Skip to content

BAT_SPTH.A

Overview

Malware type: Batch File

Aliases: IRC-Worm.BAT.Spth.a (Kaspersky), Univ.script/99a (McAfee), BAT.YpocPX (Symantec), Worm/Spth.A (Avira), Worm:BAT/Spth.A (Microsoft)

In the wild: No

Destructive: No

Language: English

Platform: Windows

Encrypted: Yes

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

Medium

Description: 
This batch virus works on the CMD console of Windows 2000 or XP. The CMD console is similar to the COMMAND prompt of Windows 9x/ME. This file contains encrypted code and a polymorphic engine capable of modifying appended sections of the virus.

To infect, it overwrites its viral codes to batch files in the Windows directory.

This virus is capable of propagating via mIRC.

For additional information about this threat, see:

Description created: Nov. 27, 2002 6:44:36 AM GMT -0800


Technical Details

Size of malware: 4,178 Bytes

Initial samples received on: Nov 27, 2002

Payload 1: It overwrites batch files in the Windows directory

Trigger condition 1: Upon execution

Details:
This is a batch file virus that is capable of propagating via mIRC, which is an Internet Relay Chat application. It only works in Windows 2000 and XP platforms.

Upon execution, this malware clears the screen then stores an initial copy of the virus code to a file SPTH.BAT in the current directory. Using arithmetic conditions and operators, the malware appends the rest of its code in the file SPTH.BAT in such a way that the code sections are mixed up. In this manner, the virus would physically appear different from its original code.

Then it copies a SPTH.BAT file to a C:\mIRC\SATURN.BAT file. Afterwards, it creates another file C:\mIRC\SCRIPT.INI containing script code that spreads the SATURN.BAT file to all computers connected to the same mIRC chatroom as the infected system. Trend Micro detects this script.ini file as IRC_SPTH.A.

Finally, it infects all batch files in the Windows directory by overwriting each with its malware code contained in the SPTH.BAT file.

Other Details

This virus contains the following text strings:

----------- BatXP.Saturn ********** by Second Part To Hell -----------< I think, you are looking at the code and think: "What the hell is this?" The answer is: A Windows XP Batch polymorph virus :D WinXP is using a program named CMD.EXE instate of COMMAND.COM for DOS You're able to make the really nice things with CMD which you wasn't able to do it with COMMAND.COM. Information about the virus: Virusname......................: BatXP.Saturn Virusauthor....................: Second Part To Hell Size...........................: The poly-engine has 1.301 Bytes The whole virus has 4.158 Bytes Encrypted......................: Yes, but only the virus part. I'll crypt also the poly engine in next versions. Polymorphic....................: Yes written from 20.11.2002 to 22.11.2002 in Austria ----------------------------------------------------------------------

Revision History:

First pattern file version: 1.396.06
First pattern file release date: Nov 27, 2002

Solution

Minimum scan engine version needed: 6.810

Pattern file needed: 2.366.10

Pattern release date: Jan 23, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as BAT_SPTH.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Please restore from backup the batch files originally stored in your Windows directory.




Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.


Connect with us on