BAT/BWG.V409

Analysis

This virus was created using an MS-DOS command-line batch-file virus generator, also known as a batch virus kit. The kit is known as "BWG", and this virus was created with version 4.09 of the kit. When the constructor is run, it presents the virus author with choices on how to construct the virus (see below).

  + + + + + + + + + + + + + + + + + + +
        BATCH WORM GENERATOR 4.09
  + + + + + + + + + + + + + + + + + + +

  WRITE WORM (1)
  INFORMATION (2)
  THANKS AND GREETS (3)
  INTERNET UPDATE (4)
  END (5)

  Please choose:

The user of the toolkit can choose several variations to create different-looking viruses, but all the creations share a similar construction, which makes them identifiable.

A virus author would begin by choosing option 1 and answering the questions presented:

  1. Name of the worm:
  2. Name of the Author:
  3. Name of the Batch file:

Next, the constructor asks questions about "Activation of the worm", such as these:

  • Shall the worm copy to the german start-upfolder (Y/N):
  • Shall the worm copy to the english start-upfolder (Y/N):
  • Shall the worm activate itself with the win.ini (Y/N):
  • Shall the worm activate itself with the system.ini (Y/N):
  • Shall the worm activate itself with the registry (Y/N):

The constructor then asks questions about "Internet Spreading", such as these:

  • Shall the worm spread with MS-Outlook (Y/N):
  • Shall the worm spread with KAZAA (Y/N):
  • Shall the worm spread with mIRC (Y/N):
  • Shall the worm spread with pIRCh (Y/N):
  • Shall the worm spread with Virc (Y/N):

The next questions involve "Spreading inside a PC":

  • Shall the worm infect all .BAT files (Y/N):
  • Shall the worm infect Windows-root (Y/N):
  • Shall the worm copy onto the Desktop (Y/N):
  • Shall the worm copy to a Disk (Y/N):

Then, questions are presented about "File dropping":

  • Shall the worm drop to REG files (Y/N):
  • Shall the worm drop to VBS files (Y/N):
  • Shall the worm drop to PIF files (Y/N):
  • Shall the worm drop to LNK files (Y/N):

The remaining questions cover "Anti AV Techniques" and "Other" properties:

  • Shall the worm-code include 1000 Fake Bytes (Y/N):
  • Shall the Worm delete some AV programs (Y/N):
  • Shall the worm use polymorphism (Y/N):
  • Shall the Worm write a message (Y/N):
  • Shall the worm create a logic hard drive (Y/N):
  • Shall the worm copy itself to a undeletable folder (Y/N):
  • Shall the worm include the EICAR-VIRUS-TEST-FILE (Y/N):
  • press enter...

Upon completing the Batch Worm Generator questionnaire, the kit writes a batch-file infector based on the responses. Because of the many possible variations, the size of the generated script also varies.
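To show how the questionnaire options above translate into things a defender can look for, here is an added Python triage script. It is example code written for this page; it is not Fortinet's detection logic and not code from the BWG kit. It scans a batch file line by line for command idioms that typically correspond to the activation, spreading and file-dropping options listed above, and maps each hit back to the kit option it resembles. The regular expressions, the review threshold, the comment-padding heuristic and the two sample inputs are this example's own assumptions, not signatures taken from the kit.

```python
import re
from dataclasses import dataclass, field

# Each entry maps a BWG questionnaire option (as listed on the page) to a regex
# for the kind of batch command such an option would typically emit. These are
# this example's assumptions about common batch idioms, not BWG signatures.
INDICATORS = {
    "copy to start-up folder (Startup / Autostart)":
        re.compile(r"\bcopy\b.*\\(startup|autostart)\\", re.I),
    "activate via win.ini":
        re.compile(r"\bwin\.ini\b", re.I),
    "activate via system.ini":
        re.compile(r"\bsystem\.ini\b", re.I),
    "activate via registry Run key":
        re.compile(r"currentversion\\run\b", re.I),
    "infect all .BAT files":
        re.compile(r"\bfor\b.*\bin\b\s*\(.*\*\.bat", re.I),
    "copy onto the Desktop":
        re.compile(r"\bcopy\b.*\\desktop\\", re.I),
    "copy to a disk (floppy drive letter)":
        re.compile(r"\bcopy\b.*\b[ab]:\\", re.I),
    "include the EICAR test file":
        re.compile(r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"),
}

# Assumed threshold: two or more independent behaviours (e.g. persistence plus
# spreading) is where an ordinary admin script becomes unlikely and a human
# analyst should look at the file.
REVIEW_THRESHOLD = 2


@dataclass
class Triage:
    hits: dict = field(default_factory=dict)   # indicator name -> first matching line
    comment_ratio: float = 0.0                 # share of REM / :: lines (padding heuristic)

    @property
    def needs_review(self) -> bool:
        return len(self.hits) >= REVIEW_THRESHOLD


def triage_batch(text: str) -> Triage:
    """Scan batch-file text and report which BWG-style options it appears to use."""
    result = Triage()
    lines = text.splitlines()
    comment_lines = 0
    for line in lines:
        stripped = line.strip()
        if not stripped:
            continue
        # Batch comments ('REM ...' or the '::' label trick). A high share of
        # them is one way inert padding can show up (assumption, not a BWG fact).
        if stripped.lower().startswith("rem ") or stripped.startswith("::"):
            comment_lines += 1
            continue
        for name, pattern in INDICATORS.items():
            if name not in result.hits and pattern.search(stripped):
                result.hits[name] = stripped
    nonblank = sum(1 for l in lines if l.strip())
    result.comment_ratio = comment_lines / nonblank if nonblank else 0.0
    return result


def report(text: str) -> str:
    """Human-readable summary for an analyst queue."""
    t = triage_batch(text)
    out = [f"indicators hit: {len(t.hits)}  comment ratio: {t.comment_ratio:.2f}"]
    out += [f"  [{name}] {line}" for name, line in t.hits.items()]
    out.append("verdict: REVIEW" if t.needs_review else "verdict: no generator-style behaviour found")
    return "\n".join(out)


# Constructed sample input (not real BWG output): exercises several indicators.
# Command bodies that are not themselves indicators are inert echoes.
SAMPLE_BAT = r"""@echo off
rem constructed sample for exercising the scanner
copy %0 "%windir%\Start Menu\Programs\Startup\update.bat" >nul
echo run=%windir%\update.bat >> %windir%\win.ini
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v update /d %windir%\update.bat /f
for %%f in (*.bat) do echo %%f
echo X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* > eicar.com
"""

# Constructed benign script: a plain file copy should not trip the threshold.
BENIGN_BAT = r"""@echo off
rem nightly backup helper
copy C:\data\report.txt D:\backup\ >nul
echo done
"""

if __name__ == "__main__":
    print(report(SAMPLE_BAT))
    print()
    print(report(BENIGN_BAT))
```

The per-option mapping is the useful part for an analyst: a single hit such as a `copy` to the Startup folder is common in legitimate scripts, whereas a file that both persists (win.ini, registry Run key) and touches every `.BAT` in the directory has the combined shape the questionnaire produces, whichever cosmetic choices the author made.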

Miscellaneous
This virus is somewhat obscure, so there is a small possibility of a false detection. Detection of this virus has been improved since the initial signature was added to the AV database.

Recommended Action

    FortiGate systems:
  • Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option.
    FortiClient systems:
  • Quarantine/delete infected files detected.
