W32/Batzback.A

description-logoAnalysis

  • Virus is 32bit with a compressed size of 25,088 bytes
  • If virus is run, it may shut down AOL Instant Messenger chat clients
  • Virus may write itself to the local system in several places in an effort to maximize its potential spread through mIRC, AOL Instant Messenger and Kazaa –
    aim95\buddyshare.exe
    Kazaa\My Shared Folder\EminEmSpearsBritney.Scr
    (Windows)\BatzBack.scr
    (Windows\System)\BatzBack.scr
  • Virus creates a Batch script file into the C:\Windows folder named “BatzBack.bat“ and executes it – this Batch script contains obfuscated variable assignments which are in an effort to make it difficult to read the code
  • The Batch script contains instructions to do the following -
    • Copy “BatzBack.scr” to the root of drives Z thru G
    • Attempt to identify if the target system is either Windows XP, Windows NT or Windows 2000 based on the value returned from the instruction “VER”
    • If the system is determined to be Windows 2000, virus may attempt to replace all files with .EXE extension in all directories with BatzBack.scr, and also attempt to replace all .SCR files with BatzBack.scr
    • If the system is determined to be Windows XP or NT, virus may attempt to replace all .EXE files in the current folder and one subfolder, and in the environment PATH with the content of BatzBack.scr
    • If the day of the week is determined to be Sunday, virus may attempt to write a debug script as “LONEInc.exe” and execute it – this file is a short binary file with instructions to overwrite the boot sector – virus may also attempt to format drives D, E, F and G using the FORMAT instruction
  • Virus may create a script.ini configuration file into the mIRC program folder with instructions to send the file “BatzBack.scr” from the Windows\System folder
  • Virus may modify the system registry to load itself at Windows startup –
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    BatzBack = C:\Windows\BatzBack.scr

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR