The document summarizes a student's final project to create a batch file virus hosted on a USB drive. The virus copies and deletes files from targeted directories and fills the space with junk files. The student reformatted the USB drive to have a CDFS partition containing the virus files, which allowed auto-execution on Windows computers. Testing was done using virtual machines. The student discusses challenges faced and ways the virus could be improved, such as disabling security software and persisting after reboots. The project helped the student better understand malicious software and batch file programming.
Running Head: Batch File Virus Project Final Paper
Final Project Paper
By: Stephen L. Whisman
Student ID # 1698547
Embry-Riddle Aeronautical University
Spring 2015
4/27/2015
Batch File Virus Project Final Paper
The final project that I chose was to create a virus that is hosted on a flash drive and is auto-run when the drive is plugged into a computer. The program can execute almost completely invisibly and will navigate to and steal files from one or more specific, known directories that are pre-programmed into it. After all of the files in a targeted directory are copied to a location on the USB drive, they are deleted from the directory they were taken from. Once all of the files are deleted, the program copies a large picture file onto the victim computer and then replicates that file until the directory is completely full.
Unfortunately, when I first started working on this program I realized that Windows had disabled the auto-run function for removable media, in order to stop malicious software such as this from being executed automatically, and I was unable to find a workaround for this problem for quite a few weeks. However, I had previously heard of a method of creating a small partition on a flash drive that the computer interprets as a CDFS partition. The idea came from the U3 smart drives of the mid-to-late 2000s, which would automatically launch applications from a CDFS partition on the flash drive upon insertion of the USB drive. This is important for my project because Windows 7 and later versions can still auto-run software from a CD if the targeted computer has the auto-run-from-CD feature enabled.
Further research revealed that SanDisk discontinued their line of U3 smart drives due to a deal made with Microsoft, most likely for security reasons, and the idea of CDFS-partitioned flash drives started to fade from commercial retail. However, programmers from around the world continued to develop open-source software capable of reformatting flash drives to have a CDFS partition alongside a normal NTFS partition. The issue with these reformatting programs is that they are chipset-dependent, meaning that a given program is only capable of formatting certain USB drives, depending on the chipset used inside them.
This presented another problem: not all flash drives can be formatted in such a way, and trying to do so without the proper software tools or USB drives would result in permanent damage to the removable media. I was, however, able to discover a database of disk partitioning utilities on a website called USBDev.ru, which hosts a vast variety of disk utilities, as shown in Figure 1. In order to reformat a USB drive properly I needed to search the entire database for the tool that worked specifically for one of my flash drives' chipsets. This required many failed attempts, and it turned out that I just so happened to have one flash drive that was formattable with a CDFS partition.
Figure 1: USBDev.ru
The flash drive that I was able to use for my project is a SanDisk Ultra USB 3.0 16GB. In order to find the chipset that was included with the USB drive I used three tools from USBDev.ru called CheckUDisk, ChipEasy, and FlashGenius. These utilities showed me that my USB drive has a Phison PS2251-03 chipset controller. The software that I required to format my USB drive properly is a formatting tool called Phison ModeConverter, which is capable of creating one NTFS partition and also creating a CDFS partition with a premade .ISO file "burned" into it. The .ISO file stores all of my script files that are to be loaded into the CDFS partition and is created by a free ISO creator program called Free ISO Creator. Figure 2 shows this program taking the directory that has all of my .bat, .vbs, and .inf files that make up the virus and compressing it into an .ISO file.
Figure 2: Free ISO Creator
Once the ISO file has been created, the flash drive is inserted into a free USB port and Phison ModeConverter is launched. ModeConverter automatically finds the proper drive letter associated with any Phison chipset controller so the user does not accidentally try to format a drive that is not compatible. Next the proper settings are chosen, the NTFS partition is named, and the ISO file that was created earlier is chosen to be "burned" into the CDFS partition. The naming of the NTFS partition is important because the .bat file uses this name to identify which drive to copy data to. Then the convert button is clicked and the directions are followed until the removable media has been fully formatted. Figure 3 shows ModeConverter with the correct settings and drive name before and after convert is clicked.
Figure 3: ModeConverter with Correct Settings and Drive Name, Before and After Conversion
Once the flash drive has been formatted it is immediately ready to use when it is plugged back into the computer. In order to perform tests on the program I needed to set up a few virtual machines, to prevent damage to my home computer, which required me to install Oracle VirtualBox. VirtualBox allows a virtual machine to be created that can be used to test software. With this program I created and copied virtual hard drives installed with Windows 7 Home Premium 64-Bit onto a removable hard drive. Once one of these virtual machines is running, the proper auto-run setting for software on CDs is selected. Now the USB drive can be inserted into the virtual machine to test how it executes. Figure 4 shows the virtual machine's auto-run settings with the correct values selected in the image on the left, while the image on the right shows what the user of the computer should see when the script is running correctly.
Figure 4: Auto-Run Settings with Correct Values (Left) and Correct Program Execution (Right)
You may have noticed that in the right-hand image of Figure 4 there is no command line running and it looks like nothing is happening, when in reality the program is running invisibly in the background. This is because the CDFS partition of the USB drive contains a file called launch.bat that starts wscript.exe with the invisible.vbs script file and virus.bat. The invisible.vbs file contains a short script that enables virus.bat to be run invisibly, with the exception of a blank command-line window popping up for less than a second when the program starts executing. Figure 5 shows the contents of invisible.vbs displayed in Notepad.
Figure 5: Contents of Invisible.vbs
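The launch chain just described (launch.bat invoking wscript.exe with invisible.vbs, which in turn runs virus.bat without a visible window) leaves a recognisable process tree on the host, and that is where a defender can catch it. The Python below is an added detection example, not code from the paper or its author: it scans Sysmon-style process-creation records and flags a script host executing a script from removable or optical media, and a cmd.exe child of a script host that was handed a batch file on such media. The log lines, the drive-letter-to-type map and the file names are constructed for the example; the field names follow Sysmon Event ID 1.

```python
"""Detection example for the hidden wscript/batch launch chain.

Added example, not the paper's own code. The log records and the
drive-type map below are constructed; the field names follow Sysmon
Event ID 1 (process creation).
"""
import re

# Constructed: drive letter -> drive type, as an endpoint agent would report it.
DRIVE_TYPES = {"C:": "fixed", "D:": "cdrom", "E:": "removable"}

# Constructed Sysmon-style process-creation records (one record per line).
SAMPLE_EVENTS = [
    # Benign: maintenance script run from a fixed drive.
    'EventID=1 Image=C:\\Windows\\System32\\wscript.exe '
    'ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="wscript.exe C:\\Scripts\\cleanup.vbs"',
    # Suspicious: script host started by a batch file, scripts live on optical media.
    'EventID=1 Image=C:\\Windows\\System32\\wscript.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="wscript.exe D:\\invisible.vbs D:\\virus.bat"',
    # Suspicious: cmd.exe spawned by the script host with a batch file on optical media.
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe '
    'ParentImage=C:\\Windows\\System32\\wscript.exe '
    'CommandLine="cmd.exe /c D:\\virus.bat"',
    # Unrelated event type, must be ignored.
    'EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationIp=10.0.0.5',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".js", ".wsf", ".bat", ".cmd")
UNTRUSTED_MEDIA = {"cdrom", "removable"}


def parse_event(line):
    """Split a key=value record into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def scripts_on_untrusted_media(cmdline, drive_types):
    """Script/batch arguments whose drive letter maps to removable or optical media."""
    tokens = cmdline.replace('"', ' ').split()
    return [t for t in tokens[1:]
            if t.lower().endswith(SCRIPT_EXTS)
            and drive_types.get(t[:2].upper()) in UNTRUSTED_MEDIA]


def detect(lines, drive_types=DRIVE_TYPES):
    """Return one alert per process-creation record that matches the chain."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        risky = scripts_on_untrusted_media(ev.get("CommandLine", ""), drive_types)
        if not risky:
            continue
        if image in SCRIPT_HOSTS:
            reason = "script host executing script from removable/optical media"
        elif image == "cmd.exe" and parent in SCRIPT_HOSTS:
            reason = "cmd.exe spawned by script host with batch file on removable/optical media"
        else:
            continue
        alerts.append({"image": image, "parent": parent,
                       "scripts": risky, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed records this raises two alerts (the wscript.exe launch and its cmd.exe child) and ignores the fixed-drive maintenance script and the network event. The drive-type lookup is the important design choice: Sysmon does not record where a volume came from, so the detection has to join process telemetry with the endpoint's volume inventory, which is also what makes it robust to renaming the scripts.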
Before going any further I would like to explain why I chose to use a batch file as my virus and what a batch file is. The choice to use a batch file was due to the fact that batch files can perform a variety of tasks and are more difficult to detect than programs written in many other programming languages. They are commonly used to automatically update things when a certain event occurs and to format data storage media. They can also be used to steal information, irritate victims by wasting CPU resources, delete Windows files, and disable both the antivirus and the firewall ("Microsoft Corporation", 2015).
Batch files, also called batch programs or scripts, were designed to simplify routine or repetitive tasks back in MS-DOS. They still exist today as a relatively unused and unknown feature of Windows operating systems. They are written in an unformatted text file that includes one or more commands for the command line and is saved with a .bat or .cmd extension. Any commands that work in the Windows command line are allowed, along with constructs like for loops, goto statements, and if statements that tell the program what to do when executing ("Batch File", 2015). When one of these script files is executed, the commands within are executed line by line until the end of the file is reached, which terminates the script. The only exceptions to the sequential execution of the commands are when the program is in a for loop or hits a goto statement.
My virus's launch.bat file, which initiates the execution of virus.bat, is called by the autorun.inf file, which the computer launches automatically once the removable media is plugged in. The batch file called virus.bat is the main script file; it contains the code that checks whether the pre-programmed drives exist and the code that copies, erases, and fills the working directory with spam. Figure 6 below shows all of the files that are formatted into the CDFS partition on the left and the contents of virus.bat on the right.
Figure 6: All Files That Are Part of the CDFS Partition (Left) and Contents of virus.bat (Right)
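From a defender's side, the chain described above (an autorun.inf whose launch directive names a batch file) is exactly what to look for when triaging optical or CDFS media, and the AutoRun policy that permits it is the setting to verify. The Python below is an added example, not code from the paper or its author: it parses an autorun.inf, flags the directives that would run something on insertion and whether they point at a script host or batch file, and decodes the NoDriveTypeAutoRun policy value to show which drive types AutoRun is still permitted on. The sample autorun.inf is constructed; the registry path, value name and bit values are the real Windows ones (the bit labels are this example's own names), and reading the live value only works on Windows.

```python
"""Audit helpers for AutoRun exposure on removable and optical media.

Added example, not the paper's own code. The sample autorun.inf below is
constructed; the registry key and the NoDriveTypeAutoRun bit values are the
real Windows ones (the bit labels are this example's own).
"""
import configparser

# Bits of NoDriveTypeAutoRun; a SET bit disables AutoRun for that drive type.
DRIVE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "unknown_type",
}
WINDOWS7_DEFAULT = 0x91   # leaves removable, fixed, cdrom and ramdisk enabled
HARDENED = 0xFF           # disables AutoRun on every drive type

# autorun.inf directives that launch something on insertion.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe")
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".wsf", ".ps1")

# Constructed sample mirroring the launcher layout described in the paper.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
open=launch.bat
icon=launch.ico
label=Project Files
"""


def autorun_allowed_types(policy_value):
    """Drive types on which AutoRun is still permitted for a policy value."""
    return sorted(name for bit, name in DRIVE_BITS.items() if not policy_value & bit)


def parse_autorun_inf(text):
    """Return the [autorun] directives as a lowercase-key dict ({} if absent/unparseable)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {k.lower(): (v or "") for k, v in cp.items(section)}


def triage_autorun(text):
    """Flag launch directives and whether each points at a script host or script file."""
    findings = []
    for key, value in parse_autorun_inf(text).items():
        if key not in LAUNCH_KEYS:
            continue
        tokens = value.replace('"', ' ').lower().split()
        script_like = any(
            t.endswith(SCRIPT_EXTS) or t.rsplit("\\", 1)[-1] in SCRIPT_HOSTS
            for t in tokens
        )
        findings.append({"directive": key, "command": value.strip(),
                         "script_like": script_like})
    return findings


def read_policy_value(machine=True):
    """Read NoDriveTypeAutoRun from the live registry (Windows only).

    Returns None off Windows or when no policy value is set."""
    try:
        import winreg
    except ImportError:
        return None
    hive = winreg.HKEY_LOCAL_MACHINE if machine else winreg.HKEY_CURRENT_USER
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    try:
        with winreg.OpenKey(hive, path) as key:
            return winreg.QueryValueEx(key, "NoDriveTypeAutoRun")[0]
    except OSError:
        return None


if __name__ == "__main__":
    for finding in triage_autorun(SAMPLE_AUTORUN_INF):
        print("autorun directive:", finding)
    value = read_policy_value()
    shown = WINDOWS7_DEFAULT if value is None else value
    print("policy 0x%02X permits AutoRun on:" % shown, autorun_allowed_types(shown))
```

On the constructed sample the `open=launch.bat` directive is reported as script-like, and the Windows 7 default of 0x91 still permits AutoRun on CD-ROM drives, which is the gap the CDFS trick in the paper relies on; a value of 0xFF in both HKLM and HKCU closes it. The policy bit for removable drives is not enough on its own either way: since the Windows 7 AutoRun update, autorun.inf is only honoured on optical media regardless of that bit, so a volume that presents itself as a CD is the case to audit.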
The program that I have written above is extremely modifiable and can easily be changed to implement other potentially harmful actions. For example, code could be added that searches for every available storage drive letter in order to copy all the data connected to a computer. Other code could save a separate .bat file, which copies junk files into a hidden directory, into the Windows file system and cause it to auto-run on computer startup. This would be a useful function because it effectively uses up all of the system memory, and the victim would have a hard time finding out why.
I wanted to implement a way to disable the antivirus, firewall, and networking capabilities but was unable to find a way. I was able to create a batch file that did all of these things, but it was not capable of being run invisibly. Since I want it to run invisibly this was unacceptable, so I decided not to implement it in my final submission. I also wanted to implement a way to auto-run on system startup, but I honestly ran out of time and was unable to add it to the final submission. Figure 7 shows the code needed to disable the system security, firewall, and network adapter.
Figure 7: Network Capability and Security Disable
Overall, batch files can be both an incredibly useful and a dangerous tool. That being said, they are also very difficult to write and fully understand if the programmer does not understand the proper syntax that goes along with the MS-DOS command-line interface. One space in the wrong location will cause the batch file to operate improperly, resulting in a faulty execution.
The final submission does function correctly and has been used to copy more than 2GB of data at a time from multiple disk drives that were connected to a computer, even ones that are shared over a network. It also deletes the user's profile directory and fills it with junk files, which can result in loss of valuable information because that space now holds new data instead of merely being unindexed from memory. Figure 8 shows the user directory after the virus has finished executing. Notice that the computer is giving an error message that it is low on disk space because of the junk file replication.
Figure 8: User Directory After
In conclusion, I am disappointed that I was unable to implement more advanced features into this project because of time constraints. This project is probably something that I will continue to slowly modify in my free time. I was continually challenged and confused by the batch script syntax and also had a difficult time navigating USBDev.ru, even after the page had been translated from Russian to English. There are so many different tools and versions of tools that even the ones listed for your chipset controller may not work. Just discovering which chipset controller my drives had was a lengthy task because a lot of the tools are also extremely buggy. I found this project quite challenging and feel that I now have a much greater understanding of how malicious programs are able to cause so much frustration for a victim and damage to a computer.
Bibliography
Batch File Help. (2015). Retrieved April 27, 2015, from http://www.computerhope.com/batch.htm
Microsoft Corporation. (2015). Retrieved April 27, 2015, from http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/batch.mspx?mfr=true