Hash files

Started by pianka, November 01, 2003, 06:47 PM

iago

I've seen one that overwrites programs with itself, but that's it :)
This'll make an interesting test for broken AV:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Skywing

Quote from: iago on November 03, 2003, 02:29 AM
I've seen one that overwrites programs with itself, but that's it :)
A fairly common tactic is to extend .text or add a new section, and rewrite the entrypoint field to point to where the virus code is stored.  The virus can then do whatever (e.g. creating a new thread to do its work, or doing its work directly) before the original program runs.
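The infection pattern Skywing describes (a grown .text or an appended section, with AddressOfEntryPoint rewritten to point at it) leaves marks in the PE header that a defender can check for. The following is an added example, not code from this thread or any of its posters: it parses the DOS header, COFF header, optional header and section table by hand and reports entry points that sit outside any section, in a non-executable section, in a section that is both writable and executable, or in an appended last section that is not .text. Header field offsets follow the published PE/COFF format; the two sample "files" are constructed header-only blobs built by the `build_pe` helper (my own, not a real tool), so nothing here is an actual binary.

```python
"""Heuristic check for a PE entry point redirected away from the original code
section.  Added example; header offsets follow the PE/COFF specification, the
sample inputs are constructed headers with no code bytes."""
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]    # SizeOfOptionalHeader
    opt_off = pe_off + 24                                        # optional header follows COFF header
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]      # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsec):
        off = opt_off + opt_size + 40 * i                        # 40-byte section headers
        name, vsize, va, raw_size = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]      # Characteristics
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "size": max(vsize, raw_size), "characteristics": chars,
        })
    return entry, sections


def entry_point_findings(data):
    """Reasons the entry point looks tampered with; an empty list means nothing odd."""
    entry, sections = parse_pe(data)
    home = next((s for s in sections if s["va"] <= entry < s["va"] + s["size"]), None)
    if home is None:
        return ["entry point 0x%x is not inside any section" % entry]
    findings = []
    flags = home["characteristics"]
    if not flags & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point in non-executable section %s" % home["name"])
    if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is both writable and executable" % home["name"])
    if len(sections) > 1 and home is sections[-1] and home["name"] != ".text":
        findings.append("entry point in last section %s instead of .text" % home["name"])
    return findings


def build_pe(entry, sections):
    """Constructed minimal PE32 header (DOS stub, COFF header, optional header,
    section table) for testing.  sections: list of (name, rva, size, characteristics)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                         # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic = PE32
    struct.pack_into("<I", opt, 16, entry)                       # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    size, rva, size, 0, 0, 0, 0, 0, chars)
        for name, rva, size, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed sample: ordinary layout, entry point a little way into .text.
CLEAN_SAMPLE = build_pe(0x1010, [(".text", 0x1000, 0x2000, CODE),
                                 (".data", 0x3000, 0x1000, DATA)])
# Constructed sample: a writable+executable section appended after .data, with the
# entry point field rewritten to point into it.
SUSPECT_SAMPLE = build_pe(0x4020, [(".text", 0x1000, 0x2000, CODE),
                                   (".data", 0x3000, 0x1000, DATA),
                                   (".xyz", 0x4000, 0x400, CODE | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(label, entry_point_findings(blob) or ["no findings"])
```

These are triage heuristics, not a verdict: packers and some linkers legitimately place the entry point outside .text, so a hit should be compared against a known-good copy of the program rather than treated as proof of infection.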

iago

I guess now that I think about it, associating .exe's with itself sort of does what you're talking about, but it would still show up on the process list.

I'm not arguing with what you're saying, though, it does sound like a very possible and clever way of implementing a virus; I've just never seen or heard of anybody do it before.

Skywing

Quote from: iago on November 03, 2003, 08:52 AM
I guess now that I think about it, associating .exe's with itself sort of does what you're talking about, but it would still show up on the process list.

I'm not arguing with what you're saying, though, it does sound like a very possible and clever way of implementing a virus; I've just never seen or heard of anybody do it before.
That's fairly surprising, I think - I've always thought the classic virus was something that infected other programs.

Note that the statement which you originally replied to was:
"That doesn't really tell you much.  There are a number of techniques that could allow a virus to run in some other process, or even not show up as a process at all (e.g. kernel mode driver)."
In particular, meaning that the virus would not necessarily have to have its own dedicated process to function.  It could, for instance, be running in explorer.exe, along with the "real" explorer.

iago

I guess the problem is that I haven't had a lot of experience with viruses in general.  I've only actually seen one, and it was written in VBScript and didn't do much other than change, say, *.mp3 to *.mp3.exe, and replace it with itself.  

Michael

Quote from: iago on November 03, 2003, 12:38 PM
I guess the problem is that I haven't had a lot of experience with viruses in general.  I've only actually seen one, and it was written in VBScript and didn't do much other than change, say, *.mp3 to *.mp3.exe, and replace it with itself.  
Aren't most viruses meant to spread throughout the web so that they can damage more than one computer?

Skywing

Quote from: -MichaeL- on November 03, 2003, 02:00 PM
Quote from: iago on November 03, 2003, 12:38 PM
I guess the problem is that I haven't had a lot of experience with viruses in general.  I've only actually seen one, and it was written in VBScript and didn't do much other than change, say, *.mp3 to *.mp3.exe, and replace it with itself.  
Aren't most viruses meant to spread throughout the web so that they can damage more than one computer?
No.  Those are worms.

iago

Virii replicate themselves, by definition, not necessarily spread to different computers.

Adron

Virii typically infect files or boot sectors and require user interaction to be started. Trojans typically don't modify other files, rather just send themselves out in multiple copies. Worms typically spread themselves noninteractively so they can infect a large number of computers even if the operators are sleeping.

iago

Quote from: Adron on November 04, 2003, 04:38 PM
Virii typically infect files or boot sectors and require user interaction to be started. Trojans typically don't modify other files, rather just send themselves out in multiple copies. Worms typically spread themselves noninteractively so they can infect a large number of computers even if the operators are sleeping.

So if the operators stay awake, they're safe!  So lots of coffee = no worms!

Adron

Quote from: iago on November 04, 2003, 05:04 PM
Quote from: Adron on November 04, 2003, 04:38 PM
even if the operators are sleeping.

So if the operators stay awake, they're safe!  So lots of coffee = no worms!

even != only

iago

Quote from: Adron on November 05, 2003, 01:20 PM
Quote from: iago on November 04, 2003, 05:04 PM
Quote from: Adron on November 04, 2003, 04:38 PM
even if the operators are sleeping.

So if the operators stay awake, they're safe!  So lots of coffee = no worms!

even != only

I know :P