Malware type: Batch File
Aliases: IRC-Worm.BAT.Spth.a (Kaspersky), Univ.script/99a (McAfee), BAT.YpocPX (Symantec), Worm/Spth.A (Avira), Worm:BAT/Spth.A (Microsoft)
In the wild: No
Overall risk rating:
Description: This batch virus works on the CMD console of Windows 2000 or XP. The CMD console is similar to the COMMAND prompt of Windows 9x/ME. This file contains encrypted code and a polymorphic engine capable of modifying appended sections of the virus.
To infect, it overwrites batch files in the Windows directory with its viral code.
This virus is capable of propagating via mIRC.
For additional information about this threat, see:
Description created: Nov. 27, 2002 6:44:36 AM GMT -0800
Size of malware: 4,178 Bytes
Initial samples received on: Nov 27, 2002
It overwrites batch files in the Windows directory
Trigger condition 1:
Details: This is a batch file virus that is capable of propagating via mIRC, an Internet Relay Chat application. It works only on Windows 2000 and XP platforms.
Upon execution, this malware clears the screen then stores an initial copy of the virus code to a file SPTH.BAT in the current directory. Using arithmetic conditions and operators, the malware appends the rest of its code in the file SPTH.BAT in such a way that the code sections are mixed up. In this manner, the virus would physically appear different from its original code.
It then copies SPTH.BAT to C:\mIRC\SATURN.BAT. Afterwards, it creates another file, C:\mIRC\SCRIPT.INI, containing script code that spreads the SATURN.BAT file to all computers connected to the same mIRC chatroom as the infected system. Trend Micro detects this script.ini file as IRC_SPTH.A.
Finally, it infects all batch files in the Windows directory by overwriting each with its malware code contained in the SPTH.BAT file.
This virus contains the following text strings:
----------- BatXP.Saturn ********** by Second Part To Hell -----------<
I think, you are looking at the code and think: "What the hell is this?"
The answer is: A Windows XP Batch polymorph virus :D
WinXP is using a program named CMD.EXE instate of COMMAND.COM for DOS
You're able to make the really nice things with CMD which you wasn't
able to do it with COMMAND.COM.
Information about the virus:
Virusauthor....................: Second Part To Hell
Size...........................: The poly-engine has 1.301 Bytes
The whole virus has 4.158 Bytes
Encrypted......................: Yes, but only the virus part.
I'll crypt also the poly engine in
written from 20.11.2002 to 22.11.2002
Minimum scan engine version needed: 6.810
Pattern file needed: 2.366.10
Pattern release date: Jan 23, 2005
Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as BAT_SPTH.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
Please restore from backup the batch files originally stored in your Windows directory.
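To decide which batch files need restoring, the following added example (not Trend Micro code) sweeps a directory tree for the file names and text strings listed in this write-up. It is a triage aid only: the description notes the virus body is encrypted and polymorphic, so a clean result does not replace a scan with a current pattern file. The check that SCRIPT.INI mentions SATURN.BAT is an assumption, and the sample tree is constructed and harmless.

```python
import os
import tempfile
from pathlib import Path

# File names and text strings below are the ones named in the write-up.
DROPPED_NAMES = {"spth.bat", "saturn.bat"}
MARKERS = (b"batxp.saturn", b"second part to hell")

def scan_tree(root):
    """Return sorted (reason, relative_path) findings for files under root."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            lower = name.lower()
            if lower in DROPPED_NAMES:
                findings.append(("dropped-file-name", rel))
            if not (lower.endswith(".bat") or lower == "script.ini"):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read(65536).lower()  # sample is about 4 KB
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            if any(marker in data for marker in MARKERS):
                findings.append(("marker-string", rel))
            # Assumption: the dropped mIRC script names the file it sends.
            elif lower == "script.ini" and b"saturn.bat" in data:
                findings.append(("script-ini-references-saturn", rel))
    return sorted(findings)

def constructed_demo():
    """Build a constructed, harmless directory tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "WINDOWS").mkdir()
        (root / "mIRC").mkdir()
        (root / "WINDOWS" / "clean.bat").write_text("@echo off\r\necho hello\r\n")
        (root / "WINDOWS" / "backup.bat").write_text(
            "rem placeholder text: by Second Part To Hell\r\n")
        (root / "mIRC" / "SATURN.BAT").write_text("rem placeholder, no code\r\n")
        (root / "mIRC" / "SCRIPT.INI").write_text(
            "; placeholder line mentioning SATURN.BAT\r\n")
        return scan_tree(root)

if __name__ == "__main__":
    for reason, rel in constructed_demo():
        print(f"{reason:30} {rel}")
```

On a real system, pass the Windows directory and the mIRC directory to `scan_tree` and treat every `marker-string` hit on a .bat file as a file to restore from backup.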