
Batch File Virus Project Technical Paper


Page 1: Batch File Virus Project Technical Paper

Running Head: Batch File Virus Project Final Paper

Final Project Paper

By: Stephen L. Whisman

Student ID # 1698547

Embry-Riddle Aeronautical University

Spring 2015

4/27/2015


Batch File Virus Project Final Paper 1

Batch File Virus Project Final Paper

The final project that I chose was to create a virus that is hosted on a flash drive and is auto run when plugged into a computer. The program has the ability to execute almost completely invisibly and will navigate to and steal files from one or more specific, known directories that are pre-programmed into it. After all of the files in a targeted directory are copied to a location on the USB drive, they are all deleted from the directory they were taken from. Once all of the files are deleted, the program copies a large picture file onto the victim computer and then replicates that file until the directory is completely full.

Unfortunately, when I first started working on this program I realized that Windows had disabled the auto run function for removable media, in order to stop malicious software such as this from being executed automatically, and I was unable to find a workaround to this problem for quite a few weeks. However, I had previously heard of a method of creating a small partition on a flash drive that is interpreted by the computer as a CDFS partition. The idea came from the U3 smart drives that were being created back in the mid-to-late 2000s, which would auto launch applications from a CDFS partition on the flash drive upon insertion of the USB drive. This is important for my project because Windows 7 and later versions still have the ability to auto run from a CD that contains software if the targeted computer has the "auto run software from CD" feature enabled.


Further research revealed that SanDisk discontinued their line of U3 smart drives due to a deal made with Microsoft, most likely for security reasons, and the idea of CDFS-partitioned flash drives started to fade from commercial retail. However, programmers from around the world continued to develop open source software capable of re-formatting flash drives to have a CDFS partition along with a normal NTFS partition. The issue with these re-formatting programs is that they are chipset dependent, meaning that a given program is only capable of formatting certain USB drives, depending on the chipset used inside the drive.

This presented another problem, which was that not all flash drives have the capability of being formatted in such a way, and trying to do so without the proper software tools or USB drives would result in permanent damage to the removable media. I was, however, able to discover a database of disk partitioning utilities on a website called USBDev.ru, which hosts a vast variety of disk utilities, as shown in Figure 1. In order to reformat a USB drive properly I needed to search the entire database for the tool that worked specifically for one of my flash drives' chipsets. This required many failed attempts, and it turned out that I just so happened to have one flash drive that was formattable with a CDFS partition.

Figure 1: USBDev.ru

The flash drive that I was able to use for my project is a SanDisk Ultra USB 3.0 16GB. In order to find the chipset that was included with the USB drive I used three tools from USBDev.ru called CheckUDisk, ChipEasy, and FlashGenius. These utilities showed me that my USB drive has a Phison PS2251-03 chipset controller. The software that I required to format my USB drive properly is a formatting tool called Phison ModeConverter, which is capable of creating one NTFS partition and also creating a CDFS partition with a premade .ISO file "burned" into it. The .ISO file stores all of my script files that are to be loaded into the CDFS partition and is created by a free ISO creator program called Free ISO Creator. Figure 2 shows this program taking the directory that has all of my .bat, .vbs, and .inf files that make up the virus and compressing it into an .ISO file.


Figure 2: Free ISO Creator

Once the ISO file has been created, the flash drive is inserted into a free USB port and Phison ModeConverter is launched. ModeConverter automatically finds the proper drive letter associated with any Phison chipset controller so the user does not accidentally try to format a drive that is not compatible. Next the proper settings are chosen, the NTFS partition is named, and the ISO file that was created earlier is chosen to be "burned" into the CDFS partition. The naming of the NTFS partition is important because the .bat file uses this name to identify which drive to copy data to. Then the convert button is clicked and the directions are followed until the removable media has been fully formatted. Figure 3 shows ModeConverter with the correct settings and drive name before and after convert is clicked.

Figure 3: ModeConverter with Correct Settings and Drive Name, Before and After Conversion

Once the flash drive has been formatted it will immediately be ready to use once it is plugged back into the computer. In order to perform tests on the program I needed to set up a few virtual machines, to prevent damage to my home computer, which required me to install Oracle VirtualBox. VirtualBox allows a virtual machine to be created that can be used to test software. With this program I created and copied virtual hard drives installed with Windows 7 Home Premium 64-Bit onto a removable hard drive. Once one of these virtual machines is running, the proper auto run setting for software on CDs is selected. Now the USB drive can be inserted into the virtual machine to test how it executes. Figure 4 shows the virtual machine's auto-run settings with the correct values selected in the image on the left, while the image on the right shows what the user of the computer should see when the script is running correctly.

Figure 4: Auto-Run Settings with Correct Values (Left) and Correct Program Execution (Right)


You may have noticed that in the right-hand image of Figure 4 there is no command line running and it looks like nothing is happening, when in reality the program is just running invisibly in the background. This is because the CDFS partition of my USB drive contains a file called launch.bat that has a call to start running wscript.exe with the invisible.vbs script file and virus.bat. The invisible.vbs file contains a short script that enables virus.bat to be run invisibly, with the exception of a blank command line window popping up for less than a second when the program starts executing. Figure 5 shows the contents of invisible.vbs displayed in Notepad.

Figure 5: Contents of Invisible.vbs
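As an added example (not code from the paper), the detection a defender would write for the launch chain just described: process-creation telemetry in which a script host is handed a .vbs plus a .bat, or cmd.exe is spawned by a script host to run a batch file, with extra weight when the paths sit on a CD-ROM volume. The event shape, the drive-letter inventory and the sample events are constructed assumptions.

```python
# Added example (not from the paper): detection logic for the hidden launch
# chain above, run over constructed process-creation events (e.g. Sysmon EID 1).
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str         # full path of the new process
    parent_image: str  # full path of its parent
    command_line: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Drive-letter paths ending in .vbs or .bat/.cmd, quoted or not.
VBS_RE = re.compile(r"[a-z]:\\[^\"\s]*\.vbs\b", re.I)
BATCH_RE = re.compile(r"[a-z]:\\[^\"\s]*\.(?:bat|cmd)\b", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events, optical_drives):
    """Return (rule, image, command_line) findings. optical_drives is the set of
    letters Windows mounted as CD-ROM (CDFS) volumes, taken from host inventory."""
    findings = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        vbs, bats = VBS_RE.findall(ev.command_line), BATCH_RE.findall(ev.command_line)
        # Rule 1: a script host handed both a .vbs and a batch file, the shape a
        # "run this .bat with a hidden window" wrapper produces.
        if img in SCRIPT_HOSTS and vbs and bats:
            rule = "script_host_wraps_batch"
            if any(p[0].upper() in optical_drives for p in vbs + bats):
                rule += "_from_optical_media"   # the CDFS-partition case
            findings.append((rule, img, ev.command_line))
        # Rule 2: cmd.exe spawned by a script host to run a batch file; its console
        # window is what the user never sees.
        elif img == "cmd.exe" and parent in SCRIPT_HOSTS and bats:
            findings.append(("batch_child_of_script_host", img, ev.command_line))
    return findings

# Constructed sample telemetry; E: is the CDFS partition in this scenario.
SYS = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    ProcEvent(rf"{SYS}\wscript.exe", rf"{SYS}\cmd.exe", r'wscript.exe "E:\invisible.vbs" "E:\virus.bat"'),
    ProcEvent(rf"{SYS}\cmd.exe", rf"{SYS}\wscript.exe", rf'{SYS}\cmd.exe /c ""E:\virus.bat""'),
    ProcEvent(rf"{SYS}\wscript.exe", r"C:\Windows\explorer.exe", r'wscript.exe "C:\Users\alice\rename.vbs"'),
    ProcEvent(rf"{SYS}\cmd.exe", r"C:\Windows\explorer.exe", r'cmd.exe /c "C:\tools\build.bat"'),
]
```

Only the first two sample events (the wrapper launch and its cmd.exe child) should fire; the last two are ordinary script and batch use and stay silent.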

Before going any further I would like to explain why I chose to use a batch file as my virus and what a batch file is. The choice to use a batch file was due to the fact that they can perform a variety of tasks and are more difficult to detect than many other programming languages. They are commonly used to automatically update things when a certain event occurs and to format data storage media. They can also be used to steal information, irritate victims by wasting CPU resources, delete Windows files, and disable both the antivirus and firewall ("Microsoft Corporation", 2015).

Batch files, also called batch programs or scripts, were designed to simplify routine or repetitive tasks back in MS-DOS. They still exist today as a relatively unused and unknown feature in Windows operating systems. They are written in an unformatted text file that includes one or more commands for the command line and is saved with a .bat or .cmd extension. Any commands that work in the Windows command line are allowed, along with constructs like for loops, goto statements, and if statements that are used to tell the program what to do when executing ("Batch File", 2015).

When one of these script files is executed, the commands within are executed line by line until the end of the file is reached, which results in the termination of the script. The only exceptions to the sequential execution of the commands are when the program is in a for loop or hits a goto statement.

My virus's launch.bat file, which initiates the execution of virus.bat, is called by the autorun.inf file, which the computer automatically launches once the removable media is plugged in. The batch file called virus.bat is the main script file that contains the code that identifies whether the drives that have been pre-programmed exist or not, and the code that copies, erases, and fills the working directory with spam. Figure 6 below shows all of the files that are formatted into the CDFS partition on the left and the contents of virus.bat on the right.


Figure 6: All Files That Are Part of the CDFS Partition (Left) and Contents of virus.bat (Right)
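As an added example, not the paper's code: a small audit helper that reads an autorun.inf the way the launch chain above relies on it and checks, against the NoDriveTypeAutoRun policy bitmask, whether the host would honour it on a CD-ROM (CDFS) volume, which is the setting the paper says must be enabled for the project to work. The sample inf and the policy values fed to it are constructed, and the parser is deliberately limited to the [autorun] section.

```python
# Added example, not from the paper: an audit helper that parses an autorun.inf
# and decides from the NoDriveTypeAutoRun policy whether Windows would act on it
# for a given drive type. Bit n of that value disables AutoRun for GetDriveType
# value n, so 0x20 covers CD-ROM (CDFS) volumes and 0xFF disables every type.
DRIVE_BITS = {"unknown": 0x01, "removable": 0x04, "fixed": 0x08,
              "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40}
LAUNCH_KEYS = ("open", "shellexecute")          # keys that name something to run
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".wsf", ".exe")

def parse_autorun(text: str) -> dict:
    """Return key/value pairs of the [autorun] section, keys lower-cased."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def autorun_blocked(policy: int, drive_type: str) -> bool:
    """True if the policy bitmask disables AutoRun for this drive type."""
    return bool(policy & DRIVE_BITS[drive_type])

def assess(inf_text: str, drive_type: str, policy: int) -> dict:
    """Summarise what the inf asks to run and whether the policy lets it run."""
    entries = parse_autorun(inf_text)
    target = next((entries[k] for k in LAUNCH_KEYS if k in entries), "")
    program = target.split()[0].strip('"').lower() if target else ""
    blocked = autorun_blocked(policy, drive_type)
    return {
        "target": target,                          # what the inf names
        "script_launcher": program.endswith(SCRIPT_EXT),
        "policy_blocks": blocked,
        "would_run": bool(target) and not blocked,
    }

# Constructed sample of the shape the paper describes (an inf that launches a
# batch file); the icon and label lines are typical filler.
SAMPLE_INF = """; constructed sample
[autorun]
open=launch.bat
icon=setup.ico
label=Photos
"""

if __name__ == "__main__":
    print(assess(SAMPLE_INF, "cdrom", 0xFF))   # every drive type disabled: blocked
```

Windows consults more than this one value (for example HonorAutoRunSetting and the AutoPlay defaults), so treat the result as a policy audit rather than an emulation of Explorer.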

The program that I have written above is extremely modifiable and can easily be changed to implement other potentially harmful actions. For example, code could be added that searches for every available media storage drive letter in order to copy all the data that is connected to a computer. Other code could be used that saves a separate .bat file, which copies junk files into a hidden directory, into the Windows file system and causes it to auto run on computer startup. This would be a useful function because it effectively uses up all of the system memory and the victim would have a hard time finding out why.

I desired to implement a way to disable the antivirus, firewall, and networking capabilities but was unable to find a way. I was able to create a batch file that did all of these things, but it was not capable of being run invisibly. Since I want it to run invisibly this was unacceptable, so I decided not to implement it in my final submission. I also wanted to implement a way to auto run on system startup but I honestly ran out of time and was unable to add it to the final submission. Figure 7 shows the code needed to disable the system security, firewall, and network adapter.

Figure 7: Network Capability and Security Disable

Overall, batch files can be both an incredibly useful and yet dangerous tool. That being said, they are also very difficult to write and fully understand if the programmer does not understand the proper syntax that goes along with the MS-DOS command line interface. One space in the wrong location will cause the batch file to operate improperly, resulting in a faulty execution.


The final submission does function correctly and has been used to copy more than 2GB of data at a time from multiple disk drives that were connected to a computer, even ones that are shared over a network. It also deletes the user's profile directory and fills it with junk files, which can result in loss of valuable information because that space is now holding new data instead of just being unindexed from memory. Figure 8 shows the user directory after the virus has finished executing. Notice that the computer is giving an error message that it is low on disk space because of the junk file replication.

Figure 8: User Directory After


In conclusion, I am disappointed that I was unable to implement more advanced features into this project because of time constraints. This project is probably something that I will continue to slowly modify in my free time. I was continually challenged and confused by the batch script syntax and also had a difficult time navigating USBDev.ru even after the page had been translated from Russian to English. There are so many different tools and versions of tools that even the ones that are listed for your chipset controller may not work. Just discovering which chipset controller my drives had was a lengthy task because a lot of the tools are also extremely buggy. I found this project quite challenging and feel that I have a much greater knowledge of how malicious programs are able to cause so much frustration to a victim and damage to a computer.


Bibliography

Batch File Help. (2015). Retrieved April 27, 2015, from http://www.computerhope.com/batch.htm

Microsoft Corporation. (2015). Retrieved April 27, 2015, from http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/batch.mspx?mfr=true