ _ ___ ___ _ ___ ___ __ ___ _ ___ ____
: GROUP // // WORLDWIDE _ _________________ _______________________________
:
: Box 10, Kiev 252148
: Box 15, Moscow 125080
: Box 11, Lutsk 263020
:
: R E A D I N F E C T E D V O I C E
:
: (c) by Reminder (May 22, 1996)

Related Posts

This entry was posted on Saturday, July 15th, 2006 at 6:00 pm and is filed under Virus Threats.

Details
BAT.Batalia4

This is the harmless non-memory resident parasitic BAT virus. It searches for BAT files in the current directory, then infectes them. While infecting a file the virus run the ARJ archiver to pack necessary files. If there is no ARJ.EXE file in PATH, the virus fails to replicate itself.
The virus contains two parts of code and data. The first part (the header) contains DOS commands:
@echo off
rem BAT4
arj x %0 >nul
call i
del sg
del i.bat
The second part (the rest) is an ARJ archive. This archive contains the I.BAT file that is the main virus code and the additional file named SG. The SG file contains several additional batch commands.
Thus any infected file contains the text strings (DOS commands) and the binary data (ARJ archive).
When executed, the virus runs the ARJ archiver, extracts the I.BAT and runs it. This batch file then searches for not infected BAT files in the current directory and infects them.
While infecting, the BAT.Batalia4 virus appends its code to the end of files and does not modify the original file contents.

Related Posts

This entry was posted on Saturday, July 15th, 2006 at 4:00 pm and is filed under Virus Threats.

Details
BAT.Batalia3

This is the harmless non-memory resident parasitic BAT virus. It searches for BAT files in the current directory, then infectes them. While infecting a file the virus run the ARJ archiver to pack necessary files. If there is no ARJ.EXE file in PATH, the virus fails to replicate itself.
The virus contains two parts of code and data. The first part (the header) contains DOS commands:
@echo off
rem YYY
arj x %0 -g”"bÑpß >nul
ren p Int
call i
ren Int a.bat
echo on
@call a
@echo off
del i.bat
del a.bat
del BATalia3
The second part (the rest) is an ARJ archive. This archive contains the I.BAT file that is the main virus code and the additional files:
P, BATALIA3
The BATALIA3 file contains several additional batch commands. The P file contains original code of an infected BAT file.
Thus any infected file contains the text strings (DOS commands) and the binary data (ARJ archive).
When executed, the virus runs the ARJ archiver, extracts the I.BAT and runs it. This batch file then searches for not infected BAT files in the current directory and infects them.
While infecting, the virus saves an original BAT file to ARJ archive (file P) and overwrites it. As a result the length of a file infected by BAT.Batalia3 may be less than before infection.

Related Posts

This entry was posted on Saturday, July 15th, 2006 at 2:00 pm and is filed under Virus Threats.

Details
BAT.Batalia2

This is the harmless non-memory resident BAT infector. It searchs for BAT files in the current directory, then writes itself to the end of the file. While infecting it creates temporary files and write necessary data to them.
The virus contains the following text:
BATalia2

Related Posts

This entry was posted on Saturday, July 15th, 2006 at 12:00 pm and is filed under Virus Threats.