Kaspersky Threats

Class

Platform

Description

Technical Details

It is a dangerous nonmemory resident parasitic BAT virus. It searches for
.BAT files in the current and parent directories, then writes itself to the
end of the file. The virus uses an infecting way similar to parasitic COM
infectors – it writes its code to the end of the file and inserts
GoTo_Virus command to the file header:



+—————+

�@echo off      � Jmp-to-virus commands

+——�goto HotToTrot3�

�+—->�:To            �

��     +—————� Original BAT file commands

��     �…            �

��     �…            �

��     �…            �

��     +—————�

��+—-�goto Trot3     � Jump to return-to-DOS command

���    +—————�

+—–>�:HotToTrot3    � Main virus code

��    �…            �

��    �…            �

+—–�goto To        � Return to host program

+—>�Trot3:         � Return to DOS

+—————+

While infecting a file the virus accesses DOS functions (INT 21h). To do
that it creates and runs two temporary COM files – saves their hexadecimal
dump to disk and converts it to binary file by using DEBUG (if there are no
DEBUG in PATH, the virus may corrupt the files while infecting them).

Class	Virus
Platform	BAT
Description	Technical Details It is a dangerous nonmemory resident parasitic BAT virus. It searches for .BAT files in the current and parent directories, then writes itself to the end of the file. The virus uses an infecting way similar to parasitic COM infectors – it writes its code to the end of the file and inserts GoTo_Virus command to the file header: +—————+ �@echo off � Jmp-to-virus commands +——�goto HotToTrot3� �+—->�:To � �� +—————� Original BAT file commands �� … � �� … � �� … � �� +—————� ��+—-�goto Trot3 � Jump to return-to-DOS command �� +—————� +—–>�:HotToTrot3 � Main virus code �� … � �� … � +—–�goto To � Return to host program +—>�Trot3: � Return to DOS +—————+ While infecting a file the virus accesses DOS functions (INT 21h). To do that it creates and runs two temporary COM files – saves their hexadecimal dump to disk and converts it to binary file by using DEBUG (if there are no DEBUG in PATH, the virus may corrupt the files while infecting them).

Virus.BAT.Hot2Trot

Technical Details