quote:
Originally posted by Eljay
why would you need to run it to hash it?
Indeed. To calculate a hash you don't need to run anything. Hashes are calculated from data. Running a file and calculating a hash are two totally different and totally unrelated things.
quote:
Originally posted by segosa
quote:
Originally posted by raceprouk
If you know the type of the virus, do the various anti-virus databases have the hashes?
I've never seen a single AV database/site tell you the hashes unfortunately.
Indeed. Because viruses are not detected by "hashes" but by "signatures".
quote:
Originally posted by DJeX
How could I get the MD5 hashes of MSN Messenger viruses without actually finding the virus, downloading and running it, then hashing the files myself?
Is there a site maybe?
Having them won't do anything good TBH.
A virus quite often (also MSN Messenger viruses) comes in different flavors. This means you need to have many hashes to identify the same virus. Not to mention it is extremely easy to simply edit 1 single byte in the infected file or virus file and the "hash-detection" wouldn't detect the file at all as a virus.
Also, some viruses infect programs. This means you must have billions of hashes for such a virus.
Viruses are not detected with hashes (well, not in the strict sense). They are detected by signatures. A signature could be a hash, but in almost all cases it is not.
You could use hashes, but the hash would only be calculated from certain bytes within the file, not from all bytes (like 99,99999999% of all (MD5) hashes are calculated). And the location of those bytes quite often is different from infected file to infected file.
In short: it is quite useless to have them....
When I talk about a hash in this post, I mean a hash as calculated by almost all programs, thus from offset 0 to offset <LOF> of the file.
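
Added example (not part of the original post): a small Python comparison of the three detection approaches discussed above, a whole-file MD5, a byte-sequence signature, and a hash over selected bytes found at a variable offset. All sample data, the marker string, and the function names are constructed for illustration; nothing here is a real signature or a real scanner's format.

```python
import hashlib

# Constructed, harmless stand-in for the bytes a scanner keys on.
MARKER = b"EXAMPLE-MARKER-BYTES-0001"
ANCHOR = MARKER[:4]            # cheap prefix used to locate candidate regions
REGION_LEN = len(MARKER)
REGION_MD5 = hashlib.md5(MARKER).hexdigest()

# Two constructed "flavors" carrying the same marker at different offsets,
# plus a clean file that does not contain it.
SAMPLE_A = b"MZ" + b"\x00" * 62 + MARKER + b"padding-A"
SAMPLE_B = b"MZ" + b"\x01" + b"\x00" * 200 + MARKER + b"padding-B"
CLEAN = b"MZ" + b"\x00" * 300

def full_md5(data: bytes) -> str:
    """Hash from offset 0 to end of file, as most tools compute it."""
    return hashlib.md5(data).hexdigest()

# A hash "database" that only knows flavor A.
KNOWN_FULL_HASHES = {full_md5(SAMPLE_A)}

def hash_match(data: bytes) -> bool:
    return full_md5(data) in KNOWN_FULL_HASHES

def signature_offset(data: bytes) -> int:
    """Byte-sequence signature: offset of the marker, or -1 if absent."""
    return data.find(MARKER)

def region_hash_match(data: bytes) -> bool:
    """Hash only selected bytes; their location varies from file to file."""
    start = data.find(ANCHOR)
    while start != -1:
        region = data[start:start + REGION_LEN]
        if hashlib.md5(region).hexdigest() == REGION_MD5:
            return True
        start = data.find(ANCHOR, start + 1)
    return False

def one_byte_edit(data: bytes) -> bytes:
    """Flip the last byte, which lies outside the marker region."""
    edited = bytearray(data)
    edited[-1] ^= 0xFF
    return bytes(edited)

if __name__ == "__main__":
    for name, blob in [("A", SAMPLE_A), ("A, 1 byte edited", one_byte_edit(SAMPLE_A)),
                       ("B", SAMPLE_B), ("clean", CLEAN)]:
        print(f"{name:18} full-hash={hash_match(blob)!s:5} "
              f"sig@{signature_offset(blob):<4} region-hash={region_hash_match(blob)}")
```
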