Bat/LoseSlp-A – a batch worm curiosity

Although script malware, especially in the context of HTML, has made a comeback to our detection lists, many days have passed since I last analysed a self-propagating batch file.

The submission of Bat/LoseSlp-A came as a small surprise to eyes far more used to x86 assembly and JavaScript. These days .BAT files are mostly used by banking Trojans to remove the traces of an infection once the payload has been delivered, and such scripts are usually far simpler than Bat/LoseSlp-A (although Bat/LoseSlp-A itself is not a very complex piece of code).

There are, however, a few interesting things about Bat/LoseSlp-A. It appears to be part of a larger malicious package, but it works on its own without the additional components. It behaves like a typical Win32 PE worm: it copies itself to the Windows folder and adds a registry Run entry so that it is started whenever the user logs into Windows.

Furthermore, it also acts as a fully functional disk-hopping worm: it copies itself to the root folder of every drive from C: to Z: and writes an autorun.inf file so that the worm is run when an infected drive is mounted (this technique, of course, only works on Windows). We have already blogged a few times about the increasing number of malware samples targeting USB drives, and Bat/LoseSlp-A only confirms the trend. USB drives are the modern equivalent of floppy disks. I fear that awareness of the dangers of sharing USB drives is rather low and that the risk of infection through this significant vector is largely underestimated.
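The autorun.inf file is what turns a batch script into a disk-hopping worm, so the check a responder wants is a way to find and classify such files across drive roots. What follows is an added example, not the worm's code and not a Sophos tool: an offline triage script that parses autorun.inf (the open=, shellexecute= and shell\verb\command= keys of the [autorun] section are the ones AutoRun executes) and flags any file that launches a batch file, another script, or a command interpreter. The two sample files and the file name worm.bat are constructed for illustration. One caveat: Windows 7 and later, and XP/Vista with Microsoft's 2011 AutoRun update, no longer honour autorun.inf on USB drives, so the vector mainly threatens older or unpatched systems; the file remains a useful infection marker regardless.

```python
"""Offline triage of autorun.inf files of the kind Bat/LoseSlp-A drops in drive roots.

Added example; it is not the worm's code nor a Sophos tool. The sample
autorun.inf contents and the name worm.bat are constructed for illustration.
"""
import re
import string
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, NamedTuple, Union

# [autorun] keys that make Windows AutoRun/AutoPlay launch a program.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf")
INTERPRETERS = {"cmd", "cmd.exe", "start", "wscript", "wscript.exe",
                "cscript", "cscript.exe", "powershell", "powershell.exe"}

# Constructed samples. SAMPLE_WORM mimics a disk-hopping batch worm that
# launches worm.bat (hypothetical name) from the drive root; SAMPLE_BENIGN
# only sets a volume label and icon and launches nothing.
SAMPLE_WORM = ("[AutoRun]\r\nOpen=worm.bat\r\nshell\\open\\Command=worm.bat\r\n"
               "shell\\open=Explore\r\nIcon=%SystemRoot%\\system32\\shell32.dll,4\r\n")
SAMPLE_BENIGN = "[autorun]\r\n; vendor drive\r\nlabel=Backup Drive\r\nicon=drive.ico\r\n"


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return key=value pairs of the [autorun] section with keys lower-cased.

    Other sections, blank lines and ';' comments are ignored. The parser is
    deliberately lenient (no quoting rules), since malware rarely ships tidy INI files.
    """
    section = None
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Distinct command lines an AutoRun-capable Windows would execute, in file order."""
    targets: List[str] = []
    for key, value in entries.items():
        if (key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key)) and value not in targets:
            targets.append(value)
    return targets


def launched_program(command: str) -> str:
    """First token of a command line (quotes stripped), lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]).lower()
    return command.split()[0].lower() if command else ""


def is_suspicious(entries: Dict[str, str]) -> bool:
    """True if the file launches a script or a command interpreter.

    A plain setup.exe on a vendor CD is not flagged here, but any launch target
    on a removable drive still deserves a look (see launch_targets).
    """
    for cmd in launch_targets(entries):
        prog = launched_program(cmd)
        if prog.endswith(SCRIPT_EXTENSIONS) or prog in INTERPRETERS:
            return True
    return False


class Finding(NamedTuple):
    path: str
    targets: List[str]
    suspicious: bool


def scan_drive_roots(roots: Iterable[Union[str, Path]]) -> List[Finding]:
    """Look for autorun.inf in each root (C:\\ .. Z:\\ on Windows, or any folder)."""
    findings: List[Finding] = []
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if not inf.is_file():
            continue
        entries = parse_autorun_inf(inf.read_text(errors="replace"))
        findings.append(Finding(str(inf), launch_targets(entries), is_suspicious(entries)))
    return findings


def windows_drive_roots() -> List[Path]:
    """Drive roots C:\\ to Z:\\ that exist on this machine (empty off Windows)."""
    return [p for p in (Path(f"{c}:\\") for c in string.ascii_uppercase[2:]) if p.exists()]


def demo() -> List[Finding]:
    """Write the constructed worm sample into a temp folder and scan it as a drive root."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "autorun.inf").write_text(SAMPLE_WORM)
    return scan_drive_roots([tmp, tmp / "no-such-drive"])


if __name__ == "__main__":
    for f in demo() + scan_drive_roots(windows_drive_roots()):
        print(("SUSPICIOUS " if f.suspicious else "launches   ") + f.path, f.targets)
```

On a live Windows machine, `scan_drive_roots(windows_drive_roots())` walks every mounted drive letter from C: to Z:, which matches exactly the range the worm itself targets; from a forensic image, pass the mounted root folders instead.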