Bat.Naive.489 Viruses Information

Name: Bat.Naive.489
Category: Viruses
Description: Details
Bat.Naive.4894

Bat.Naive.4894 is a non-dangerous, memory-resident parasitic virus. It hooks INT 21h and writes itself to the beginning of .BAT files. An infected file looks as follows (the strings between '[' and ']' are comments):
@rem NAIVE
@if exist naive.* goto naive
@if "%range_check%=="yes goto naive
@echo>naive.com [ binary data1 ]
@naive.com
@if not errorlevel 33 goto superwork
@del>nul naive.com
@goto naive
:superwork
@echo>naive.com [ binary data2 ]
@echo>naive.dat [ ASCII text ]
@echo>>naive.dat [ ASCII text ]
@echo>>naive.dat [ ASCII text ]
[ repeated all ]
@echo>>naive.dat
@naive.com<naive.dat>naive.exe
@del>nul naive.com
@del>nul naive.dat
@naive.exe>nul
@del>nul naive.exe
@set range_check=yes
:naive
[ original BAT-file ]

The "binary data1" field contains the code of the "Are you here?" call, "binary data2" contains the ASCII-to-BIN decoder, and "ASCII text" contains the virus code converted to ASCII text.
When such a file is executed, the virus receives control. It checks the environment area for the RANGE_CHECK=YES string and returns if it is set. Otherwise the virus creates the NAIVE.COM file, writes the "Are you here?" instructions into it, executes that file, and checks the resulting ERRORLEVEL value.
The NAIVE.COM file contains only an INT 21h call with AH=F6h. If a memory-resident copy of the virus already exists in memory, it returns the value 12345678h in the CX:DX registers, and NAIVE.COM exits with ERRORLEVEL=33. If there is no TSR virus copy, NAIVE.COM exits with ERRORLEVEL=32.
If the virus is already installed, the BAT-file commands delete NAIVE.COM and pass control to the original text. Otherwise the virus creates two files, NAIVE.DAT and NAIVE.COM (overwriting the previous NAIVE.COM file). It writes the ASCII-to-BIN decoder into the COM file and the ASCII data into the DAT file. Then the virus executes the command
@naive.com<naive.dat>naive.exe

This command creates the NAIVE.EXE file: it reads the ASCII data from NAIVE.DAT, decodes it into binary instructions, and writes them to NAIVE.EXE.
After the conversion the virus deletes the NAIVE.COM and NAIVE.DAT files and executes NAIVE.EXE. That file installs the virus memory resident and returns to the BAT file. After installation the virus deletes NAIVE.EXE, sets the environment string RANGE_CHECK=YES, and passes control to the original BAT-file commands.
When executed, NAIVE.EXE performs the same "Are you here?" call as described above. If a TSR copy is already installed, the virus exits with an INT 20h call. If there is no TSR copy, the virus checks its internal "generation" counter and tries to display a message in Russian. This fails because the virus never increases that counter, and fails a second time because all messages are redirected to the NUL device:
@naive.exe>nul

Then the virus hooks INT 21h using the DOS Get/SetVector functions and leaves its TSR copy resident with the Terminate and Stay Resident call INT 27h.
The INT 21h handler intercepts the "Are you here?" function AH=F6h (the virus returns CX:DX=12345678h) and the ChangeDir function AH=3Bh. On ChangeDir calls the virus searches for uninfected .BAT files, moves their contents down by 4894 bytes, and writes the BAT instructions listed above at their beginning. It then encodes itself into ASCII text and writes that text there as well.
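The prepended block described above can be recognised and removed from a .BAT file by its fixed marker lines. The following is an added example, not code from the original page: the function names are hypothetical, the sample prologue is constructed and abbreviated with dummy payload fields, and it assumes the `:naive` label line closes the prepended block as in the listing, using the stated 4894-byte size only as a cross-check.

```python
# Added example (not from the original page): find and strip the prologue.
MARKERS = (b"@rem naive",
           b"@if exist naive.* goto naive",
           b'@if "%range_check%=="yes goto naive')
END_LABEL = b":naive"   # last prepended line in the listing
STATED_LEN = 4894       # prepended size stated in the description

def _lines(data):
    """Yield (offset just past the line, stripped lowercase line)."""
    pos = 0
    for raw in data.splitlines(keepends=True):
        pos += len(raw)
        yield pos, raw.strip().lower()

def is_infected(data):
    """True when the file opens with the three marker lines, in order."""
    head = tuple(line for _, line in _lines(data))[:len(MARKERS)]
    return head == MARKERS

def original_offset(data):
    """Offset where the original batch text resumes, or None."""
    if not is_infected(data):
        return None
    for pos, line in _lines(data):
        if line == END_LABEL:
            return pos
    return None  # prologue is truncated: do not guess an offset

def disinfect(data):
    """Return (cleaned bytes, True if the offset equals STATED_LEN)."""
    off = original_offset(data)
    if off is None:
        return data, False
    return data[off:], off == STATED_LEN

def build_sample(original, filler=b"XXXX"):
    """Constructed input: abbreviated listing with dummy payload fields."""
    prologue = [b"@rem NAIVE", b"@if exist naive.* goto naive",
                b'@if "%range_check%=="yes goto naive',
                b"@echo>naive.com XXXX", b"@naive.com",
                b"@if not errorlevel 33 goto superwork",
                b"@del>nul naive.com", b"@goto naive", b":superwork",
                b"@echo>naive.dat " + filler,
                b"@set range_check=yes", b":naive"]
    return b"\r\n".join(prologue) + b"\r\n" + original

if __name__ == "__main__":
    clean, exact = disinfect(build_sample(b"@echo off\r\n"))
    print(clean, exact)
```

A cleaned file whose offset does not match the stated length should be reviewed by hand before the result is trusted.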



© 2006-2008 spyware32.com - Privacy Policy