BatzBack | |
---|---|
Type | Multi-vector worm |
Creator | Gigabyte |
Date Discovered | 09-APR-2001 |
Place of Origin | Mechelen, Belgium |
Source Language | Logo |
Platform | SuperLogo on MS Windows* |
File Type(s) | .lgp, .vbs |
Infection Length | 4,175 bytes |
Logic is the first and only worm, a proof of concept, written in the Logo language. It takes advantage of SuperLogo's "PRINTTO" command to write self-replicating code in VBS, which gets around Logo's inability to support mailing or executables. It was coded by Gigabyte using SuperLogo, in Belgium, in 2001. It is completely non-destructive and does not infect or overwrite files.
Behavior
Logic can arrive on a system either via email or IRC. When arriving through an email, the subject is "Hey friends!" and the message is "Hello! Look at my new SuperLogo program! Isn't it cool?". Its attachment is named Logic.lgp.
When executed, it saves a copy of itself as \Mirc\Download\Logic.lgp, a file which is deleted after execution. It creates the file Startup.vbs in the Start Menu's startup folder. It will also change shortcuts to some common Windows applications, like Notepad, to point to the VBS. Startup.vbs is responsible for sending copies of the worm to the first 80 contacts in the user's Outlook address book. It only activates when the computer is restarted.
Logic creates the file Script.ini, which helps it use mIRC to spread. The worm then searches for itself in the \Mirc\Download folder. If it does not find itself, then the worm will not spread by IRC. It only searches the drives C, D, and E. It also modifies the file Winstart.bat in the Windows folder, assuming it finds it, so that it displays the message: "You think Logo worms don't exist? Think again!".
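The artifacts described above can be checked for on an extracted drive or mounted disk image. The following is an added example, not code from the worm or from any vendor; the folder layout in the constructed sample tree, the placement of Script.ini under the mIRC folder, and the byte-search heuristic for shortcuts are assumptions.

```python
import os
import tempfile

MESSAGE = b"you think logo worms don't exist? think again!"  # text shown via Winstart.bat
VBS_REFS = (b"startup.vbs", "startup.vbs".encode("utf-16-le"))  # ANSI and Unicode forms

def read_lower(path):
    with open(path, "rb") as fh:
        return fh.read().lower()

def scan_tree(root):
    """Walk an extracted drive or mounted image; return sorted (indicator, relative path) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).lower().split(os.sep)
        for name in files:
            low, full = name.lower(), os.path.join(dirpath, name)
            if low == "logic.lgp" and parts[-2:] == ["mirc", "download"]:
                hits.append(("worm copy in mIRC download folder", full))
            elif low == "startup.vbs" and parts[-1] == "startup":
                hits.append(("Startup.vbs in a startup folder", full))
            elif low == "script.ini" and "mirc" in parts:
                hits.append(("script.ini under mIRC, review its contents", full))
            elif low == "winstart.bat" and MESSAGE in read_lower(full):
                hits.append(("Winstart.bat shows the worm's message", full))
            elif low.endswith(".lnk") and any(r in read_lower(full) for r in VBS_REFS):
                hits.append(("shortcut references Startup.vbs", full))
    return sorted((what, os.path.relpath(path, root)) for what, path in hits)

def build_sample(root):
    """Constructed sample tree (layout is an assumption): each artifact plus one clean file."""
    files = {
        "WINDOWS/Winstart.bat": b"@echo You think Logo worms don't exist? Think again!\r\n",
        "WINDOWS/Start Menu/Programs/StartUp/Startup.vbs": b"' placeholder\r\n",
        "WINDOWS/Start Menu/Programs/Notepad.lnk": b"L\x00" + "C:\\Startup.vbs".encode("utf-16-le"),
        "Mirc/Script.ini": b"[script]\r\n",
        "Mirc/Download/Logic.lgp": b"placeholder",
        "WINDOWS/Notepad.exe": b"MZ",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for indicator, path in scan_tree(tmp):
            print(f"{indicator}: {path}")
```

Because the Logic.lgp copy is deleted after execution, its absence does not clear a system. The Startup.vbs, shortcut and Winstart.bat checks are the ones that persist.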
Origin and Effects
Logic was written by Gigabyte in Mechelen, Belgium in 2001. It was emailed to antivirus companies as a proof of concept and never released in the wild. Because Logo is an educational language in which code is used to control a turtle or other cursor to draw objects on screen, it can't send mail or generate executables. It can, however, write to files with a "PRINTTO [file]" command. SuperLogo itself was an English-language variation on the Slovak Comenius Logo implementation.
Sources
Douglas Knowles. Symantec Security Response, Logo.Logic. 16-NOV-2003
Peter Szor. The Art of Computer Virus Defense and Research, "3.7.8 SuperLogo Viruses". Symantec Press, Addison Wesley, Pearson Press: Upper Saddle River, New Jersey, USA. 2005 ISBN 0-321-30454-3