Although script malware, especially in the context of HTML, has made a comeback on our detection lists, many days have passed since the last time I analysed a self-propagating batch file.
There are, however, a few interesting things about Bat/LoseSlp-A: it seems to be part of a larger malicious package, but it functions well on its own without the additional components. It behaves like a typical Win32 PE worm – it copies itself to the Windows folder and sets a registry run entry to ensure it is started when the user logs into Windows.
Furthermore, it also acts as a fully functional disk-hopping worm – it copies itself to the root folder of drives C: to Z: and sets up an autorun.inf file so that the worm is run when an infected drive is mounted (of course, this technique works only on Windows). We have already blogged a few times about the increasing number of malware samples affecting USB-based drives, and Bat/LoseSlp-A only confirms the trend. USB drives are a modern equivalent of floppy disks. I fear that awareness of the dangers of sharing USB drives is rather low and that the danger of infection through this significant infection vector is largely underestimated.
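The autorun.inf behaviour described above can be checked for on a Windows host by inspecting the root of each drive from C: to Z:. The following Python code is an added example, not code from the original post or from the malware; the sample autorun.inf content and its file names are constructed placeholders, and the list of flagged extensions is an assumption.

```python
import os
import re
import string
from pathlib import PureWindowsPath

# Keys in the [autorun] section that name a program to launch.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Assumed set of script/executable extensions worth flagging on a drive root.
RISKY_EXT = {".bat", ".cmd", ".vbs", ".js", ".exe", ".com", ".scr", ".pif"}

# Constructed sample for illustration; file names are placeholders.
SAMPLE = """\
[AutoRun]
open=example.bat
shell\\open\\command="example.bat" /q
icon=folder.ico
[Other]
open=ignored.exe
"""


def risky_targets(text):
    """Return (key, program) pairs from [autorun] that launch a risky file type."""
    hits, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        key, sep, value = line.partition("=")
        if not (in_autorun and sep and LAUNCH_KEYS.match(key.strip())):
            continue
        value = value.strip()
        # Program is the quoted string, or else the first space-separated token.
        if value.startswith('"'):
            program = value[1:].split('"', 1)[0]
        else:
            program = value.split(" ", 1)[0]
        if PureWindowsPath(program).suffix.lower() in RISKY_EXT:
            hits.append((key.strip().lower(), program))
    return hits


def scan_drive_roots(letters=string.ascii_uppercase[2:]):
    """Check the root of drives C: to Z: for autorun.inf files with risky targets."""
    findings = {}
    for letter in letters:
        inf = f"{letter}:\\autorun.inf"
        if os.path.isfile(inf):
            with open(inf, errors="replace") as fh:
                hits = risky_targets(fh.read())
            if hits:
                findings[inf] = hits
    return findings
```

`scan_drive_roots()` returns a dictionary mapping each suspicious autorun.inf path to the launch entries found in it; it does not cover the registry run entry the worm also sets.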