Class Virus
Platform BAT

Technical Details

This is the harmless non-memory resident parasitic BAT virus. It searches for BAT files in the current directory, then infectes them. While infecting a file the virus run the ARJ archiver to pack necessary files. If there is no ARJ.EXE file in PATH, the virus fails to replicate itself.

The virus contains two parts of code and data. The first part (the header) contains DOS commands:

@echo off
rem YYY
arj x %0 -g""b�p� >nul
ren p Int
call i
ren Int a.bat
echo on
@call a
@echo off
del i.bat
del a.bat
del BATalia3

The second part (the rest) is an ARJ archive. This archive contains the I.BAT file that is the main virus code and the additional files:


The BATALIA3 file contains several additional batch commands. The P file contains original code of an infected BAT file.

Thus any infected file contains the text strings (DOS commands) and the binary data (ARJ archive).

When executed, the virus runs the ARJ archiver, extracts the I.BAT and runs it. This batch file then searches for not infected BAT files in the current directory and infects them.

While infecting, the virus saves an original BAT file to ARJ archive (file P) and overwrites it. As a result the length of a file infected by BAT.Batalia3 may be less than before infection.

Find out the statistics of the threats spreading in your region