A virus removal program can be built from knowledge of the infection process. The simplest variant is:
1. Identify the infection.
2. Determine the size of the inserted virus code (it must be known).
3. Extract the original program to a temp file.
4. Rename the temp file to the original name.
  Infection <-------------------------------------------------------+
+---------------------------+----------------------------------+    |
|                           |                                  |    |
|           Virus           |         Original program         |    |
|                           |                                  |    |
+---------------------------+----------------------------------+    |
                            +----------------+-----------------+    |
+-------------------------->                 |                      |
    Required code shift                      |                      |
                                             | Extraction           | Erase
                                             |                      |
                            +----------------v-----------------+    |
                            |                                  |    |
                            |            Temp file             |    |
                            |                                  |    |
                            +----------------+-----------------+    |
                                             +----------------------+
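Removal program code in bash:
#!/bin/bash
# Size of the virus code that precedes the original program
VIRUS_SIZE=10710
# Trailing bytes after the original program that are not copied back
MAGIC_SIZE=4
INFECTED=$1
if [ -z "$INFECTED" ]; then
    echo "Usage: $0 <infected file>"
    exit 1
fi
# Size of the infected file in bytes
INFECTED_SIZE=$(wc -c < "$INFECTED")
ORIG_SIZE=$((INFECTED_SIZE - VIRUS_SIZE - MAGIC_SIZE))
echo "Size of the virus: $VIRUS_SIZE"
echo "Size of the original program: $ORIG_SIZE"
# Keep the infected copy, then copy the ORIG_SIZE bytes that follow the virus
mv "$INFECTED" "$INFECTED.vx"
dd if="$INFECTED.vx" of="$INFECTED" count="$ORIG_SIZE" skip="$VIRUS_SIZE" bs=1
# Give the restored file the permissions of the infected one
chmod --reference="$INFECTED.vx" "$INFECTED"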
Create the file clean.sh and paste the given code.
$ wget http://zeus.fei.tuke.sk/bps3r/clean.sh
Set the virus size.
$ ls -l ./virus
===>>> size
$ mcedit clean.sh
VIRUS_SIZE=size
Set the file permissions.
$ chmod +x clean.sh
Test the virus removal.
$ ./clean.sh ./test/date
Run 'date'.
$ ./test/date
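The removal script above does not implement the "identify infection" step and would truncate a clean file. The following version is an added example, not part of the original page: it checks for the trailing marker before touching the file and verifies the result on a constructed sample. The marker value VX01 and the function names are assumptions; the page gives only the marker size.

```shell
#!/bin/sh
# Added example. Assumed layout: [virus][original program][4-byte marker].
MAGIC="VX01"      # assumption: constructed marker; the page gives only its size
MAGIC_SIZE=4

# Succeeds only if FILE can hold virus + marker and ends with the marker.
is_infected() {   # is_infected FILE VIRUS_SIZE
    size=$(( $(wc -c < "$1") ))
    [ "$size" -gt $(( $2 + MAGIC_SIZE )) ] || return 1
    [ "$(tail -c "$MAGIC_SIZE" "$1")" = "$MAGIC" ]
}

# Copy the bytes between the virus body and the marker to OUT.
extract_original() {   # extract_original FILE VIRUS_SIZE OUT
    size=$(( $(wc -c < "$1") ))
    tail -c "+$(( $2 + 1 ))" "$1" | head -c "$(( size - $2 - MAGIC_SIZE ))" > "$3"
}

# Returns 0 = cleaned, 1 = error, 2 = no infection found (file untouched).
clean() {   # clean FILE VIRUS_SIZE
    is_infected "$1" "$2" || { echo "$1: no infection marker, skipped" >&2; return 2; }
    tmp=$(mktemp "$1.XXXXXX") || return 1
    extract_original "$1" "$2" "$tmp" || { rm -f "$tmp"; return 1; }
    cp -p "$1" "$1.vx" || { rm -f "$tmp"; return 1; }   # keep the infected copy
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Constructed sample: 64 filler bytes stand in for the virus body.
demo() {
    d=$(mktemp -d) || return 1
    printf 'original program bytes\n' > "$d/orig"
    { head -c 64 /dev/zero | tr '\0' 'V'; cat "$d/orig"; printf '%s' "$MAGIC"; } > "$d/date"
    clean "$d/date" 64 && cmp -s "$d/date" "$d/orig" && echo "restored: identical to original"
    rc=$?; rm -rf "$d"; return $rc
}
demo
```

Reading the payload with tail and head avoids the one-byte-at-a-time copy of dd with bs=1, and a second run on an already cleaned file returns 2 instead of cutting it down further.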