Just wonderin' :-)

[Michael D. Alligood]

I guess I will join this thread and post my 2 cents in as well. Let us
start with the basics: What is a virus? According to Microsoft, a
viruses are, "(Computer viruses are) software programs that are
deliberately designed to interfere with computer operation, record,
corrupt, or delete data, or spread themselves to other computers and
throughout the Internet." This includes *.bat files. So can *.bat files
be viruses? Of course. It is a possibility. However, *.bat files are old
technology (but that is still in use today). The probability of a *.bat
virus spreading on the internet is slim; at least one that is spreading
quickly in the wild. A batch file is a collection of commands; although
not as sophisticated as today's scripts.

I remember old batch files that would reboot your computer and format
your c:\ drive or worse fdisk the whole drive. To knock on wood, I have
not run across many viruses nowadays that do this. IMHO, I worry about
spyware 10x more than viruses.

I feel as if I have digressed, so I will stop now. I hope that helps


--
Michael D. Alligood
MCSA, MCDST, MCP, A+,
Network+, i-Net+, CIW Assoc.,
CIW Certified Instructor

 

[BoaterDave]

Hello Michael,

Thank you for responding. Your comments were rather supportive of my theory.

I haven't (or so I thought!) intimated that *.bat files are spreading 'in
the wild', rather that I feel that they may be being utilised by (probably)
a small number of 'bad guys' who are hiding within a specific newsgroup, the
purpose of which is supposed to help others with their PC problems (*still*
no concrete proof, which is highly frustrating!). There are, though,
hundreds of users of the 'host' server, so many users may be compromised.

When I discussed the threat I received with our Police (once I had recovered
funds fraudulently taken from my bank account by PayPal last year) I
discovered just how massive Cybercrime has become. Discussion with their
Hi-Tech crime unit then led me to investigate further, and I discovered
findings by Sunbelt Software which, in turn, made me realise that no-one
really knows just *how* such crime is growing. So, perhaps in memory of my
son, I've done my best to identify how it *may* be being done (at least in
part).

I feel that I can take the matter little further on my own.

Thanks again.

David

PS You will find many posts I've made before if you 'Google' for BoaterDave,
but find out just who *I* am if you 'Google' for BoaterDaveTJ
____________________________________________________

 

[BoaterDave]

Thanks Shenan.

............... but they *could* be? Please see my response to Michael.

David
_________________________________________________

 

[BoaterDave]

Thank you for your view, Ken.

.............. so if they *could* be, would they be identified by an
anti-virus scan?

I think not. You may know different - I'm still willing to learn!

Please see my response to Michael. Thank you.

David
_________________________________________________
Although it's possible that such

commands *could* be mailicious, there's nothing about their being in a bat
file that makes them so, and most bat files by far are completely
innoucuous.

Ken Blake - Microsoft MVP Windows: Shell/User

 

[Shenan Stanley]

Thanks Shenan.

.............. but they *could* be? Please see my response to

*.jpgs can have viruses.
*.doc files can contain macro viruses.
You can be infested with a LOT of malware just by visiting the wrong web
page.

I never said they could not be bad - matter of fact - I said they could be
bad. What I was disagreeing with was the assertion your young friend made
that you stated, "... One thing he mentioned recently was '.bat' files. He
was absolutely adamant that, with only two exceptions, other such files
indicate that a PC has been compromised, often without the knowledge of the
user. I have tried to convince others of this, but none believe me ..." <-
it's simply not true as stated. It does *not* indicate an infested/infected
machine at all - and in the majority of cases is 100% benign.

 

[BoaterDave]

Shenan - I appreciate you coming back to me yet again (I'm sure you must be
busy with other things, so thanks)

Perhaps you didn't read my response to Michael where I said:-

"My basic understanding now is that, as a 'bat' file is not a 'virus' per
se,
it would (probably) not be picked up by an anti-virus programme. However, I
suspect that if such a file was surepticiously placed on one's PC, it could
issue commands to make one's PC do just about anything, including being able
to make adjustments to, in my case, NIS 2006.

If I'm right about this (and I recognise that I may have got it wrong yet
again!) unless one specifically seeks out a suspicious 'bat' file, one's PC
could apparently be working normally whilst, at the same time, be acting as
a 'zombie' for unscrupulous persons unknown. (Perhaps that is what my
'script kiddie' meant - he's no academic, that's for sure!)"

I DO understand what you have explained to me. Thank you again.

HTH

David
____________________________________________

 

[Michael D. Alligood]

Almost all AV programs now have heuristics scanning. To further explain,
heuristics scanning "is similar to signature scanning, except that
instead of looking for specific signatures, heuristic scanning looks for
certain instructions or commands within a program that are not found in
typical application programs. As a result, a heuristic engine is able to
detect potentially malicious functionality in new, previously
unexamined, malicious functionality such as the replication mechanism of
a virus, the distribution routine of a worm or the payload of a trojan."
(Markus Schmall).

So along with detecting viruses by using "virus signatures", AV programs
also look for "certain instructions or commands within a program that
are not found in typical application programs." Possibly detecting your
*.bat files. While there is no golden AV program that detect all
suspicious programs, files and scripts -- and I do not want to continue
this thread with the "Best AV program" on the market, it should perform
heuristic scans to help locate these suspicious files/programs.

I hope this clears things up.

--
Michael D. Alligood
MCSA, MCDST, MCP, A+,
Network+, i-Net+, CIW Assoc.,
CIW Certified Instructor

 

[Ken Blake, MVP]

Thank you for your view, Ken.

.............. so if they *could* be, would they be identified by an
anti-virus scan?

I think not. You may know different - I'm still willing to learn!

Others here have called you a troll. I don't know anything of your past
postings, so I am willing to give you the benefit of the doubt, unless or
until you convince me that you are trolling. You are close to convincing me
of that, but I thought I would invest one more message before being sure.

So here's the story:

It's likely that many kinds of malicious statements in a bat file would not
be caught by a an anti-virus program. There are many kinds of malicious
software, and the kind you might find in a bat file would not be a virus,
and might not be caught. Anti-virus software does not catch everything, and
if you rely solely on anti-virus osftware for protection for security, you
are kidding yourself.

Let's say, for the sake of argument, that I want to create a file that would
delete the contents of an important folder like c:\program files. I could
write a batch file to do this, I could create an exe file to do this, I
could create a file that masqueraded as a jpg file (or any other type) to do
this. Regardless of how I did it, a virus checker might not catch it.

The point is that all of the various ways I might write something to perform
this malicious act are equivalent. There's nothing special about the bat
file, and that particular kind of file is no more risky than any other type
of file.

Over and above the points made above, you said "One thing he mentioned
recently was '.bat' files. He was absolutely adamant that, with only two
exceptions, other such files indicate that a PC has been compromised, often
without the knowledge of the user. I have tried to convince others of this,
but none believe me. "

Your young man's statement is *completely* false. There is risk in bat
files, as there is risk with any kind of files. With bat files, as with all
other files, you need to know what they are and where they came form before
you can trust them. The risk is not greater with bat files and the statement
that "with only two exceptions, other such files indicate that a PC has been
compromised" is complete and utter nonsense. If you are putting your trust
in someone who says that, you are very clearly trusting the wrong person. He
has no idea what he is talking about.

Feel free to disbelieve everything I, and everyone else here, has told you,
and trust your young man instead. It's entirely your choice.

 

[Tom Thumb.]

Mr. BoaterDave, have you ever heard of the saying that it is better to have
others wonder if you are an idiot than to open your mouth and remove all
doubt?



Hello TechB - nice to see you here!

I think you already know the danger of '.bat' files to us mere mortals.
My real, 'in-the-flesh', ex 'script kiddie' hacker turned PC consultant has
told
me so face-to-face. I'd rather trust him than you, I'm afraid.

David
__________________________________________________

 

[Frank Saunders, MS-MVP OE/WM]

My thanks to both Frank and Shenan. I appreciate your comments.

I've spent hundreds of hours 'experimenting'over the last 12 months,
culminating with a discussion with a young man (mid 20's) who is employed
in
a local computer shop. He is a self-confessed ex 'script kiddie' hacker
who
has now reformed and spends most of his time helping others by repairing
PC's and ridding them of 'nasties'. He is real and not just a 'virtual'
entity. I believe what he tells me. Perhaps that is because he is getting
married soon and has introduced me to his fiance.

One thing he mentioned recently was '.bat' files. He was absolutely
adamant
that, with only two exceptions, other such files indicate that a PC has
been
compromised, often without the knowledge of the user. I have tried to
convince others of this, but none believe me.

I was concerned about the web site because of the utilisation of '.bat'
files
if one follows the use of a HOSTS file, here:
http://mvps.org/winhelp2002/hosts.htm

That particular site is one I will vouch for. The BAT files there are not
harmful and can be quite useful. They are also quite well known. If I were
to use them I would change the names, however, but to something I was sure I
could remember. The reason is that they are so well known that malware
might look for them and try to change them to do something nasty.

 

[Frank Saunders, MS-MVP OE/WM]

Shenan - I appreciate you coming back to me yet again (I'm sure you must
be busy with other things, so thanks)

Perhaps you didn't read my response to Michael where I said:-

"My basic understanding now is that, as a 'bat' file is not a 'virus' per
se,
it would (probably) not be picked up by an anti-virus programme. However,
I
suspect that if such a file was surepticiously placed on one's PC, it
could
issue commands to make one's PC do just about anything, including being
able
to make adjustments to, in my case, NIS 2006.

If I'm right about this (and I recognise that I may have got it wrong yet
again!) unless one specifically seeks out a suspicious 'bat' file, one's
PC
could apparently be working normally whilst, at the same time, be acting
as
a 'zombie' for unscrupulous persons unknown. (Perhaps that is what my
'script kiddie' meant - he's no academic, that's for sure!)"

A BAT file can't run by itself. You might as well say that EXE and DLL
files are suspicious. They could be placed on the computer by something
else and do something nasty when run. There is no way that they are
inherently dangerous and certainly are not as dangerous as SCR files, which
may be screen savers but also may be script files.

 

[Frank Saunders, MS-MVP OE/WM]

Hello TechB - nice to see you here!

I think you already know the danger of '.bat' files to us mere mortals.
My real, 'in-the-flesh', ex 'script kiddie' hacker turned PC consultant
has told
me so face-to-face. I'd rather trust him than you, I'm afraid.

Your 'script kiddie' is an ignorant fear monger. I have seen many good and
useful BAT files and only one or two malicious ones. The main reason I
don't use BAT files anymore is that it's too easy to forget exactly what
such a file does and thus forget how to do it manually. Since my main
business is helping people I want to be able to tell my customers over the
phone how to do things that I would have written a BAT file for if it was
for my own use only.

You also seem to be expressing a common prejudice that only young people can
"know" computers. That's ridiculous. Yes, a lot of older people are
computer illiterate, but so are an awful lot of young people. The young
people can be more dangerous in their advice just because they subscribe to
this prejudice and think they know a lot simply because they're young and
have learned a few tricks.

 

[BoaterDave]

I really appreciate your comments, Michael.

Thank you for taking the time and trouble to help me.

Whilst I know that there are differing views, I'm now using NIS 2006 and
hope this will help protect my PC!

As I have personally not deliberately added any'bat' files to my PC, I have
deleted all but Autoexec.bat

David
______________________________________

 

[BoaterDave]

I appreciate your help, Ken. Thank you.

I will relay the comments which you and others have made and see what his
response is!

Cheers,

David
_______________________________________

 

[Michael D. Alligood]

And you can delete that as well. Windows XP has no need for it. As for
NIS 2006, may I ask how the performance of your computer has been since
installation. And may I also inquiry as to the amount of RAM you have
installed. I generally stay away from the "security suite" programs. The
exception would be Windows Live One Care that I currently have installed
on my laptop -- I really am a fan of this product.

--
Michael D. Alligood
MCSA, MCDST, MCP, A+,
Network+, i-Net+, CIW Assoc.,
CIW Certified Instructor

 

[Michael D. Alligood]

And by the way, you are more than welcome. I am glad I could assist you.

--
Michael D. Alligood
MCSA, MCDST, MCP, A+,
Network+, i-Net+, CIW Assoc.,
CIW Certified Instructor

 

[BoaterDave]

Hello again, Michael. I trust you enjoyed a great Christmas.

In general terms, my PC has responded well to using NIS 2006.
I have just 384Mb RAM (low by today's standards!) And an AMD 1300Mz
processor.
Not too fussed, as I'll upgrade to a new PC with Vista once it's released
here in the UK next year.

I've used Windows Live OneCare too and feel it will be very useful to many.

David
_______________________________________

 

[Michael D. Alligood]

You are running Windows XP, with NIS 2006 and only 384 megs of RAM???
And your PC is responding well?!? How much available RAM do you have
after startup?

--
Michael D. Alligood
MCSA, MCDST, MCP, A+,
Network+, i-Net+, CIW Assoc.,
CIW Certified Instructor

 

[BoaterDave]

My comment will be found at the bottom!

You are running Windows XP, with NIS 2006 and only 384 megs of RAM???
And your PC is responding well?!? How much available RAM do you have
after startup?

--
Michael D. Alligood
MCSA, MCDST, MCP, A+,
Network+, i-Net+, CIW Assoc.,
CIW Certified Instructor

Hello!

An updated bit of info!

Quote:

Not necessarily, no. This dummy virus doesn't actually cause any
damage to the system. However it does make changes to the registry
from the command line.

Now the one I wrote back in the days of Windows 95/98, did. It
rendered the hard drive un bootable. In other words, once the victim
restarted their computer it halted on a black screen with the words
"Missing operating system" as it deleted key boot files; io.sys,
msdos.sys and command.com.

The only recourse from that (should one be so lucky) is to boot from a
system diskette and "sys" the drive from the command line.

Issuing the command: sys C: would fix that by putting those files back
onto the hard drive.

I also had two files from the Windows directory being targeted as
well.. they were user.dat and user.da0. Which meant that any and all
programs that were installed would have to be reinstalled again since
the system's registry would be gone too.

A "dummy virus" is so named due to the fact there are no actual virus
code antivirus software could scan for. These were merely batch files
(files that use the .bat extension) that contained commands the
computer would recognize and execute.

If I really wanted to be devious I could use something like this in a
batch file....

@ECHO OFF
CD/
attrib -r -a -s -h ntldr
del ntldr
ECHO.
ECHO Please restart your system...
ECHO.

In the above example, regardless what directory that was ran from it
would go right to the root of the drive. At that point it would remove
the read only, archive, system and hidden attributes to ntldr then
delete the file without confirmation.

But that would render the system inoperable and display the "NTLDR
missing" message. My method makes things more interesting due to the
simple fact that I could use the command: net view \\ip.addy.goes.here
to look for the shared drive. Unless I knew the IP address was static.

Then once I found it issue the command net use * \\ip.addy.goes.here\C
to map the drive. It basically allows me to see the hard drive in My
Computer as though it were physically attached to my system by adding
another drive letter. Then I could do whatever I wanted.. copy
files\folders from their hard drive to mine or vice versa, move
files\folders around, delete files, rename files, etc.. and they would
never know.

**

I'm wondering if the author is correct in what he claims. Some guidance on this will be welcomed!

Dave

 

[Tim Meddick]

If your query referred to the ability of a batch file to disrupt an
NT-based system - then my answer would have to be ; "only if such a
batch-file was executed by a user with administrator privileges (on XP
only - vista / W7 gives an extra warning asking if it was you who really
initiated some risky code) would it be able to remove the essential
boot-loader system-file "ntldr" - otherwise, normal limited users would be
protected from such dodgy batch-code by the default usage-rights of files
and folders that reside within the root of the system-drive."

Plus, if the batch-file (or any one of a number of "vulnerable" executable
file-types) was downloaded from the internet, systems from 2K onward give
an extra warning of possible risk on any user attempting to execute it for
the first time.

But you'd have to a bit mental in the first place to deliberately execute a
strange batch-file that you had not first investigated it's contents for
yourself - let alone leaving it to AV scanning!!...

==

Cheers, Tim Meddick, Peckham, London.