The above is a shorter alternative. To better understand how the Fork Bomb Batch File virus works, let us rewrite the code so that a beginner can follow what the batch file is doing. Note that this new code does EXACTLY the same thing as the code above; it is just written at a beginner level:
The Fork Bomb Batch File Virus Explained Step by Step (How does it work?)
:thestart
start %0
goto thestart
1) The first line creates a label named :thestart. As you already know, a label in a batch file marks a point in the file; a goto thestart jumps batch file execution to that label (line).
2) The second line, start %0, runs another copy (process) of the batch file itself (RUNME.BAT). Note that this process is another copy in memory doing exactly the same thing, because %0 in a batch file expands to the name of the file in which it is used, in this case RUNME.BAT.
3) The third and last line, goto thestart, directs execution of the batch file to the specified label (an infinite loop with no exit). In this case execution of the current process of RUNME.BAT goes to line 1 again and loads ANOTHER process of RUNME.BAT in memory, and this repeats exponentially and indefinitely, or until memory resources are overloaded and the system crashes.
Symptoms after execution of Fork Bomb Batch File Virus code (dependent on system resources):
- Machine will be sluggish at first.
- Machine might slow down.
- Machine might halt.
- Machine might restart.
- The environment (sandbox) you're running in (if any) will terminate or restart.
Illustration of Fork Bomb Batch File Virus
Every program doubling itself is a form of exponential growth. After one iteration of the loop, two programs (2^1) are created. After another cycle, each of those two creates another two, for a total of four (2^2). After 10 iterations we have 1024 (2^10) instances of our little batch file. After 100 iterations we have 2^100 = 1.267 nonillion, a number so big you don’t even know what ‘nonillion’ is (it’s 10^30).
The first instance will likely not even complete 50 iterations before the system grinds to a halt and crashes. For such a simple script, each individual iteration would hardly take a few milliseconds, so the first few iterations complete very quickly and soon it becomes more than what the computer can handle.
Is there a way to protect against fork bombs? Yes.
Any antivirus would be able to scan this suspicious executable file and warn the user before execution. As a fork bomb’s mode of operation is entirely dependent on being able to create new processes, one way of preventing a fork bomb from severely affecting the entire system is to limit the maximum number of processes that a single user may own. On Linux, this can be achieved by using the ulimit utility; for example, the command ulimit -u 30 would limit the affected user to a maximum of thirty owned processes.
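A cap set with ulimit -u lasts only for the shell it is typed into and that shell's children; on Linux systems that use pam_limits, the persistent form is a hard nproc rule in /etc/security/limits.conf. The script below is an added example, not code from the original article: a small audit that reports which hard nproc cap such rules give a user and whether it is within the 30 used above. The rules, user names, group names and function names are constructed for illustration, and the precedence it applies (user entry over @group over "*", last match wins, root exempt from group and wildcard rules) is a simplified model of pam_limits.

```shell
#!/bin/sh
# Added example: which hard "nproc" cap do limits.conf-style rules give a user?
# The rules, user names and group names below are constructed sample data.
SAMPLE_LIMITS='# <domain>  <type>  <item>  <value>
*           hard    nproc   30
*           soft    nofile  1024
@builders   hard    nproc   200
alice       -       nproc   50
bob         soft    nproc   20
'

# effective_nproc USER "GROUP1 GROUP2 ..."   (rules are read from stdin)
# Prints the hard nproc cap for USER, or "unlimited" when no rule applies.
# Assumed precedence: user entry > @group entry > "*"; last match wins.
effective_nproc() {
    awk -v user="$1" -v grouplist="$2" '
    BEGIN {
        n = split(grouplist, g, " ")
        for (i = 1; i <= n; i++) member["@" g[i]] = 1
        best = 0; cap = "unlimited"
    }
    { sub(/#.*/, "") }                      # drop comments
    NF != 4 || $3 != "nproc" { next }       # keep complete nproc rules only
    $2 != "hard" && $2 != "-" { next }      # a soft limit can be raised by the user
    user == "root" && $1 != "root" { next } # group and "*" rules skip root
    {
        if ($1 == user)        rank = 3
        else if ($1 in member) rank = 2
        else if ($1 == "*")    rank = 1
        else next
        if (rank >= best) { best = rank; cap = $4 }
    }
    END { print cap }'
}

# has_cap USER GROUPS MAX: succeeds only if a numeric hard cap <= MAX applies.
has_cap() {
    cap=$(printf '%s' "$SAMPLE_LIMITS" | effective_nproc "$1" "$2")
    case $cap in ''|*[!0-9]*) return 1 ;; esac
    [ "$cap" -le "$3" ]
}

# Report every sample account against the cap of 30 used in the text.
for entry in "alice:builders" "carol:builders" "dave:" "bob:" "root:"; do
    u=${entry%%:*}; grp=${entry#*:}
    if has_cap "$u" "$grp" 30; then verdict="ok"; else verdict="REVIEW"; fi
    echo "$u: $(printf '%s' "$SAMPLE_LIMITS" | effective_nproc "$u" "$grp") ($verdict)"
done
```

Accounts marked REVIEW either have no hard cap at all or one looser than the threshold; a soft-only rule such as the one for bob does not count, so bob falls back to the wildcard cap.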