Forums > C64 Productions > Making a Virus Scanner - info needed
2007-06-03 09:46
chatGPZ

Registered: Dec 2001
Posts: 11350
Making a Virus Scanner - info needed

as some of you might know i made a little util to scan the disks i transferred for errors (D64scan V0.2). now after reading latest discussions about various virii on the c64 i thought it would be a useful feature to add virus detection (and possibly elimination) to that tool as well...

so the question is, who has detailed info on that subject? useful info would be
- what virii do exist
- how did said virii work
- what are existing scanners/cleaners, and how do they work
- how do those virii "initially" install (i only know about that bhp virus "installer")

...etc.

at the very least, i'd need a bunch of "infected" disks (or well, d64s of them), but of course any further info would make things a lot easier :)

anyone?
2007-06-03 10:17
Scout

Registered: Dec 2002
Posts: 1570
also, do polymorphic virii exist for the C64?

Huh?
Well...

inc memoryaddress


does the same as

lda memoryaddress
clc
adc #1
sta memoryaddress


There are some more tricks to do the same as above which could be easily implemented in a virus.
It also makes it (somewhat) harder to create a virus signature because the virus code of the same virus changes every time.

Interesting stuff!
2007-06-03 10:33
Scout

Registered: Dec 2002
Posts: 1570
This might be interesting too:

http://pferrie.tripod.com/papers/bhp.pdf
2007-06-03 12:03
Quetzal

Registered: Jul 2002
Posts: 71
Groepaz: I made a simple detection/cleaner util for the STARFIRE virus many years ago. I've recently found it again on one of my disks and after I tidy up the menu code/message display etc. I intend uploading it here.

That virus worked by scanning the directory for uninfected programs, grabbing the track + sector link to said prg and replacing it with a T+S link to a copy of the virus (which allocated each copy of itself 2 sectors on the disk more or less at random, thus REALLY screwing up files at times). The original T+S link was placed in the 2nd sector of the virus, so the original prg was then appended after it. Next time that prg was run, after the virus finished its work, a simple memory move to $0801 and a RUN started the main prg. Can't recall exactly, but I think it also patched various vectors such as LOAD, RUNSTOP/RESTORE etc., giving it more chances to be activated; this seems to be a common idea in C64 viruses.

If you look at the FROGS virus, I think you can guess how most were originally spread, by being hidden in hacked tools. Hiding it in a cruncher seems a rather clever idea as the result is not going to be easy to scan for at all, we almost have an example of a polymorphic virus there I guess.
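As an added example (not D64scan's code, nor any poster's), here is the kind of structural check a scanner can run for the infection pattern Quetzal describes: walk the raw track-18 directory, follow every file's sector chain and compare it with the BAM, so a start link rerouted through an unallocated sector, a chain longer than the directory's block count, or two files sharing a sector all surface without needing a virus signature. The D64 layout used (35 tracks, BAM in 18/0, directory from 18/1) is the standard one; the sample image is constructed here and is not a real infected disk.

```python
SECTORS_PER_TRACK = [21] * 17 + [19] * 7 + [18] * 6 + [17] * 5   # tracks 1..35, 256-byte sectors
def sector_offset(track, sector):               # byte offset in a 35-track D64, None if impossible
    if not 1 <= track <= 35 or not 0 <= sector < SECTORS_PER_TRACK[track - 1]: return None
    return (sum(SECTORS_PER_TRACK[:track - 1]) + sector) * 256

def bam_is_free(img, track, sector):
    entry = sector_offset(18, 0) + 4 + (track - 1) * 4     # BAM in 18/0: 4 bytes per track
    return bool(img[entry + 1 + sector // 8] & (1 << (sector % 8)))   # set bitmap bit = free

def directory_entries(img):
    """Yield (name, start_track, start_sector, block_count) read straight from track 18."""
    track, sector, visited = 18, 1, []
    while (track, sector) not in visited and (off := sector_offset(track, sector)) is not None:
        visited.append((track, sector))                     # guards against a looped directory
        for e in range(off, off + 256, 32):                 # 8 entries of 32 bytes
            if img[e + 2]:                                  # file type 0 = scratched/unused
                yield img[e + 5:e + 21].rstrip(b"\xa0"), img[e + 3], img[e + 4], img[e + 30] | img[e + 31] << 8
        track, sector = img[off], img[off + 1]

def follow_chain(img, track, sector):
    chain = []                                  # stops at the end marker (track 0), a loop or a bad link
    while track and (track, sector) not in chain and (off := sector_offset(track, sector)) is not None:
        chain.append((track, sector))
        track, sector = img[off], img[off + 1]
    return chain

def scan_d64(img):
    """Return (file name, problem) pairs: block-count, BAM and cross-link mismatches."""
    owner, problems = {}, []
    for name, t, s, blocks in directory_entries(img):
        chain = follow_chain(img, t, s)
        if len(chain) != blocks:
            problems.append((name, f"dir says {blocks} blocks, chain has {len(chain)}"))
        for ts in chain:
            if bam_is_free(img, *ts):
                problems.append((name, f"{ts[0]}/{ts[1]} in chain but marked free in BAM"))
            if ts in owner:
                problems.append((name, f"{ts[0]}/{ts[1]} also belongs to {owner[ts]!r}"))
            owner.setdefault(ts, name)
    return problems

def build_sample():
    """Constructed image, no real virus: a clean 2-block PRG plus an entry rerouted through an unallocated sector into that PRG's chain."""
    img, bam = bytearray(174848), sector_offset(18, 0)
    img[bam:bam + 3] = b"\x12\x01\x41"                      # first dir sector 18/1, DOS type 'A'
    for t, n in enumerate(SECTORS_PER_TRACK, 1):            # BAM: every sector free
        img[bam + t * 4:bam + t * 4 + 4] = bytes([n]) + ((1 << n) - 1).to_bytes(3, "little")
    def alloc(t, s):                                        # clear the free bit, fix the free count
        img[bam + t * 4] -= 1; img[bam + t * 4 + 1 + s // 8] &= ~(1 << (s % 8)) & 0xFF
    def link(t, s, nt, ns):                                 # write a sector's next T/S pointer
        img[sector_offset(t, s):sector_offset(t, s) + 2] = bytes([nt, ns])
    def entry(i, name, t, s, blocks):                       # closed PRG entry i in 18/1
        e = sector_offset(18, 1) + i * 32
        img[e + 2:e + 21] = bytes([0x82, t, s]) + name.ljust(16, b"\xa0")
        img[e + 30:e + 32] = blocks.to_bytes(2, "little")
    alloc(18, 0); alloc(18, 1); alloc(1, 0); alloc(1, 1)
    link(18, 1, 0, 0xFF); link(1, 0, 1, 1); link(1, 1, 0, 0xFF); link(1, 5, 1, 0)   # 1/5 is free in BAM
    entry(0, b"GAME", 1, 0, 2); entry(1, b"INTRO", 1, 5, 2)   # INTRO's start link goes via 1/5
    return bytes(img)
```

The clean GAME entry produces no findings, while INTRO is reported four times: wrong block count, a chain sector the BAM says is free, and two sectors it shares with GAME.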
2007-06-03 14:41
Stan
Account closed

Registered: Apr 2004
Posts: 187
Quote: as some of you might know i made a little util to scan the disks i transferred for errors (D64scan V0.2). now after reading latest discussions about various virii on the c64 i thought it would be a useful feature to add virus detection (and possibly elimination) to that tool as well...

so the question is, who has detailed info on that subject? useful info would be
- what virii do exist
- how did said virii work
- what are existing scanners/cleaners, and how do they work
- how do those virii "initially" install (i only know about that bhp virus "installer")

...etc.

at the very least, i'd need a bunch of "infected" disks (or well, d64s of them), but of course any further info would make things a lot easier :)

anyone?


BHP - Bayerische Hackerpost... ;)
2007-06-03 19:54
Fungus

Registered: Sep 2002
Posts: 680
there is AIDS virus too, didn't crossbow code that?
2007-06-04 11:04
chatGPZ

Registered: Dec 2001
Posts: 11350
sure you aren't confusing that with the HIV virus?
2007-06-04 21:53
FMan
Account closed

Registered: Dec 2003
Posts: 66
The BHP article in PDF that scout linked is a good read, but it contains lots of errors and inaccuracies. However, if you know your stuff, you'll know what it says. It fails to describe the exact operation, though.
2007-06-06 14:06
Quetzal

Registered: Jul 2002
Posts: 71
Quote: <Post censored by CSDb staff>

Seems a little counter-productive. I can understand you not wanting these types of things to get spread, but the risk of them doing much damage on C64 is really low anyway. Groepaz is offering here to write a program that would actually help eradicate them, you could at least send them to him and help out.
2007-06-06 14:30
Trazan

Registered: Apr 2002
Posts: 620
Your post adds no value in this thread, sorry to say Baracuda. Don't troll. PLEASE!
2007-06-06 14:35
BAR.
Account closed

Registered: Apr 2002
Posts: 324
Quote: Your post adds no value in this thread, sorry to say Baracuda. Don't troll. PLEASE!

when i say that Roland coded the hiv2 and he can ask the coder about it, what is wrong?

2007-06-06 14:40
Trazan

Registered: Apr 2002
Posts: 620
...As said...Adds no value to the thread - I very much doubt Groepaz or anyone here is dumb enough not to ask the author himself.

(Please, do not question just anything there is...)
2007-06-06 14:43
BAR.
Account closed

Registered: Apr 2002
Posts: 324
Quote: ...As said...Adds no value to the thread - I very much doubt Groepaz or anyone here is dumb enough not to ask the author himself.

(Please, do not question just anything there is...)


oh you can censor it, and be sure for every post that gets censored i ask another admin to take a closer look why it was censored.. LIKE IN THE PAST..
2007-06-06 14:48
Trazan

Registered: Apr 2002
Posts: 620
Yes, please do ask the other moderators for my reasons, but DO please stop trolling in the forums. I did remove a gazillion other posts from this forum, that YOU did complain about (read Stashs posts), so please, unless you add value to this thread - back off. Please!
2007-06-06 14:50
BAR.
Account closed

Registered: Apr 2002
Posts: 324
Quote: Yes, please do ask the other moderators for my reasons, but DO please stop trolling in the forums. I did remove a gazillion other posts from this forum, that YOU did complain about (read Stashs posts), so please, unless you add value to this thread - back off. Please!

ok, will not tell more about stuff others don't know..
As in your eyes it is trolling..
2007-06-06 15:04
CreaMD

Registered: Dec 2001
Posts: 3047
Baracuda: I read this thread too coz I find it interesting and I also think that the censored posts of yours (and others) had no value.

For many years already there has been an important unwritten rule of the forums. Don't discuss with admins.

Just don't.

2007-06-06 16:11
chatGPZ

Registered: Dec 2001
Posts: 11350
Quote: Baracuda: I read this thread too coz I find it interesting and I also think that the censored posts of yours (and others) had no value.

For many years already there has been an important unwritten rule of the forums. Don't discuss with admins.

Just don't.



i tend to disagree. please DO discuss with the admins, but please DO IT IN PM!

o_O
2007-06-06 16:38
CreaMD

Registered: Dec 2001
Posts: 3047
Quote: i tend to disagree. please DO discuss with the admins, but please DO IT IN PM!

o_O


I hate you! (even more) ;-))
2007-06-06 16:40
chatGPZ

Registered: Dec 2001
Posts: 11350
Quote: I hate you! (even more) ;-))

<3 *hug*
2007-06-07 16:03
chatGPZ

Registered: Dec 2001
Posts: 11350
i have made a little textfile containing what i found so far.... any further info and help welcomed. -> http://hitmen.c02.at/files/docs/c64/C64_Virus_List.txt

thanks to the ppl who helped so far (you know who you are)
2007-06-09 19:54
BAR.
Account closed

Registered: Apr 2002
Posts: 324
Quote: i have made a little textfile containing what i found so far.... any further info and help welcomed. -> http://hitmen.c02.at/files/docs/c64/C64_Virus_List.txt

thanks to the ppl who helped so far (you know who you are)


As Roland now gave you the HIV2, you can be sure it is not
out there, as i never spread it around.. :)
2007-06-09 19:57
chatGPZ

Registered: Dec 2001
Posts: 11350
Quote:
As Roland now gave you the HIV2, you can be sure it is not out there, as i never spread it around.. :)


other people told me about this years before you know...

also since roland posted it in a public forum, it now certainly IS out there =P
2007-06-09 20:02
BAR.
Account closed

Registered: Apr 2002
Posts: 324
Quote: Quote:
As Roland now gave you the HIV2, you can be sure it is not out there, as i never spread it around.. :)


other people told me about this years before you know...

also since roland posted it in a public forum, it now certainly IS out there =P


"Sauhund" it is now out...

But be sure it was never before..
But understand me why i told you to ask the coder himself..
Now it's not so dangerous as you know how it works.

He never spread the file, or did he ?
He only talked about it after you were asking around, or am i wrong ?
2007-06-09 20:07
chatGPZ

Registered: Dec 2001
Posts: 11350
what's so hard to understand in

Quote:

other people told me about this years before you know...


?

and if you read that thread roland posted the virus in, you can also see that roland isn't sure himself if he released it before.
2007-06-09 20:10
BAR.
Account closed

Registered: Apr 2002
Posts: 324
Quote: what's so hard to understand in

Quote:

other people told me about this years before you know...


?

and if you read that thread roland posted the virus in, you can also see that roland isn't sure himself if he released it before.



As told before Roland did not release it,
it was a "gift only to me", from a friend...
Could be that he forgot that.. ;)

Ok, we should now end here.
2007-06-09 20:18
chatGPZ

Registered: Dec 2001
Posts: 11350
Quote:

So you were sure that it was no fake ?


what? ppl telling me he made an improved version of HIV? why the hell would that be "fake" ?

Quote:

So i don't understand why you asked me in 2007 for it ?


i always used a c64/drive/cartridge combination which resets the drive together with the c64 (again, as you can read in that thread *sigh*) - and thus all those virii were pretty much a non issue to me. i've never spent a minute thinking about them until now, simple as that.
2007-06-09 20:26
BAR.
Account closed

Registered: Apr 2002
Posts: 324
Quote: Quote:

So you were sure that it was no fake ?


what? ppl telling me he made an improved version of HIV? why the hell would that be "fake" ?

Quote:

So i don't understand why you asked me in 2007 for it ?


i always used a c64/drive/cartridge combination which resets the drive together with the c64 (again, as you can read in that thread *sigh*) - and thus all those virii were pretty much a non issue to me. i've never spent a minute thinking about them until now, simple as that.


A hint how to identify a HIV infected disk...

The directory will load slowly after the virus has infected a disk.. At first a file is infected, and after that the virus links directly to track 18. When all is done, all the files on the disk and track 18 are infected. That's the reason why it loads slowly..
2007-06-09 22:09
chatGPZ

Registered: Dec 2001
Posts: 11350
that's not quite right. the directory will load slowly *if the virus is active*, ie if you ran some infected program before and didn't reset the drive before loading the directory again. if you didn't run some infected program before, the directory will of course load at normal speed and no harm will be done either.
2007-06-09 22:13
BAR.
Account closed

Registered: Apr 2002
Posts: 324
Quote: that's not quite right. the directory will load slowly *if the virus is active*, ie if you ran some infected program before and didn't reset the drive before loading the directory again. if you didn't run some infected program before, the directory will of course load at normal speed and no harm will be done either.

A hint how to identify a HIV infected disk...

means the virus is active or am i wrong ?
Please read again.. ;)
2007-06-09 22:24
chatGPZ

Registered: Dec 2001
Posts: 11350
Quote:
A hint how to identify a HIV infected disk...

means the virus is active or am i wrong ?


yes you are, and if you read my answer again you might even understand why o_O
2007-06-09 22:33
BAR.
Account closed

Registered: Apr 2002
Posts: 324
Quote: Quote:
A hint how to identify a HIV infected disk...

means the virus is active or am i wrong ?


yes you are, and if you read my answer again you might even understand why o_O


deleted..
2015-04-17 19:57
AlexC

Registered: Jan 2008
Posts: 298
I wonder: did anyone actually ever find a sample of Coder-Virus?
2015-04-17 20:12
iAN CooG

Registered: May 2002
Posts: 3186
sure, grab while it lasts
https://www.dropbox.com/s/bqbk2rkfxobmd04/codervirus.rar?dl=0
contains both a d64 with 2 infected prgs and one extracted infected prg.
Unp64 and d64vrm can be used to disinfect them.
2015-04-17 20:59
AlexC

Registered: Jan 2008
Posts: 298
Quote: sure, grab while it lasts
https://www.dropbox.com/s/bqbk2rkfxobmd04/codervirus.rar?dl=0
contains both a d64 with 2 infected prgs and one extracted infected prg.
Unp64 and d64vrm can be used to disinfect them.


Thank you! I've been looking for it to confirm it for some time already.
2015-04-18 05:31
trent

Registered: Apr 2015
Posts: 12
While as far as I know never in the wild, and this source code is benign, the author of this code posted it up some time ago (e.g. someone may have made a variant, however unlikely). Only GEOS virus I ever heard of; but would qualify for this thread; it's a file infector.

http://www.lyonlabs.org/commodore/onrequest/geos/ShadowVirusS.t..

Details of method of operation at the bottom of this page;

http://www.lyonlabs.org/commodore/onrequest/geos.html#exotica
2015-04-19 02:19
The Phantom

Registered: Jan 2004
Posts: 360
Groepaz - I know nothing, but have some c64 virus stuffs you may want.

I have a document (pdf) on BHP, its payload and how to avoid it.

Then I have the following:

BCS 1.64
Bula 6.13
Bula 8.32
C.bar.de
And, of course, BHP.

Not sure if any of it would be of use, but if so, make sure you PM me and I'll send them to whatever email address you give.
2015-04-19 02:21
The Phantom

Registered: Jan 2004
Posts: 360
The PDF looks to be the same Scout posted at the start.
2015-04-20 19:22
Danzig

Registered: Jun 2002
Posts: 440
Anyone ever faced a "virus" that copied 2 files to a disk, namely ">" and "<"? It then changed track 18 so that load"$",8 list just returns load">",8,1.
if you place the cursor on that line and press return you get the directory listing, always with the same diskname (something like "visual soft works" or the like, don't remember exactly). IIRC you can just move the cursor on an entry and press return to load the file. And IIRC it was also a turbo loader.

1.) if you insert another disk into the drive it gets "infected" immediately
2.) it could also lead to "broken disks". I once inserted Zak McCracken into the drive for testing purposes and it mangled the disk.
3.) the only way to remove the "virus" was to repair the directory with a disk monitor.
4.) It hides the files ">" and "<" while listing the directory

Anyone?
2015-05-01 14:39
AlexC

Registered: Jan 2008
Posts: 298
Ok, so I've been able to locate most of the infected disks/prgs; I'm still missing these two:

HIV2
Starfire

I'm also looking for more samples of the HIV1 virus. I know I could download the source code from codebase64 but I don't want to create new variants by accident, so I'd prefer to find disk images or prgs. If anyone has those files please share. Thanks in advance.
2015-05-02 11:59
iAN CooG

Registered: May 2002
Posts: 3186
Candyland
ALL mirrors have the prg infected with HIV. Grab it while it lasts, needs to be replaced with a cleaned prg /me rolls eyes
No idea about HIV2 anyway.
2015-05-02 12:25
bugjam

Registered: Apr 2003
Posts: 2579
@Danzig: That one sounds pretty cool, I hope it will be found.
2015-05-22 08:03
Danzig

Registered: Jun 2002
Posts: 440
Quote: Anyone ever faced a "virus" that copied 2 files to a disk, namely ">" and "<"? It then changed track 18 so that load"$",8 list just returns load">",8,1.
if you place the cursor on that line and press return you get the directory listing, always with the same diskname (something like "visual soft works" or the like, don't remember exactly). IIRC you can just move the cursor on an entry and press return to load the file. And IIRC it was also a turbo loader.

1.) if you insert another disk into the drive it gets "infected" immediately
2.) it could also lead to "broken disks". I once inserted Zak McCracken into the drive for testing purposes and it mangled the disk.
3.) the only way to remove the "virus" was to repair the directory with a disk monitor.
4.) It hides the files ">" and "<" while listing the directory

Anyone?


Yeah, sometimes things just don't let you sleep :D

I found the fucker on an old .D64 of mine (after manually checking ~700 Disks, hints for a good search tool are welcome ;) ).. So if anyone is interested, leave me a pm. I can isolate the 2 files and send it via e-mail!

I hope someone can shed some light on it (who did it, when was it done (my guess: sometime in 1987?)).

Cheers!
2015-05-22 16:18
bugjam

Registered: Apr 2003
Posts: 2579
Cool. :-)
2015-05-23 20:21
Danzig

Registered: Jun 2002
Posts: 440
I copied the 2 files to an empty .d64 and "activated" it by executing load">",8,1.
It says Visual--Arts in the header. So I created an entry for the group and the Virus

Edit: Why did I create a new group entry? Because I have no doubt: this was not released by Visual Arts
2015-10-10 17:52
bugjam

Registered: Apr 2003
Posts: 2579
Is it known which one is the virus mentioned here Virus Warning!?
2015-12-18 15:38
Scan

Registered: Dec 2015
Posts: 111
Not sure whether you people are still interested in Commodore 64 viruses, but here you can download a new one. The zip file contains the fully documented source code (64tass compatible) and a .d64 image on which the 2nd file (with the picture of the trollface) is infected.

Bit Addict Virus