Class Virus
Platform BAT

Technical Details

This is a harmless, non-memory-resident parasitic BAT virus. It searches for BAT files in the current directory and infects them. While infecting a file, the virus runs the ARJ archiver to pack the necessary files. If ARJ.EXE is not in the PATH, the virus fails to replicate.

The virus consists of two parts, containing code and data. The first part (the header) contains DOS commands:

@echo off
rem BAT4
arj x %0 >nul
call i
del sg
del i.bat

The second part (the rest) is an ARJ archive. This archive contains the I.BAT file, which is the main virus code, and an additional file named SG. The SG file contains several additional batch commands.

Thus any infected file contains both text strings (DOS commands) and binary data (the ARJ archive).

When executed, the virus runs the ARJ archiver, extracts I.BAT and runs it. This batch file then searches for uninfected BAT files in the current directory and infects them.

While infecting, the BAT.Batalia4 virus appends its code to the end of files and does not modify the original file contents.
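
The layout described above (an `arj x %0` self-extraction command followed by ARJ archive data in the same BAT file) can be checked for mechanically. The Python check below is an added example, not part of the original description: the function names are hypothetical, it assumes the standard ARJ header id 0xEA60 (bytes 60 EA) followed by a basic header size of at most 2600, and the sample byte strings are constructed stand-ins rather than real samples.

```python
import re
import struct
import sys
from pathlib import Path

ARJ_MAGIC = b"\x60\xea"        # ARJ header id 0xEA60, stored little-endian
ARJ_MAX_BASIC_HEADER = 2600    # upper bound of the basic header size field
# Self-extraction command and marker line from the header quoted on this page.
SELF_EXTRACT = re.compile(rb"^\s*arj\s+x\s+%0\b", re.IGNORECASE | re.MULTILINE)
MARKER = re.compile(rb"^\s*rem\s+BAT4\s*$", re.IGNORECASE | re.MULTILINE)

# Constructed test data: the page's header plus a dummy, non-functional ARJ stub.
HEADER = b"@echo off\r\nrem BAT4\r\narj x %0 >nul\r\ncall i\r\ndel sg\r\ndel i.bat\r\n"
FAKE_ARJ = ARJ_MAGIC + struct.pack("<H", 30) + bytes(30)
SAMPLE_INFECTED = b"@echo off\r\necho host file\r\n" + HEADER + FAKE_ARJ
SAMPLE_CLEAN = b"@echo off\r\narj a backup *.txt\r\n"

def find_arj_offset(data, start=0):
    """Return the offset of the first plausible ARJ header at or after start, else -1."""
    pos = data.find(ARJ_MAGIC, start)
    while pos != -1:
        if pos + 4 <= len(data):
            (size,) = struct.unpack_from("<H", data, pos + 2)
            if 0 < size <= ARJ_MAX_BASIC_HEADER:
                return pos
        pos = data.find(ARJ_MAGIC, pos + 1)
    return -1

def scan_bat(data):
    """Classify the raw bytes of a BAT file against the layout described above."""
    cmd = SELF_EXTRACT.search(data)
    # Only archive data that follows the self-extraction command is of interest.
    arj_at = find_arj_offset(data, cmd.end()) if cmd else -1
    return {
        "self_extract_cmd": cmd is not None,
        "bat4_marker": MARKER.search(data) is not None,
        "arj_offset": arj_at,
        "suspicious": cmd is not None and arj_at != -1,
    }

if __name__ == "__main__":
    # Scan *.bat in the given directory (the glob is case-sensitive on some systems).
    for path in sorted(Path(sys.argv[1] if len(sys.argv) > 1 else ".").glob("*.bat")):
        result = scan_bat(path.read_bytes())
        print(path, "SUSPICIOUS" if result["suspicious"] else "ok", result)
```

The `rem BAT4` marker is reported separately and is not required for a hit, since the combination of the self-extraction command and embedded archive data is the structural indicator.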