Shoutbox

MD5 Virus Hashes - Printable Version

MD5 Virus Hashes by DJeX on 12-14-2005 at 03:57 AM

How could I get the MD5 hashes of MSN Messenger viruses without actually finding the virus, downloading and running it then hashing the files myself?

Is there a site maybe?


RE: MD5 Virus Hashes by Eljay on 12-14-2005 at 12:03 PM

why would you need to run it to hash it?


RE: MD5 Virus Hashes by Ezra on 12-14-2005 at 01:45 PM

To create a simple virusscanner maybe?

And, I have no idea, sorry...

Tried google?

EDIT: Read Eljay's post wrong :P nvm :d


RE: MD5 Virus Hashes by RaceProUK on 12-14-2005 at 02:02 PM

If you know the type of the virus, do the various anti-virus databases have the hashes?


RE: RE: MD5 Virus Hashes by segosa on 12-14-2005 at 06:28 PM

quote:
Originally posted by raceprouk
If you know the type of the virus, do the various anti-virus databases have the hashes?


I've never seen a single AV database/site tell you the hashes unfortunately.


RE: MD5 Virus Hashes by CookieRevised on 12-14-2005 at 11:10 PM

quote:
Originally posted by Eljay
why would you need to run it to hash it?

Indeed. To calculate a hash you don't need to run anything. Hashes are calculated from data. Running a file and calculating a hash are two totally different and totally unrelated things.

quote:
Originally posted by segosa
quote:
Originally posted by raceprouk
If you know the type of the virus, do the various anti-virus databases have the hashes?

I've never seen a single AV database/site tell you the hashes unfortunately.

Indeed. Because viruses are not detected by "hashes" but by "signatures".

quote:
Originally posted by DJeX
How could I get the MD5 hashes of MSN Messenger viruses without actually finding the virus, downloading and running it then hashing the files myself?

Is there a site maybe?

Having them won't do anything good TBH.

A virus quite often (also MSN Messenger viruses) comes in different flavors. This means you need to have many hashes to identify the same virus. Not to mention it is extremely easy to simply edit 1 single byte in the infected file or virus file and the "hash-detection" wouldn't detect the file at all as a virus.

Also, some viruses infect programs. This means you must have billions of hashes for such a virus.

Viruses are not detected with hashes (well, not in the strict sense). They are detected by signatures. A signature could be a hash, but in almost all cases it is not.

You could use hashes, but the hash would only be calculated from certain bytes within the file, not from all bytes (like 99,99999999% of all (MD5) hashes are calculated). And the location of those bytes quite often is different from infected file to infected file.

In short: it is quite useless to have them....

When I talk about a hash in this post, I mean a hash as calculated by almost all programs, thus from offset 0 to offset <LOF> of the file.


RE: MD5 Virus Hashes by DJeX on 12-14-2005 at 11:14 PM

quote:
Originally posted by CookieRevised
They are detected by signatures.

Ok then tell me how to do this.

RE: RE: MD5 Virus Hashes by CookieRevised on 12-14-2005 at 11:20 PM

quote:
Originally posted by DJeX
quote:
Originally posted by CookieRevised
They are detected by signatures.
Ok then tell me how to do this.

Compare a non-infected file with an infected file. The difference is your virus. Do this for multiple infected files (from the same virus) and the common same bytes are your signature. This is extremely simply explained though, but it is the basic principle.

To make proper signatures, you must be very fluent in hex editing, understanding executable file formats, knowing ASM, etc.. etc.. In other words, you must have a deep knowledge of how programs are executed and stuff. In fact, what you ask is exactly what professional virus companies do ;)
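
The principle from the post above (diff each infected file against its clean copy, then keep the bytes the diffs have in common), as an added example that is not part of the original thread. The sample "programs", the inert marker string and all function names are constructed for illustration, and Python's difflib stands in for manual hex comparison.

```python
import hashlib
from difflib import SequenceMatcher

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def added_bytes(clean: bytes, infected: bytes) -> bytes:
    """Longest run present in the infected file but absent from the clean one."""
    ops = SequenceMatcher(None, clean, infected, autojunk=False).get_opcodes()
    runs = [infected[j1:j2] for tag, _, _, j1, j2 in ops if tag in ("insert", "replace")]
    return max(runs, key=len, default=b"")

def common_run(a: bytes, b: bytes) -> bytes:
    """Longest run of bytes that a and b share."""
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(0, len(a), 0, len(b))
    return a[m.a:m.a + m.size]

def derive_signature(pairs) -> bytes:
    """pairs: (clean, infected) byte strings for several files hit by the same virus."""
    diffs = [added_bytes(clean, infected) for clean, infected in pairs]
    sig = diffs[0]
    for d in diffs[1:]:
        sig = common_run(sig, d)  # keep only what every diff has in common
    return sig

def scan(data: bytes, sig: bytes) -> bool:
    return bool(sig) and sig in data

# Constructed, harmless sample data: three "programs" and an inert marker string.
CORE = b"CONSTRUCTED-DEMO-MARKER"
HOSTS = [b"first host program body", b"second, longer host program body", b"third host"]
PADS = [(b"\x01\x02", b"\x0a"), (b"\x03", b"\x0b\x0c"), (b"\x04\x05\x06", b"\x0d")]
CUTS = [5, 20, 10]  # the marker lands at a different offset in each file

def infect(host: bytes, pad, cut: int) -> bytes:
    return host[:cut] + pad[0] + CORE + pad[1] + host[cut:]

INFECTED = [infect(h, p, c) for h, p, c in zip(HOSTS, PADS, CUTS)]
SIGNATURE = derive_signature(list(zip(HOSTS, INFECTED)))

if __name__ == "__main__":
    known_hashes = {md5_hex(INFECTED[0])}  # whole-file "hash detection"
    for name, data in zip("ABC", INFECTED):
        print(name, "hash hit:", md5_hex(data) in known_hashes, "sig hit:", scan(data, SIGNATURE))
    edited = bytearray(INFECTED[0])
    edited[5] ^= 0xFF  # change one padding byte outside the common run
    print("edited hash hit:", md5_hex(bytes(edited)) in known_hashes,
          "sig hit:", scan(bytes(edited), SIGNATURE))
```
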


RE: MD5 Virus Hashes by DJeX on 12-15-2005 at 12:50 AM

Ahh I see

* DJeX Crosses 'MSN Virus Removal program' off his future programs to code list.

* DJeX Moves on to SpyWare remover... but realises it's almost the same as spy ware *crosses that off list*.