Log inRegister an accountBrowse CSDbHelp & documentationFacts & StatisticsThe forumsAvailable RSS-feeds on CSDbSupport CSDb Commodore 64 Scene Database
 Welcome to our latest new user Harvey ! (Registered 2024-11-25) You are not logged in - nap
CSDb User Forums


Forums > C64 Productions > Making a Virus Scanner - info needed
2007-06-03 09:46
chatGPZ

Registered: Dec 2001
Posts: 11360
Making a Virus Scanner - info needed

as some of you might know i made a little util to scan the disks i transfered for errors (D64scan V0.2). now after reading latest discussions about various virii on the c64 i thought it would be a useful feature to add virus detection (and possibly elimination) to that tool aswell...

so the question is, who has detailed info on that subject? useful info would be
- what virii do exist
- how did said virii work
- what are existing scanners/cleaners, and how do they work
- how do those virii "initially" install (i only know about that bhp virus "installer")

...etc.

at the very least, i'd need a bunch of "infected" disks (or well, d64s of them), but ofcourse any further info would make things a lot easier :)

anyone?
2007-06-03 10:17
Scout

Registered: Dec 2002
Posts: 1570
also, do polymorphic virii exist for the C64?

Huh?
Well...

inc memoryaddress


does the same as

lda memoryaddress
clc
adc #1
sta memoryaddress


There are some more tricks to do the same as above which could be easily implemented in a virus.
It makes it also (somewhat) harder to create a virus-signature because the virus-code of the same virus changes everytime.

Interesting stuff!
2007-06-03 10:33
Scout

Registered: Dec 2002
Posts: 1570
This might be interesting too:

http://pferrie.tripod.com/papers/bhp.pdf
2007-06-03 12:03
Quetzal

Registered: Jul 2002
Posts: 71
Groepaz: I made a simple detection/cleaner util for the STARFIRE virus many years ago. I've recently found it again on one of my disks and after I tidy up the menu code/message display etc. I intend uploading it here.

That virus worked by scanning the directory for uninfected programs, grabbing the track + sector link to said prg and replacing it with a T+S link to a copy of the virus (which allocated each copy of itself 2 sectors on the disk more or less at random, thus REALLY screwing up files at times), the original T+S link was placed in the 2nd sector of the virus, so the original prg was then appended after it. Next time that prg was run, after the virus finished its work, a simple memory move to $0801 and a RUN, started the main prg. Can't recall exactly, but I think it also patched various vectors such as LOAD, RUNSTOP/RESTORE etc, giving more chances to be activated, this seems to be a common idea in C64 virus.

If you look at the FROGS virus, I think you can guess how most were originally spread, by being hidden in hacked tools. Hiding it in a cruncher seems a rather clever idea as the result is not going to be easy to scan for at all, we almost have an example of a polymorphic virus there I guess.
2007-06-03 14:41
Stan
Account closed

Registered: Apr 2004
Posts: 187
Quote: as some of you might know i made a little util to scan the disks i transfered for errors (D64scan V0.2). now after reading latest discussions about various virii on the c64 i thought it would be a useful feature to add virus detection (and possibly elimination) to that tool aswell...

so the question is, who has detailed info on that subject? useful info would be
- what virii do exist
- how did said virii work
- what are existing scanners/cleaners, and how do they work
- how do those virii "initially" install (i only know about that bhp virus "installer")

...etc.

at the very least, i'd need a bunch of "infected" disks (or well, d64s of them), but ofcourse any further info would make things a lot easier :)

anyone?


BHP - Bayerische Hackerpost... ;)
2007-06-03 19:54
Fungus

Registered: Sep 2002
Posts: 680
there is AIDS virus too, didn't crossbow code that?
2007-06-04 11:04
chatGPZ

Registered: Dec 2001
Posts: 11360
sure you arent confusing that with the HIV virus?
2007-06-04 21:53
FMan
Account closed

Registered: Dec 2003
Posts: 66
The BHP article in PDF that scout linked is a good read, but it contains lots of errors and inaccuracies. However, if you know your stuff, you'll know what it says. It fails to describe the exact operation, though.
2007-06-06 14:06
Quetzal

Registered: Jul 2002
Posts: 71
Quote: <Post censored by CSDb staff>

Seems a little counter-productive. I can understand you not wanting these type of things to get spread, but the risk of them doing much damage on C64 is really low anyway. Groepaz is offering here to write a program that would actually help eradicate them, you could at least send them to him and help out.
2007-06-06 14:30
Trazan

Registered: Apr 2002
Posts: 620
Your post adds no value in this thread, Sorry to say Baracuda. Dont troll. PLEASE!
2007-06-06 14:35
BAR.
Account closed

Registered: Apr 2002
Posts: 324
Quote: Your post adds no value in this thread, Sorry to say Baracuda. Dont troll. PLEASE!

when i say that Roland coded the hiv2 and he can ask the coder about, what is wrong ?

2007-06-06 14:40
Trazan

Registered: Apr 2002
Posts: 620
...As said...Adds no value to the thread - I very much doubt Groepaz or anyone here is dumb enough not to ask the author himself.

(Please, do not question just anything there is...)
2007-06-06 14:43
BAR.
Account closed

Registered: Apr 2002
Posts: 324
Quote: ...As said...Adds no value to the thread - I very much doubt Groepaz or anyone here is dumb enough not to ask the author himself.

(Please, do not question just anything there is...)


oh you can censor it and be sure for every post been censored i ask another admin to take a closer look why it was censored.. LIKE IN THE PAST..
2007-06-06 14:48
Trazan

Registered: Apr 2002
Posts: 620
Yes, please do ask the other moderators for my reasons, but DO please stop trolling in the forums. I did remove a gazillion other posts from this forum, that YOU did complain about (read Stashs posts), so please, unless you add value to this thread - back off. Please!
2007-06-06 14:50
BAR.
Account closed

Registered: Apr 2002
Posts: 324
Quote: Yes, please do ask the other moderators for my reasons, but DO please stop trolling in the forums. I did remove a gazillion other posts from this forum, that YOU did complain about (read Stashs posts), so please, unless you add value to this thread - back off. Please!

ok, will not tell more about stuff others don't know..
As in your eyes it is trolling..
2007-06-06 15:04
CreaMD

Registered: Dec 2001
Posts: 3051
Baracuda: I read this thread too coz I find it interesting and I also think that the censored posts of yours (and others) had no value.

For many years already there is important unwritten rule of the forums. Dont' discuss with admins.

Just don't.

2007-06-06 16:11
chatGPZ

Registered: Dec 2001
Posts: 11360
Quote: Baracuda: I read this thread too coz I find it interesting and I also think that the censored posts of yours (and others) had no value.

For many years already there is important unwritten rule of the forums. Dont' discuss with admins.

Just don't.



i tend to disagree. please DO discuss with the admins, but please DO IT IN PM!

o_O
2007-06-06 16:38
CreaMD

Registered: Dec 2001
Posts: 3051
Quote: i tend to disagree. please DO discuss with the admins, but please DO IT IN PM!

o_O


I hatr you! (even more) ;-))
2007-06-06 16:40
chatGPZ

Registered: Dec 2001
Posts: 11360
Quote: I hatr you! (even more) ;-))

<3 *hug*
2007-06-07 16:03
chatGPZ

Registered: Dec 2001
Posts: 11360
i have made a little textfile containing what i found so far.... any further info and help welcomed. -> http://hitmen.c02.at/files/docs/c64/C64_Virus_List.txt

thanks to the ppl who helped so far (you know who you are)
2007-06-09 19:54
BAR.
Account closed

Registered: Apr 2002
Posts: 324
Quote: i have made a little textfile containing what i found so far.... any further info and help welcomed. -> http://hitmen.c02.at/files/docs/c64/C64_Virus_List.txt

thanks to the ppl who helped so far (you know who you are)


As Roland now gave you the HIV2, you can be sure it is not
outhere, as i never spread it around.. :)
2007-06-09 19:57
chatGPZ

Registered: Dec 2001
Posts: 11360
Quote:
As Roland now gave you the HIV2, you can be sure it is not outhere, as i never spread it around.. :)


other people told me about this years before you know...

also since roland posted it in a public forum, it now certainly IS out there =P
2007-06-09 20:02
BAR.
Account closed

Registered: Apr 2002
Posts: 324
Quote: Quote:
As Roland now gave you the HIV2, you can be sure it is not outhere, as i never spread it around.. :)


other people told me about this years before you know...

also since roland posted it in a public forum, it now certainly IS out there =P


"Sauhund" it is now out...

But be sure it was never before..
But understand me why i told you to ask the coder himself..
Now it's not so dangerous as you know how it works.

He never spread the file or did he ?
He only talked about after you were asking around or am i wrong ?
2007-06-09 20:07
chatGPZ

Registered: Dec 2001
Posts: 11360
whats so hard to understand in

Quote:

other people told me about this years before you know...


?

and if you read that thread roland posted the virus in, you can also see that roland isnt sure himself if he released it before.
2007-06-09 20:10
BAR.
Account closed

Registered: Apr 2002
Posts: 324
Quote: whats so hard to understand in

Quote:

other people told me about this years before you know...


?

and if you read that thread roland posted the virus in, you can also see that roland isnt sure himself if he released it before.



As told before Roland did not release it,
it was a "gift only to me", from a friend...
Could be that he forgot that.. ;)

Ok, we should now end here.
2007-06-09 20:18
chatGPZ

Registered: Dec 2001
Posts: 11360
Quote:

So you where sure that it was no fake ?


what? ppl telling me he made an improved version of HIV? why the hell would that be "fake" ?

Quote:

So i don't understand why you asked me in 2007 for it ?


i always used a c64/drive/cartridge combination which resets the drive together with the c64 (again, as you can read in that thread *sigh*) - and thus all those virii were pretty much a non issue to me. i've never spent a minute thinking about them until now, simply as that.
2007-06-09 20:26
BAR.
Account closed

Registered: Apr 2002
Posts: 324
Quote: Quote:

So you where sure that it was no fake ?


what? ppl telling me he made an improved version of HIV? why the hell would that be "fake" ?

Quote:

So i don't understand why you asked me in 2007 for it ?


i always used a c64/drive/cartridge combination which resets the drive together with the c64 (again, as you can read in that thread *sigh*) - and thus all those virii were pretty much a non issue to me. i've never spent a minute thinking about them until now, simply as that.


A hint how to identify a HIV infected disk...

The directory will load slowly after the virus had infected a disk.. It is at first a file infected and then after that the virus linked directly to track18. If all is done, the files
all on disk and the track 18 is infected. That's the reason while it load slowly..
2007-06-09 22:09
chatGPZ

Registered: Dec 2001
Posts: 11360
thats not quite right. the directory will load slowly *if the virus is active*, ie if you run some infected program before and didnt reset the drive before loading the directory again. if you didnt run some infected program before, the directory will ofcourse load at normal speed and no harm will be done either.
2007-06-09 22:13
BAR.
Account closed

Registered: Apr 2002
Posts: 324
Quote: thats not quite right. the directory will load slowly *if the virus is active*, ie if you run some infected program before and didnt reset the drive before loading the directory again. if you didnt run some infected program before, the directory will ofcourse load at normal speed and no harm will be done either.

A hint how to identify a HIV infected disk...

means the virus is active or am i wrong ?
Please read again.. ;)
2007-06-09 22:24
chatGPZ

Registered: Dec 2001
Posts: 11360
Quote:
A hint how to identify a HIV infected disk...

means the virus is active or am i wrong ?


yes you are, and if you read my answer again you might even understand why o_O
2007-06-09 22:33
BAR.
Account closed

Registered: Apr 2002
Posts: 324
Quote: Quote:
A hint how to identify a HIV infected disk...

means the virus is active or am i wrong ?


yes you are, and if you read my answer again you might even understand why o_O


deleted..
2015-04-17 19:57
AlexC

Registered: Jan 2008
Posts: 298
I wonder: did anyone actually ever found a sample of Coder-Virus?
2015-04-17 20:12
iAN CooG

Registered: May 2002
Posts: 3187
sure, grab while it lasts
https://www.dropbox.com/s/bqbk2rkfxobmd04/codervirus.rar?dl=0
contains both a d64 with 2 infected prgs and one extracted infected prg.
Unp64 and d64vrm can be used to disinfect them.
2015-04-17 20:59
AlexC

Registered: Jan 2008
Posts: 298
Quote: sure, grab while it lasts
https://www.dropbox.com/s/bqbk2rkfxobmd04/codervirus.rar?dl=0
contains both a d64 with 2 infected prgs and one extracted infected prg.
Unp64 and d64vrm can be used to disinfect them.


Thank you! I've been looking for it to confirm it for some time already.
2015-04-18 05:31
trent

Registered: Apr 2015
Posts: 12
While as far as I know never in the wild, and this source code is benign, the author of this code posted it up some time ago (e.g. someone may have made a variant, however unlikely). Only GEOS virus I ever heard of; but would qualify for this thread; it's a file infector.

http://www.lyonlabs.org/commodore/onrequest/geos/ShadowVirusS.t..

Details of method of operation at the bottom of this page;

http://www.lyonlabs.org/commodore/onrequest/geos.html#exotica
2015-04-19 02:19
The Phantom

Registered: Jan 2004
Posts: 360
Groepaz - I know nothing, but have some c64 virus stuffs you may want.

I have a document (pdf) on BHP, it's payload and how to avoid it.

Then I have the following:

BCS 1.64
Bula 6.13
Bula 8.32
C.bar.de
And, of course, BHP.

Not sure if any of it would be of use, but if so, make sure you PM me and I'll send them to whatever email address you give.
2015-04-19 02:21
The Phantom

Registered: Jan 2004
Posts: 360
The PDF looks to be the same Scout posted at the start.
2015-04-20 19:22
Danzig

Registered: Jun 2002
Posts: 440
Anyone ever faced a "virus" that copied 2 files on a disk namely ">" and "<". It then changed track 18 so that load"$",8 list just returns load">",8,1.
if you place the cursor on that line and press return you get the directory listing with always the same diskname (something like "visual soft works" or the like, dunno remember exactly). IIRC you can just move the cursor on an entry and press return to load the file. And IIRRC it was also turbo loader.

1.) if you insert another disk into the drive it gets "infected" immediate
2.) it could also lead to "broken disks". I once inserted Zak McCracken into the drive for testing purpose and it mangled the disk.
3.) only way to remove the "virus" was to repair the directory with a disk monitor.
4.) It hides the files ">" and "<" while listing the directory

Anyone?
2015-05-01 14:39
AlexC

Registered: Jan 2008
Posts: 298
Ok, so I've been able to locate most of infected disk/prgs: I'm still missing those two:

HIV2
Starfire

I'm also looking for more sample of HIV1 virus. I know I could download the source code from codebase64 but I don't want to create new variants by accident so I'd prefer to find disk images or prgs. If anyone has those file please share. Thanks in advance.
2015-05-02 11:59
iAN CooG

Registered: May 2002
Posts: 3187
Candyland
ALL mirrors have the prg infected with HIV. Grab it while it lasts, needs to be replaced with a cleaned prg /me rolls eyes
No idea about HIV2 anyway.
2015-05-02 12:25
bugjam

Registered: Apr 2003
Posts: 2583
@Danzig: That one sounds pretty cool, I hope it will be found.
2015-05-22 08:03
Danzig

Registered: Jun 2002
Posts: 440
Quote: Anyone ever faced a "virus" that copied 2 files on a disk namely ">" and "<". It then changed track 18 so that load"$",8 list just returns load">",8,1.
if you place the cursor on that line and press return you get the directory listing with always the same diskname (something like "visual soft works" or the like, dunno remember exactly). IIRC you can just move the cursor on an entry and press return to load the file. And IIRRC it was also turbo loader.

1.) if you insert another disk into the drive it gets "infected" immediate
2.) it could also lead to "broken disks". I once inserted Zak McCracken into the drive for testing purpose and it mangled the disk.
3.) only way to remove the "virus" was to repair the directory with a disk monitor.
4.) It hides the files ">" and "<" while listing the directory

Anyone?


Yeah, sometimes things just don't let you sleep :D

I found the fucker on an old .D64 of mine (after manually checking ~700 Disks, hints for a good search tool are welcome ;) ).. So if anyone is interested, leave me a pm. I can isolate the 2 files and send it via e-mail!

I hope someone can shed some light on it (who did it, when was it done (my guess: somewhen 1987?)).

Cheers!
2015-05-22 16:18
bugjam

Registered: Apr 2003
Posts: 2583
Cool. :-)
2015-05-23 20:21
Danzig

Registered: Jun 2002
Posts: 440
I copied the 2 files to an empty .d64 and "activated" it by executing load">",8,1.
It says Visual--Arts in the header. So I created an entry for the group and the Virus

Edit: Why did I create a new group entry? Because I have no doubt: this was not released by Visual Arts
2015-10-10 17:52
bugjam

Registered: Apr 2003
Posts: 2583
Is it known which one is the virus mentioned here Virus Warning!?
2015-12-18 15:38
Scan

Registered: Dec 2015
Posts: 111
Not sure whether you people are still interested in Commodore 64 viruses, but here you can download a new one. The zip file contains the fully documented source code (64tass compatible) and a .d64 image on which the 2nd file (with the picture of the trollface) is infected.

Bit Addict Virus
RefreshSubscribe to this thread:

You need to be logged in to post in the forum.

Search the forum:
Search   for   in  
All times are CET.
Search CSDb
Advanced
Users Online
Alakran_64
fegolhuzz
Mythus/Delysid
kbs/Pht/Lxt
Shake/Role
Bob/Censor Design
jmagic
celticdesign/G★P/M..
rexbeng
Holy Moses/Role
Higgie/Kraze/Slackers
Scooby/G★P/Light
wil
MagerValp/G★P
Facet/G★P ^ Bonzai
Guests online: 136
Top Demos
1 Next Level  (9.7)
2 13:37  (9.7)
3 Coma Light 13  (9.7)
4 Edge of Disgrace  (9.6)
5 Mojo  (9.6)
6 The Demo Coder  (9.6)
7 What Is The Matrix 2  (9.6)
8 Uncensored  (9.6)
9 Wonderland XIV  (9.6)
10 Comaland 100%  (9.6)
Top onefile Demos
1 Layers  (9.6)
2 Party Elk 2  (9.6)
3 Cubic Dream  (9.6)
4 Copper Booze  (9.6)
5 Libertongo  (9.5)
6 Rainbow Connection  (9.5)
7 Onscreen 5k  (9.5)
8 Morph  (9.5)
9 Dawnfall V1.1  (9.5)
10 It's More Fun to Com..  (9.5)
Top Groups
1 Performers  (9.3)
2 Booze Design  (9.3)
3 Oxyron  (9.3)
4 Nostalgia  (9.3)
5 Triad  (9.2)
Top Webmasters
1 Slaygon  (9.6)
2 Perff  (9.6)
3 Morpheus  (9.5)
4 Sabbi  (9.5)
5 CreaMD  (9.1)

Home - Disclaimer
Copyright © No Name 2001-2024
Page generated in: 0.106 sec.