chatGPZ
Registered: Dec 2001 Posts: 11360
Making a Virus Scanner - info needed
as some of you might know i made a little util to scan the disks i transferred for errors (D64scan V0.2). now after reading latest discussions about various virii on the c64 i thought it would be a useful feature to add virus detection (and possibly elimination) to that tool as well...
so the question is, who has detailed info on that subject? useful info would be
- what virii do exist
- how did said virii work
- what are existing scanners/cleaners, and how do they work
- how do those virii "initially" install (i only know about that bhp virus "installer")
...etc.
at the very least, i'd need a bunch of "infected" disks (or well, d64s of them), but of course any further info would make things a lot easier :)
anyone?

Scout
Registered: Dec 2002 Posts: 1570
also, do polymorphic virii exist for the C64?
Huh?
Well...
inc memoryaddress
does the same as
lda memoryaddress
clc
adc #1
sta memoryaddress
There are some more tricks to do the same as above which could be easily implemented in a virus.
It also makes it (somewhat) harder to create a virus signature, because the code of the same virus changes every time.
Interesting stuff!
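As an added illustration of the point above (example code, not from the thread): the two byte sequences are a different length and share no bytes except the address, so a plain byte signature written for one form misses the other. A scanner can rewrite the `lda/clc/adc #1/sta` form back into `inc` before matching. The opcode values are the real 6502 encodings; the "virus body" and signature are constructed sample values.

```python
# 6502 opcodes: INC abs, LDA abs, CLC, ADC #imm, STA abs, JMP abs
INC_ABS, LDA_ABS, CLC, ADC_IMM, STA_ABS, JMP_ABS = 0xEE, 0xAD, 0x18, 0x69, 0x8D, 0x4C

def inc_abs(addr):
    """Encode 'inc addr' (3 bytes, little-endian operand)."""
    return bytes([INC_ABS, addr & 0xFF, addr >> 8])

def expanded_inc(addr):
    """Encode the equivalent 'lda addr / clc / adc #1 / sta addr' (9 bytes)."""
    lo, hi = addr & 0xFF, addr >> 8
    return bytes([LDA_ABS, lo, hi, CLC, ADC_IMM, 0x01, STA_ABS, lo, hi])

def normalize(code):
    """Canonicalise: every 'lda X; clc; adc #1; sta X' becomes 'inc X'.
    Other bytes are copied through. Note: this walks byte by byte rather than
    by instruction length, so a real scanner would disassemble first to avoid
    matching inside operand bytes."""
    out, i = bytearray(), 0
    while i < len(code):
        w = code[i:i + 9]
        if (len(w) == 9 and w[0] == LDA_ABS and w[3] == CLC and w[4] == ADC_IMM
                and w[5] == 0x01 and w[6] == STA_ABS and w[1:3] == w[7:9]):
            out += bytes([INC_ABS, w[1], w[2]])
            i += 9
        else:
            out.append(code[i])
            i += 1
    return bytes(out)

def signature_match(code, signature, normalized=True):
    """Byte-signature scan, optionally over the canonicalised code."""
    haystack = normalize(code) if normalized else code
    return signature in haystack

# Constructed sample: a "virus" that bumps a counter at $C000 then jumps to $0801.
SIG = inc_abs(0xC000) + bytes([JMP_ABS, 0x01, 0x08])   # signature taken from variant A
VARIANT_A = SIG
VARIANT_B = expanded_inc(0xC000) + bytes([JMP_ABS, 0x01, 0x08])

if __name__ == "__main__":
    print("A, raw:       ", signature_match(VARIANT_A, SIG, normalized=False))  # True
    print("B, raw:       ", signature_match(VARIANT_B, SIG, normalized=False))  # False
    print("B, normalised:", signature_match(VARIANT_B, SIG))                    # True
```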
This might be interesting too:
http://pferrie.tripod.com/papers/bhp.pdf

Quetzal
Registered: Jul 2002 Posts: 71
Groepaz: I made a simple detection/cleaner util for the STARFIRE virus many years ago. I've recently found it again on one of my disks and after I tidy up the menu code/message display etc. I intend uploading it here.
That virus worked by scanning the directory for uninfected programs, grabbing the track + sector link to said prg and replacing it with a T+S link to a copy of the virus (which allocated each copy of itself 2 sectors on the disk more or less at random, thus REALLY screwing up files at times). The original T+S link was placed in the 2nd sector of the virus, so the original prg was then appended after it. Next time that prg was run, after the virus finished its work, a simple memory move to $0801 and a RUN started the main prg. Can't recall exactly, but I think it also patched various vectors such as LOAD, RUNSTOP/RESTORE etc., giving more chances to be activated; this seems to be a common idea in C64 viruses.
If you look at the FROGS virus, I think you can guess how most were originally spread, by being hidden in hacked tools. Hiding it in a cruncher seems a rather clever idea as the result is not going to be easy to scan for at all; we almost have an example of a polymorphic virus there I guess.

Stan (Account closed)
Registered: Apr 2004 Posts: 187
Quote: as some of you might know i made a little util to scan the disks i transferred for errors (D64scan V0.2). now after reading latest discussions about various virii on the c64 i thought it would be a useful feature to add virus detection (and possibly elimination) to that tool as well...
so the question is, who has detailed info on that subject? useful info would be
- what virii do exist
- how did said virii work
- what are existing scanners/cleaners, and how do they work
- how do those virii "initially" install (i only know about that bhp virus "installer")
...etc.
at the very least, i'd need a bunch of "infected" disks (or well, d64s of them), but of course any further info would make things a lot easier :)
anyone?
BHP - Bayerische Hackerpost... ;)

Fungus
Registered: Sep 2002 Posts: 680
there is an AIDS virus too, didn't Crossbow code that?

chatGPZ
Registered: Dec 2001 Posts: 11360
sure you aren't confusing that with the HIV virus?

FMan (Account closed)
Registered: Dec 2003 Posts: 66
The BHP article in PDF that Scout linked is a good read, but it contains lots of errors and inaccuracies. However, if you know your stuff, you'll know what it says. It fails to describe the exact operation, though.