This is a polymorphic worm written in Batch script, using the command extensions of Windows 2000/XP (cmd.exe). The worm consists of two parts: a polymorphic generator and the main body. The polymorphic generator reconstructs the main body each time the batch file is started. The worm creates its droppers as the files SPTH.BAT and C:\MIRC\SATURN.BAT. It also creates the script file C:\MIRC\SCRIPT.INI. The script sends the worm dropper (SATURN.BAT) to each user who joins the infected channel. The worm also rewrites batch files in the WINDOWS directory. The worm contains the following comments:
----------- BatXP.Saturn ********** by Second Part To Hell -----------
|
I think, you are looking at the code and think: "What the hell is this?"|
The answer is: A Windows XP Batch polymorph virus :D |
WinXP is using a program named CMD.EXE instate of COMMAND.COM for DOS |
You're able to make the really nice things with CMD which you wasn't |
able to do it with COMMAND.COM. |
|
Information about the virus: |
Virusname......................: BatXP.Saturn |
Virusauthor....................: Second Part To Hell |
Size...........................: The poly-engine has 1.301 Bytes |
The whole virus has 4.158 Bytes |
Encrypted......................: Yes, but only the virus part. |
I'll crypt also the poly engine in |
next versions. |
Polymorphic....................: Yes |
|
written from 20.11.2002 to 22.11.2002 |
in Austria |
----------------------------------------------------------------------
Modifications
IRC-Worm.Spth.b
The worm's droppers are: SPISSTOM.BAT, C:\PROGRA~1\MIRC\MIRC.BAT
The script file name is: C:\PROGRA~1\MIRC\SCRIPT.INI
IRC-Worm.Spth.c
The worm's droppers are: SPISSTOM.BAT, C:\MIRC\INSTALL.BAT
The script file name is: C:\MIRC\SCRIPT.INI
IRC-Worm.Spth.d
The worm's droppers are: DRRA.BAT, C:\PROGRA~1\MIRC\SATURN.BAT
The script file name is: C:\PROGRA~1\MIRC\SCRIPT.INI
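
A triage check built from the file names listed above, added here as an example and not taken from the original description. It reads a file listing (for instance the output of `dir /s /b`) and ranks which described variant the artifacts match. The label for the base description, the `Program Files` to `PROGRA~1` mapping, and the sample listing are assumptions made for the example.

```python
import ntpath

# Indicators copied from the description above. Bare names (no directory)
# are droppers whose location the description does not give.
VARIANTS = {
    "BatXP.Saturn (base description)": (["SPTH.BAT", r"C:\MIRC\SATURN.BAT"],
                                        r"C:\MIRC\SCRIPT.INI"),
    "IRC-Worm.Spth.b": (["SPISSTOM.BAT", r"C:\PROGRA~1\MIRC\MIRC.BAT"],
                        r"C:\PROGRA~1\MIRC\SCRIPT.INI"),
    "IRC-Worm.Spth.c": (["SPISSTOM.BAT", r"C:\MIRC\INSTALL.BAT"],
                        r"C:\MIRC\SCRIPT.INI"),
    "IRC-Worm.Spth.d": (["DRRA.BAT", r"C:\PROGRA~1\MIRC\SATURN.BAT"],
                        r"C:\PROGRA~1\MIRC\SCRIPT.INI"),
}

def norm(path):
    """Upper-case the path and fold the long directory name to its 8.3 form.
    Assumption: C:\\Program Files has the default short name PROGRA~1."""
    p = path.strip().strip('"').replace("/", "\\").upper()
    return p.replace("C:\\PROGRAM FILES\\", "C:\\PROGRA~1\\")

def hit(indicator, paths):
    # Full paths must match exactly; bare names match in any directory.
    if "\\" in indicator:
        return indicator in paths
    return any(ntpath.basename(p) == indicator for p in paths)

def classify(listing):
    """Return [(variant, score)] sorted best match first."""
    paths = {norm(line) for line in listing if line.strip()}
    results = []
    for name, (droppers, script) in VARIANTS.items():
        found = [d for d in droppers if hit(d, paths)]
        if not found:
            # SCRIPT.INI alone is not counted: the name is not specific
            # to the worm, so it only corroborates a dropper hit.
            continue
        results.append((name, len(found) + (script in paths)))
    return sorted(results, key=lambda r: (-r[1], r[0]))

# Constructed sample listing, not taken from a real system.
SAMPLE = [
    r"c:\program files\mirc\mirc.exe",
    r"c:\program files\mirc\script.ini",
    r"c:\program files\mirc\saturn.bat",
    r"C:\Documents and Settings\user\Desktop\drra.bat",
    r"C:\WINDOWS\system.ini",
]

if __name__ == "__main__":
    for variant, score in classify(SAMPLE):
        print(f"{variant}: {score} of 3 indicators present")
```

SPISSTOM.BAT is shared by the .b and .c modifications, so the mIRC directory is what separates them in the ranking.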
