Last updated on March 17th, 2025 at 04:29 pm
Author: Dr.Dr.Strobe & Papa Hacker & Garfield
Size: 2030 bytes. (9 Blocks)
Type: Memory-resident parasitic prepender.
Infects: Commodore 64 Basic files.
Payload: Displays text under certain conditions:
DR.DR.STROBE&PAPA HACKER WAS HERE!
COPROGRAMMER: GARFIELD
HALLO DICKERCHEN, DIES IST EIN ECHTER
VIRUS!
SERIALNO.:3
This description is a cleaned up and shortened summary of the Symantec virus bulletin January 2005:
The BHP virus for Commodore 64 was the first computer virus ever and the first full-stealth file-infecting virus. It was developed by a hacking group, possibly the Bayrische Hacker Post group, in 1986.
The virus was written in Basic and assembler code.
The virus code was built dynamically and placed itself in banked memory, which made it hidden from view.
Once the virus gained control, it placed itself in the block of memory that was normally occupied by the I/O devices when the ROM was banked-in.
The virus hooked several vectors, including ILOAD, ISAVE, MAIN, NMI, CBINV, and RESET, which made it break-proof, reset-proof, and run/stop-restore-proof.
The virus checked whether it was running already by reading a byte from a specific memory location and would copy some code into a low address in non-banked memory if no other copy of the virus was running. The main virus code would be called on every request to load or save a file.
The virus checked whether the payload should activate after any call to ILOAD or ISAVE, and the conditions for the payload activation were that the machine was operating in direct mode, that the seconds field of the jiffy clock was a value from 24 seconds, and that the current scan line of the vertical retrace was at least 128.
The payload was to display a particular text, one character at a time, while cycling the colors of the border.
The serial number that was displayed was the number of times the payload check was called.
It was incremented once after each call, and it was carried in replications.
It reset to zero only after 65,536 calls.
THE C64 VIRUS LIST BY C64 CODEBASE
THE VIRUS WIKI C64 BHP VIRUS PAGE
UPDATE:
We received this comment from what we think it’s the BHP Virus Author :
“Hi,
nearly 30 years ago i wrote the BHP Virus. It is really funny that this piece of code is now a part of the computer history. It was only a bet between me and the founder of the chaos computer club, who asserted that it is not possible to write a computer virus on a 8 bit machine, due the lack of network.
Greetings,
Stefani”
Making a Virus Scanner – info needed
as some of you might know i made a little util to scan the disks i transfered
for errors (D64scan v0.2, http://noname.c64.org/csdb/release/?id=43862).i thought it would be a useful feature to add virus detection (and possibly
elimination) to that tool aswell…so the question is, who has detailed info on that subject? useful info would be
– what virii do exist
– how did said virii work
– what are existing scanners/cleaners, and how do they work
– how do those virii “initially” install…etc.
at the very least, i’d need a bunch of “infected” disks (or well, d64s of them),
but ofcourse any further info would make things a lot easier :)the following is a work in progress list of info that i could locate so far.
if you have anything to share that isnt mentioned in this list yet, (especially
virus programs, and scanners/killers) don’t hesitate to send me a mail also if
you feel like adding more comments to one of the disassemblies, feel free to do
so, all help is welcomed!——————————————————————————
=============================================
Commodore C64 Virus List v0.2, last updated 09/06/2007 (w) groepaz/hitmen
=============================================
——————————————————————————=============================================
Programs that qualify as “Real” Virus
=============================================BHP-Virus
———Author: Dr.Dr.Strobe & Papa Hacker & Garfield
Size: 2030 bytes. (9 Blocks)
Type: Memory-resident parasitic prepender.
Infects: Commodore 64 Basic files.
Payload: Displays text under certain conditions:DR.DR.STROBE&PAPA HACKER WAS HERE!
COPROGRAMMER: GARFIELDHALLO DICKERCHEN, DIES IST EIN ECHTER
VIRUS!SERIALNO.:2
Removal:
first virus for the C64 ever, often said to be _the_ first virus in computer
history ever (which is not true, there were others before for cp/m, the apple 2e
etc).9 “bhp virus.prg” prg
#############################################
Other Commodore64 Viruses
HIV-Virus
———
Author: Rogue/The Cultprobably the most known and widespread virus on the C64.
21 “hiv virus /cult” prg (turbo copy infected with hiv)
3 “hiv-virus” prg
########################
HIV2-Virus
———-Author: Crossbow/Crest
this is an “optimized” version of the HIV Virus. according to crossbow he never
released it into “the wild”, however according to others it is “out there”.HIV-EXPERT V2.0.prg (hiv expert 1.0 infected with HIV2)
crossbow comments on this one:
“here is my virus, it’s contained in the scanner for HIV 1. it scanns the disk for
HIV1 (and removes it when it is found) but infects with HIV2. the virus does not use
track 18 for itself (like HIV1), but track 19. that way the HIV1 scanner can not find
it – but it will likely destroy other programs.”#################
BULA Virus
———-aka: BULA Virus
Author: ?
4 “bu\a 6.13 /virus” prg
4 “bu\a 8.32 /virus” prg(note: the \ in the filename is supposed to be the pound sign)
MD-Virus
——–aka: Magic Disk Virus
Author: ?
8 “md!-virus” prg
29 “mdv-source” prg
44 “mdv-source.asc” seq###################
Starfire-Virus
————–Author: ?
2 “starfire virus” prg
description by Quetzal:
That virus worked by scanning the directory for uninfected programs, grabbing
the track + sector link to said prg and replacing it with a T+S link to a copy
of the virus (which allocated each copy of itself 2 sectors on the disk more
or less at random, thus REALLY screwing up files at times), the original T+S
link was placed in the 2nd sector of the virus, so the original prg was then
appended after it. Next time that prg was run, after the virus finished its
work, a simple memory move to $0801 and a RUN, started the main prg. Can’t
recall exactly, but I think it also patched various vectors such as LOAD,
RUNSTOP/RESTORE etc, giving more chances to be activated, this seems to be a
common idea in C64 virus.##############
FROG-Virus
———-Author: Kobold/Frogs
this one is kinda nasty, it installs the infection routine in a fastcrueled
program, and thus is a lot harder to scan for than for other virii (the
infected program must be unpacked to check for the infection routine)38 “fastcruel4.0+frg” prg
#############
Coder-Virus
———–Author: ?
(currently only found a scanner/remover for this one, not the actual virus.
there is a small chance that its a fake. need to analyze the scanner, however
it is a basic-boss compiled program which is almost impossible to read without
a lot of effort, so that has to wait – finding the virus itself would save a
LOT of work!)===========================================
Virus-Acanners and -Killers
===========================================BHP-Virus
———11 “tdf virus killer” prg “BHP Virus Killer” by T.D.F.
HIV-Virus
———4 “hiv scaner /cult” prg “hiv virus scaner” by Cliff/The Cult/WOW
42 “hiv warning/cult” prg usage/warning note
24 “hiv-expert v1.00” prg “hiv-expert v1.00” by Rico/Nipson
5 “hiv-virus-ki.prg” prg “Virus Killer 1.0” by Jer/Panic Design1 “hiv-virus-scann.” prg “HIV Virus File Scan v1”
9 “poopoopoopoopoop” prg5 “hiv-virus-killer” prg “Virus Killer 1.0” by Jer/Panic Design
HIV-Finder “HIV Finder v2.2” by Gringo
Starfire-Virus
————–6 “star killer v1.0” prg “star killer v1.0” by Quetzal/Chrome (Daniel Martin)
MD-Virus
——–11 “protector” prg “Magic Disk Virus Protector V2.0”
Coder-Virus
———–29 “coder-virus kill” prg “Coder Virus Killer v0.9” by Pumpkin/Lower Level
43 “noter to coder v” prg usage/warning noteothers/generic (?)
————–Virus Killer “Virus Killer” by Raven Softworks
Virus Killer v1.1 “Virus Killer v1.1” by The Atomic Two Industries
6 “virus kill. v2.4” prg “Virus Killer v2.4” by Exen/Fatum
==============================================
Offtopic: pranks and fakes and other generally harmless programs
==============================================the following programs are listed to avoid confusion with “real” virii. they
are all 100% harmless (promised).Antivirus V4.0
————–Quetzal comments on this one: “This is a well designed fake. The code for
“checking” for a virus consists of randomly choosing from the list of available
viruses – most of which I doubt ever existed.”29 “antivirus v4.0” prg “Antivirus V4.0” by JTX
WAG-Virus
———Author: Matthias Weber, released by CSD and Magic Disk
not a real virus (it does not infect other programs/disks). this is a prank
program released on magic disk.50 “wag-virus” prg
10 “sample 0a” prg
32 “sample 0b” prg
17 “sample 0c” prg
41 “sample 0d” prg
28 “sample 0e” prg
11 “sample 0f” prg
6 “sample 0g” prg
31 “sample 0h” prg
41 “sample 0i” prg
48 “sample 0j” prg2 “wag virus-killer” prg
Kaufhaus-Demo
————-aka: Karstadt Demo
Author: ?
not a real virus (it does not infect other programs/disks). this is a prank
program released by an unknown author
End.
