
Yesterday, I discovered the following batch file running in my SysWOW64 folder:

@Echo Off
cd /d C:\Windows\SysWOW64\
:Start
del svchost.exe
If Exist svchost.exe Goto Start
del %0

I discovered it when I opened task manager, because I was losing battery like crazy. I have no idea how it started running, because there were no scheduled tasks for it, no services, startup etc., and it was running without a visible window (just cmd.exe)

Unfortunately, I killed it in a hurry, since it was maxing out resources, so I didn't catch the arguments, which would have helped make more sense from this. Has anyone experienced this before? I tried running the file through virustotal, which claims it is totally safe. Or is this a prank or something?

P.S. running Windows 10, fully updated. Malwarebytes doesn't detect anything.

Edit: Some more research brought me to a DDoS malware Xuhuan, but I haven't got the registry keys and other files mentioned by McAfee, as well as no firewall prompts from explorer.exe.

Edit 2: Virustotal is filled with positive reports now, so I guess this is no longer an issue!

3 Answers

2

For what (little) it's worth, Malwarebytes now detects this as Trojan.Agent.Trace (their generic "this is nasty but we don't know what virus it's from" name). I found it on my system, which is a hardwired desktop. I live alone. I have no idea how it got there, so this is all pretty chilling.

Reminds me of the old classic 90s viruses. They weren't out to steal your credit card info or use your computer to mine; they just wanted to mess with your Windows install.

1
  • This'd be pretty odd if somebody made this fairly recently. Nowadays malware like you've said wants to do anything but destroy the computer. This just gets straight to the point, yet on its own it has no way to spread without some assistance. Who knows... maybe some script kiddie wanted to cause some damage and this happened to be included in various downloads?
    – user487867
    Commented Jan 2, 2018 at 15:17
4

Let's go through this one line at a time.

@Echo Off

The commands of the batch script won't be printed to the console when they are run.

cd /d C:\Windows\SysWOW64\

The script navigates to the SysWOW64 folder on your C:\ drive. The /d switch makes the script change the current drive to C:\ should it be different.

:Start

This is a label which is referred to later.

del svchost.exe

If svchost.exe exists in the current directory, delete it. This does not send it to the Recycle Bin; it is gone forever unless you get lucky with file recovery software. Note that this deletes the svchost.exe executable that is used for 32-bit services running on a 64-bit system. svchost.exe also resides in your System32 folder, which on a 64-bit system is used for 64-bit services (while on a 32-bit system it is used for 32-bit services).

If Exist svchost.exe Goto Start

If svchost.exe still exists for whatever reason, the script will loop back round to the :Start label defined earlier, and then it'll try to run del svchost.exe again until it has been deleted.

del %0

Once svchost.exe has been deleted, the If statement will not loop back round to the label, and instead run this. Normally, this will make the script delete its own file, however according to this comment on an SO answer this'll not work as the current path would have changed?

I wouldn't run it if you value your operating system.

As for it draining your battery, I can see it running endlessly if it can't delete svchost.exe (lacking elevation, file in use?). In this case, the script would be trying to delete the file hundreds if not thousands of times a second; I can see that ~~thrashing your hard drive~~ exhausting your CPU (thanks Sampo for the correction!), thus draining your battery.

2
  • 1
    I understand what the file is doing, but the question is why? +1 for explaining the last line though!
    – pulsejet
    Commented Dec 5, 2017 at 11:23
  • 1
    Should not trash the HDD, as the ACLs should be in RAM after the first read, but it will eat a lot of CPU time.
    Commented Jan 5, 2018 at 2:43
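As an added illustration (not code from the question or any of the answers), the walkthrough above can be turned into a small static check for batch files: it flags a cd into a Windows system directory, deletion of a file there, an If Exist / Goto retry loop back to a label, and del %0 self-removal. The sample script is the one quoted in the question; PROTECTED_DIRS and the severity labels are my own assumptions.

```python
import re

# Constructed sample: the batch file quoted in the question.
SAMPLE_BAT = """@Echo Off
cd /d C:\\Windows\\SysWOW64\\
:Start
del svchost.exe
If Exist svchost.exe Goto Start
del %0
"""

# Assumption: directories whose contents a user-level batch file should never delete.
PROTECTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def analyze_batch(text):
    """Return a list of (severity, reason) findings for a batch script's text."""
    findings = []
    cwd = None                       # directory the script has cd'ed into, if any
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    labels = {ln[1:].lower() for ln in lines if ln.startswith(":")}
    for ln in lines:
        low = ln.lower()
        m = re.match(r"cd\s+(?:/d\s+)?(\S+)", low)
        if m:                        # track the working directory for later del targets
            cwd = m.group(1).rstrip("\\")
            if cwd in PROTECTED_DIRS:
                findings.append(("medium", f"changes directory into protected path {cwd}"))
            continue
        m = re.match(r"(?:del|erase)\s+(?:/\S+\s+)*(\S+)", low)
        if m:
            target = m.group(1)
            if target == "%0":       # script removes its own file after running
                findings.append(("medium", "deletes its own file (%0): self-removal"))
            elif cwd in PROTECTED_DIRS or any(target.startswith(d) for d in PROTECTED_DIRS):
                findings.append(("high", f"deletes {target} inside a protected directory"))
            continue
        m = re.match(r"if\s+exist\s+(\S+)\s+goto\s+(\S+)", low)
        if m and m.group(2) in labels:   # retry loop that busy-spins if the delete keeps failing
            findings.append(("high", f"retries until {m.group(1)} is gone (busy loop if delete fails)"))
    return findings


def is_destructive(text):
    """True when any high-severity finding is present."""
    return any(sev == "high" for sev, _ in analyze_batch(text))
```

Running analyze_batch(SAMPLE_BAT) yields four findings, two of them high severity, while a script that only deletes a log file under %temp% yields none.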
-1

This file is not a virus. It deletes the "svchost.exe" file only, and keeps trying to perform the task (delete) if this file still exists.

4
  • 6
    svchost.exe is Windows Service Host, one of the crucial components of Windows. Successfully deleting it would prevent Windows from booting. This script is definitely malicious.
    – gronostaj
    Commented Dec 5, 2017 at 9:22
  • When did I say it is a virus ;)
    – pulsejet
    Commented Dec 5, 2017 at 9:23
  • It's indeed malicious, but definitely not a virus! By definition a virus is written to duplicate itself. This is not the case here!
    – Ob1lan
    Commented Dec 5, 2017 at 9:38
  • @Ob1lan yup, I never did say it is a virus. The question is whether this is related to some known malware. That said, this answer doesn't exactly help.
    – pulsejet
    Commented Dec 5, 2017 at 9:44
