Usually virus writers strive to make their viruses as complex as possible to prevent anti-virus programs from detecting them. Certain writers, however, try to push their creations to the utmost limits of simplicity. Some of them have wanted to create the smallest possible virus -- at the moment, the smallest virus consists of just 25 bytes -- while others have taken advantage of DOS's relatively simple batch language and written viruses infecting BAT files.
BAT viruses do not usually pose a serious threat due to their simplicity. They are generally unable to spread quickly between computers, so infections that do happen are normally limited to small areas.
Ralf Burger published the world's first known BAT virus in his book Das grosse Computerviren-Buch in 1987, calling it VR.BAT. VR.BAT did not, however, rely purely on the DOS batch language, for it also used machine-language code located in a separate file. Since the virus destroyed its victim, it generally did not take long for a user to smell something fishy.
A few other simple BAT viruses have been found since Burger's VR.BAT. At the turn of the year, however, a batch file virus unlike any other BAT virus previously encountered, called Batman, was discovered. What made Batman stand apart from other BAT viruses was its ability to install itself into memory. This is possible, since the Batman virus contains binary-form machine language code inside the BAT listing.
@ECHO OFF
REM <binary code>
copy %0 b.com>nul
b.com
del b.com
rem <binary code>
In other words, the virus first renames itself as B.COM, after which it executes this file as a normal COM program. This is made possible by the fact that the capital-letter @ECHO OFF and REM commands at the beginning of the file translate to machine language commands which have no bearing on the functioning of the virus whatsoever.
Text                    Code
------------------------------------------
@                       INC AX
E                       INC BP
C                       INC BX
H                       DEC AX
O                       DEC DI
<space>OF               AND [BX+46],CL
F                       INC SI
<enter><text line>R     OR AX,520A
E                       INC BP
M                       DEC BP
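The table can be reproduced mechanically. The following is an added example, not code from the original article: a small Python decoder covering only the 16-bit x86 opcodes that the header bytes happen to use. The names decode_header and HEADER are chosen here for illustration.

```python
# Added example: decode the ASCII header of the listing as 16-bit x86 code.
# Only the opcodes that occur in "@ECHO OFF<CR><LF>REM" are handled.
REG16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]
REG8 = ["AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH"]
# 16-bit ModRM base expressions for rm = 0..7 (mod = 01, 8-bit displacement)
RM16 = ["BX+SI", "BX+DI", "BP+SI", "BP+DI", "SI", "DI", "BP", "BX"]

HEADER = b"@ECHO OFF\r\nREM"  # the text every infected file starts with


def decode_header(data: bytes):
    """Return (raw bytes, mnemonic) pairs; stop at the first unknown opcode."""
    out, i = [], 0
    while i < len(data):
        op = data[i]
        if 0x40 <= op <= 0x47:            # INC r16, one byte each
            size, asm = 1, f"INC {REG16[op - 0x40]}"
        elif 0x48 <= op <= 0x4F:          # DEC r16, one byte each
            size, asm = 1, f"DEC {REG16[op - 0x48]}"
        elif op == 0x20 and i + 2 < len(data) and data[i + 1] >> 6 == 1:
            # AND r/m8, r8 with ModRM mod = 01. ASCII text is below 0x80,
            # so the 8-bit displacement is always non-negative here.
            modrm, disp = data[i + 1], data[i + 2]
            size = 3
            asm = f"AND [{RM16[modrm & 7]}+{disp:02X}],{REG8[(modrm >> 3) & 7]}"
        elif op == 0x0D and i + 2 < len(data):
            # OR AX, imm16 (little-endian immediate)
            size, asm = 3, f"OR AX,{data[i + 2]:02X}{data[i + 1]:02X}"
        else:
            break                          # outside the subset handled here
        out.append((data[i:i + size], asm))
        i += size
    return out


if __name__ == "__main__":
    for raw, asm in decode_header(HEADER):
        print(f"{raw!r:12} {asm}")
```

Every decoded instruction only touches registers or a single memory byte, so the header runs through harmlessly before execution reaches the binary part.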
The first part of the binary code includes a jump command to the end part of Batman's code. The end part contains the commands for installing the virus into memory. Since Batman does not check memory before installing itself, the virus reinstalls itself into memory every time an infected file is executed. Little by little, it eats away the available memory.
The virus monitors write operations to files while it is active in memory. It checks the beginning of files every time they are written to. If the file in question starts with the command @ECHO, the virus judges it to be a batch file and infects it. Since Batman makes no attempt to check whether it has already infected a file, the same file can be infected many times over. Moreover, if several copies of the virus have installed themselves into memory, every single one of them infects the batch files that are being written to.
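The structure of the listing above gives a scanner three things to look for: the @ECHO start, a batch file that copies itself (%0) to a .COM name and then runs that name, and REM lines carrying non-text bytes. The following heuristic is an added example, not part of the original article; scan_batch and both sample inputs are constructed here, and the sample's "binary" bytes are inert placeholders.

```python
import re

# Self-copy to a .COM name, e.g. "copy %0 b.com>nul"
SELF_COPY = re.compile(rb"(?im)^\s*@?copy\s+%0\s+([^\s<>|]+\.com)\b")


def is_text_byte(b: int) -> bool:
    return b in (0x09, 0x0A, 0x0D) or 0x20 <= b < 0x7F


def scan_batch(data: bytes) -> dict:
    """Report the structural traits of the listing found in a batch file."""
    findings = {
        "starts_with_echo": data[:5].upper() == b"@ECHO",
        "self_copy_target": None,
        "runs_copy": False,
        "binary_in_rem": False,
    }
    m = SELF_COPY.search(data)
    if m:
        target = m.group(1)
        findings["self_copy_target"] = target.decode("ascii", "replace")
        # The copied name used as a command on a later line of its own
        run = re.compile(rb"(?im)^\s*@?" + re.escape(target) + rb"\s*$")
        findings["runs_copy"] = bool(run.search(data, m.end()))
    for line in data.split(b"\n"):
        is_rem = line.lstrip().upper().startswith(b"REM")
        # Caveat: comments in a national code page also contain bytes >= 0x80,
        # so this trait alone is not treated as conclusive.
        if is_rem and not all(is_text_byte(b) for b in line):
            findings["binary_in_rem"] = True
    findings["suspicious"] = findings["runs_copy"] and findings["binary_in_rem"]
    return findings


# Constructed samples: placeholder bytes stand in for <binary code>.
SAMPLE = (b"@ECHO OFF\r\nREM \x01\x02\xfe\xff\r\ncopy %0 b.com>nul\r\n"
          b"b.com\r\ndel b.com\r\nrem \x03\x04\r\n")
BENIGN = b"@echo off\r\nrem nightly backup\r\ncopy report.txt a:\\\r\n"

if __name__ == "__main__":
    print(scan_batch(SAMPLE))
    print(scan_batch(BENIGN))
```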
At the beginning of June, the F-PROT Support of Data Fellows Ltd. received a letter from Lahti, Finland, signed by a person using the pseudonym Pelimies (Player). A diskette containing a virus that spreads via BAT files was included in the letter. In the letter, the writer explained that the virus had infested his and his friends' computers for months, and that it had also infected the microcomputers of his school.
Closer examination proved the virus to be wholly functional, if somewhat simple. It consists of BAT files with a combined length of 1111 bytes. The virus conceals itself by hiding three of its four BAT files with the DOS command ATTRIB. One of its files, CHECK.BAT, contains the following text at its beginning:
Copyright (c) 1993 damage program laboratory, Finland
Program PARASITE
This version is harmless voyager
The virus was duly named BAT-Parasite.
The virus spreads via diskettes. A contaminated diskette contains one visible file, PELI.BAT (Peli is Finnish and means "game"), which, when executed, copies itself and the hidden virus files to the \DOS directory of the logical disk C. At the same time, BAT-Parasite renames the file FORMAT.COM, giving it the name F.COM. A compensating file called FORMAT.BAT has been included in the virus to prevent the user from noticing the switch.
BAT-Parasite infects diskettes when they are formatted. When a user tries to run the FORMAT program, the viral FORMAT.BAT file first executes F.COM, using the command line switches the user has given. Having done that, the CHECK.BAT file copies the viral files to the diskette.
All the diskettes formatted in a contaminated computer contain the visible file PELI.BAT and the three hidden viral files. The creator of BAT-Parasite has relied on an enticing name to have people execute the BAT file in their computers. When PELI.BAT is executed, the virus copies itself from the diskette to the hard disk and displays the message:
The virus is unable to spread if a computer does not contain the directory C:\DOS. The functioning of BAT-Parasite is also hindered, but not completely blocked, by the lack of the programs ATTRIB and FORMAT.
Even though BAT-Parasite is not a serious threat, it can spread quite unnoticed despite its simple structure. The virus can be removed by simply deleting the files PELI.BAT, RESIDENT.BAT, CHECK.BAT and FORMAT.BAT, and changing the name of F.COM back to FORMAT.COM.