W32/Batzback.A
Analysis
- Virus is 32-bit with a compressed size of 25,088 bytes
- If the virus is run, it may shut down AOL Instant Messenger chat clients
- Virus may write itself to the local system in several places in an effort to maximize its potential spread through mIRC, AOL Instant Messenger and Kazaa:
    aim95\buddyshare.exe
    Kazaa\My Shared Folder\EminEmSpearsBritney.Scr
    (Windows)\BatzBack.scr
    (Windows\System)\BatzBack.scr
- Virus creates a batch script file in the C:\Windows folder named "BatzBack.bat" and executes it. This batch script contains obfuscated variable assignments intended to make the code difficult to read.
- The batch script contains instructions to do the following:
    - Copy "BatzBack.scr" to the root of drives Z through G
    - Attempt to identify whether the target system is Windows XP, Windows NT or Windows 2000, based on the value returned by the "VER" instruction
    - If the system is determined to be Windows 2000, the virus may attempt to replace all files with an .EXE extension in all directories with BatzBack.scr, and also attempt to replace all .SCR files with BatzBack.scr
    - If the system is determined to be Windows XP or NT, the virus may attempt to replace all .EXE files in the current folder and one subfolder, and in the environment PATH, with the content of BatzBack.scr
    - If the day of the week is determined to be Sunday, the virus may attempt to write a debug script as "LONEInc.exe" and execute it. This file is a short binary file with instructions to overwrite the boot sector. The virus may also attempt to format drives D, E, F and G using the FORMAT instruction
    - Copy "BatzBack.scr" to the root of drives Z through G
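The analysis notes that BatzBack.bat hides its commands behind obfuscated variable assignments. The following is an added example (not Fortinet's code and not the real script) of how an analyst can resolve that trick statically, without executing anything: it walks the `set` assignments in order and expands `%name%` references the way cmd.exe does, so the assembled instruction (here the `ver` OS check the analysis mentions) becomes readable. The batch fragment is constructed and harmless; the function names `expand` and `deobfuscate` are this example's own.

```python
import re

# Constructed, harmless batch fragment that uses the same trick the analysis
# describes: commands are assembled from variable fragments so the real
# instruction never appears literally in the file. This is NOT the actual
# BatzBack.bat content.
SAMPLE_BAT = r"""@echo off
set a=v
set b=e
set c=r
set q=echo
%a%%b%%c%
%q% started
set d=%a%%b%%c%
%d% > nul
"""

# 'set name=value' (optionally quoted, as in: set "name=value")
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
# %name% references
VAR_RE = re.compile(r'%([^%\s]+)%')


def expand(line, env):
    """Resolve %name% references using the table built so far. cmd.exe expands
    these before it parses the command, so one substitution pass per line
    mirrors its behaviour; unknown names are left untouched."""
    return VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), line)


def deobfuscate(script):
    """Trace 'set' assignments statically (nothing is executed) and return
    (resolved command lines, final variable table)."""
    env, commands = {}, []
    for raw in script.splitlines():
        line = expand(raw, env)          # expansion happens before parsing
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)   # record, do not emit
            continue
        if line.strip():
            commands.append(line.strip())
    return commands, env


if __name__ == "__main__":
    cmds, table = deobfuscate(SAMPLE_BAT)
    for c in cmds:
        print(c)
    print("variables:", table)
```

Running it prints the four resolved lines, showing that `%a%%b%%c%` and `%d%` are both just `ver`. For real samples, suspicious lines to look for after resolution are the ones the analysis lists: `ver` checks, `copy` to drive roots, `format`, and a `debug` invocation that writes a binary.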
- Virus may create a script.ini configuration file in the mIRC program folder with instructions to send the file "BatzBack.scr" from the Windows\System folder
- Virus may modify the system registry to load itself at Windows startup:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    BatzBack = C:\Windows\BatzBack.scr
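The dropped files, the mIRC script.ini and the Run key above are the host-based indicators a responder would sweep for. The following added example (not Fortinet's code) checks a registry export and a list of file paths against those indicators. It assumes two inputs that are easy to obtain: the text of a `.reg` export of the Run key and a listing of file paths. Both inputs here are constructed sample data, and `parse_reg_export` and `find_indicators` are this example's own names.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the analysis above (file names only; the install
# directories of mIRC, Kazaa and AIM vary from machine to machine).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "batzback"
DROPPED_NAMES = {"batzback.scr", "batzback.bat", "loneinc.exe",
                 "buddyshare.exe", "eminemspearsbritney.scr"}

# Constructed sample .reg export (backslashes are doubled, as regedit writes them).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BatzBack"="C:\\Windows\\BatzBack.scr"
"Benign"="C:\\Program Files\\Example\\tray.exe"
"""

# Constructed sample file listing.
SAMPLE_FILES = [
    r"C:\Windows\BatzBack.scr",
    r"C:\Windows\System\BatzBack.scr",
    r"C:\Windows\BatzBack.bat",
    r"C:\Program Files\mIRC\script.ini",
    r"C:\Program Files\Kazaa\My Shared Folder\EminEmSpearsBritney.Scr",
    r"C:\Program Files\aim95\buddyshare.exe",
    r"C:\Windows\notepad.exe",
]


def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: data}}.
    Only string values ("name"="data") are handled, which suffices for Run keys."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]*)"\s*=\s*"(.*)"$', line)
            if m:
                # undo regedit's backslash doubling
                keys[current][m.group(1)] = m.group(2).replace('\\\\', '\\')
    return keys


def find_indicators(reg_text, file_paths):
    """Return a list of human-readable hits for the BatzBack indicators."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            # match on the value name or on the launched file name
            if name.lower() == RUN_VALUE or data.lower().endswith("batzback.scr"):
                hits.append(f"registry: {key}\\{name} = {data}")
    for p in file_paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        parts = [s.lower() for s in wp.parts]
        if name in DROPPED_NAMES:
            hits.append(f"file: {p}")
        elif name == "script.ini" and "mirc" in parts:
            # a script.ini in the mIRC folder is how the worm spreads over IRC
            hits.append(f"mirc script: {p}")
    return hits


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(hit)
```

A script.ini in the mIRC folder is not malicious on its own, so that hit is a candidate for review rather than a verdict; the Run value and the dropped file names are the stronger signals. Remediation after a positive sweep should also cover the .EXE and .SCR replacement the batch script performs, which this file-name check cannot see.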
Telemetry
Detection Availability
- FortiClient: Extreme
- FortiMail: Extreme
- FortiSandbox: Extreme
- FortiWeb: Extreme
- Web Application Firewall: Extreme
- FortiIsolator: Extreme
- FortiDeceptor: Extreme
- FortiEDR