Bat.Naive.4894
   
   
     _________________________________________________________________
   
   Bat.Naive.4894 is a non-dangerous, memory-resident parasitic virus.
   It hooks INT 21h and writes itself to the beginning of .BAT files. An
   infected file looks as follows (the strings between '[' and ']' are
   comments):

 @rem NAIVE
 @if exist naive.* goto naive
 @if "%range_check%=="yes goto naive
 @echo>naive.com [ binary data1 ]
 @naive.com
 @if not errorlevel 33 goto superwork
 @del>nul naive.com
 @goto naive
 :superwork
 @echo>naive.com [ binary data2 ]
 @echo>naive.dat [ ASCII text ]
 @echo>>naive.dat [ ASCII text ]
 @echo>>naive.dat [ ASCII text ]
  [ repeated ... ]
 @echo>>naive.dat
 @naive.com<naive.dat>naive.exe
 @del>nul naive.com
 @del>nul naive.dat
 @naive.exe>nul
 @del>nul naive.exe
 @set range_check=yes
 :naive
 [ original BAT-file ]

   The "binary data1" block contains the code of the "Are you here?"
   call, "binary data2" contains the ASCII-to-BIN decoder, and the
   "ASCII text" contains the virus code converted to ASCII text.
   
   When such a file is executed, the virus receives control. It checks
   the ENVIRONMENT area for the RANGE_CHECK=YES string and returns if it
   is set. Then the virus creates the NAIVE.COM file, writes the "Are
   you here?" instructions into it, executes that file and checks the
   resulting ERRORLEVEL value.
   
   The NAIVE.COM file contains only an INT 21h call with AH=F6h. If a
   memory-resident copy of the virus is already present in memory, it
   returns the value 12345678h in the CX:DX registers, and NAIVE.COM
   exits with ERRORLEVEL=33. If there is no TSR copy of the virus,
   NAIVE.COM exits with ERRORLEVEL=32.
   
   If the virus is already installed, the commands of the BAT file
   delete the NAIVE.COM file and pass control to the original text.
   Otherwise the virus creates two files, NAIVE.DAT and NAIVE.COM (the
   virus overwrites the previous NAIVE.COM file). The virus writes the
   ASCII-to-BIN decoder into the COM file and the ASCII data into the
   DAT file. Then the virus executes the command

 @naive.com<naive.dat>naive.exe

   which creates the NAIVE.EXE file, reads the ASCII data from the
   NAIVE.DAT file, decodes it to binary instructions, and writes them
   into the NAIVE.EXE file.
   
   After that conversion the virus deletes the NAIVE.COM and NAIVE.DAT
   files and executes the NAIVE.EXE file. That file installs the virus
   memory resident and returns to the BAT file. After installation the
   virus deletes the NAIVE.EXE file, sets the ENVIRONMENT string
   RANGE_CHECK=YES, and passes control to the original BAT-file
   commands.
   
   When executed, the NAIVE.EXE file performs the same "Are you here?"
   call as described above. If a TSR copy is already installed, the
   virus returns with an INT 20h call. If there is no TSR copy, the
   virus checks its internal "generation" counter and tries to display a
   message in Russian, but fails because the virus never increments that
   counter, and fails a second time because all output is redirected to
   the NUL device:

 @naive.exe>nul

   Then the virus hooks INT 21h using the Get/SetVector DOS functions
   and leaves its TSR copy in memory with the Terminate and Stay
   Resident INT 27h call.
   
   The INT 21h handler intercepts the "Are you here?" function AH=F6h
   (the virus returns CX:DX=12345678h) and the ChangeDir function
   AH=3Bh. On ChangeDir calls the virus searches for uninfected .BAT
   files, shifts their contents down by 4894 bytes, and writes the BAT
   instructions listed above at the beginning. Then the virus encodes
   itself into ASCII text and writes that text there as well.
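
   One way to check a .BAT file against the layout described above (an
   added example, not part of the original description): it flags files
   that open with the listed marker lines and recovers the original text
   by dropping the 4894-byte block. The function names, the CR/LF
   handling and the assumption that the block is exactly 4894 bytes and
   ends with the ":naive" label line are assumptions of this example;
   the sample input is constructed with inert filler.

```python
import re

PREFIX_LEN = 4894  # bytes by which the description says the original file is shifted
# First two lines of the infected-file listing; line endings may be CRLF or LF.
MARKER = re.compile(rb"@rem NAIVE\r?\n@if exist naive\.\* goto naive\r?\n", re.I)
# Assumption: the prepended block ends with the ':naive' label line.
LABEL = re.compile(rb"\r?\n:naive\r?\n\Z", re.I)


def classify(data: bytes) -> str:
    """Return 'clean', 'suspect' (marker only) or 'infected' (marker + layout)."""
    if not MARKER.match(data):
        return "clean"
    # Layout check: the label must close the block exactly at PREFIX_LEN.
    if len(data) >= PREFIX_LEN and LABEL.search(data[:PREFIX_LEN]):
        return "infected"
    # Marker present but truncated or shifted: leave for manual review.
    return "suspect"


def recover_original(data: bytes) -> bytes:
    """Drop the prepended block; refuse when the layout check does not hold."""
    if classify(data) != "infected":
        raise ValueError("layout does not match the described infection")
    return data[PREFIX_LEN:]


def build_sample(original: bytes) -> bytes:
    """Constructed input: marker lines and label from the listing, inert filler."""
    head = b"@rem NAIVE\r\n@if exist naive.* goto naive\r\n"
    tail = b"\r\n:naive\r\n"
    note = b"@rem filler "
    pad = b"x" * (PREFIX_LEN - len(head) - len(note) - len(tail))
    return head + note + pad + tail + original


if __name__ == "__main__":
    original = b"@echo off\r\necho hello\r\n"
    sample = build_sample(original)
    print(classify(sample), recover_original(sample) == original)
```

   A "suspect" result means the marker lines are present but the block
   length or closing label does not match, so the file is not rewritten
   automatically.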
   
   
     _________________________________________________________________
   
   © Copyright 1995 Eugene V. Kaspersky
