Kaspersky Threats

Class

Platform

Description

Technical Details

This is the harmless non-memory resident parasitic BAT virus. It searches for BAT files in the current directory, then infectes them. While infecting a file the virus run the ARJ archiver to pack necessary files. If there is no ARJ.EXE file in PATH, the virus fails to replicate itself.

The virus contains two parts of code and data. The first part (the header) contains DOS commands:

@echo off
rem YYY
arj x %0 -g""b�p� >nul
ren p Int
call i
ren Int a.bat
echo on
@call a
@echo off
del i.bat
del a.bat
del BATalia3

The second part (the rest) is an ARJ archive. This archive contains the I.BAT file that is the main virus code and the additional files:

P, BATALIA3

The BATALIA3 file contains several additional batch commands. The P file contains original code of an infected BAT file.

Thus any infected file contains the text strings (DOS commands) and the binary data (ARJ archive).

When executed, the virus runs the ARJ archiver, extracts the I.BAT and runs it. This batch file then searches for not infected BAT files in the current directory and infects them.

While infecting, the virus saves an original BAT file to ARJ archive (file P) and overwrites it. As a result the length of a file infected by BAT.Batalia3 may be less than before infection.

Class	Virus
Platform	BAT
Description	Technical Details This is the harmless non-memory resident parasitic BAT virus. It searches for BAT files in the current directory, then infectes them. While infecting a file the virus run the ARJ archiver to pack necessary files. If there is no ARJ.EXE file in PATH, the virus fails to replicate itself. The virus contains two parts of code and data. The first part (the header) contains DOS commands: @echo off rem YYY arj x %0 -g""b�p� >nul ren p Int call i ren Int a.bat echo on @call a @echo off del i.bat del a.bat del BATalia3 The second part (the rest) is an ARJ archive. This archive contains the I.BAT file that is the main virus code and the additional files: P, BATALIA3 The BATALIA3 file contains several additional batch commands. The P file contains original code of an infected BAT file. Thus any infected file contains the text strings (DOS commands) and the binary data (ARJ archive). When executed, the virus runs the ARJ archiver, extracts the I.BAT and runs it. This batch file then searches for not infected BAT files in the current directory and infects them. While infecting, the virus saves an original BAT file to ARJ archive (file P) and overwrites it. As a result the length of a file infected by BAT.Batalia3 may be less than before infection.

Virus.BAT.Batalia3

Technical Details