Batch File Viruses

Batch files can be used to transmit binary executable code and either be or drop viruses.

While not often found, it is possible to write a batch file that contains a virus. In most cases the batch file is used to drop a memory or disk virus which then takes over when the computer is next started. These don't always work, but it is interesting to briefly go over the design so you can possibly recognize this type of virus if you happen to see one.

One batch file virus takes the following form:

@ECHO OFF
:s%r#
COPY %0.BAT C:\Q.COM>NUL
C:\Q
[ binary data ]

The first line causes batch file commands to not echo to the screen so you won't see what's going on. The second line is a label as far as the batch file is concerned. In reality, this label is what makes the whole thing work. The third line copies the batch file itself to an executable file named Q.COM in the root directory of the C: drive. The output of the COPY command is directed to the NUL device so you see nothing on the screen that indicates this copy took place. Finally, the fourth line executes the newly 
created Q.COM file.

On the surface you would think that trying to rename a .BAT file to .COM and execute it would result in nothing but errors. Normally, that is the case but the label changes all that. The text up to the label converts to instructions the CPU can execute, but they do nothing. When the label is "executed" this changes. The CPU interprets the label as follows:

JNC Install ; 's%'
JC Install ; 'r#'

These instructions cause the CPU to look ahead into the binary instructions in the batch file. These binary instructions are the real virus (or virus dropper).

There are several batch file viruses, but each works in a manner similar to that described above. The labels and batch file instructions may differ; but the method of operation is similar.

Use the characteristics of the virus described above to look for batch file viruses. If there are obscure labels (lines starting with a colon) at the start of a batch file, use caution. Most batch file labels are fairly straighforward words or names. Secondly, if you see a batch file that is several thousand bytes long yet when you use the DOS command TYPE to display it to the screen you only see a few lines, that is another tipoff. Most batch file viruses insert an end-of-file mark (Control-Z) between the batch file portion and the binary instruction portion.

Batch file viruses are not common; but like with all things new on your system, take care.

Summary

Batch files can be used to transmit binary executable code and either be or drop viruses.

To detect these viruses look for two signs: 
An odd label at the start of the batch file
A batch file that is too long for the text in it.