CIH and Klez Viruses Scanner


Written By
CodeGuru Staff
Jun 4, 2002

Environment: MFC/VC++

This utility program will scan for the deadly viruses called CIH and Klez. The utility was completely developed in MFC. It appears as shown in CIHKLEZ.JPG, below.

The utility scans for the viruses starting at the entry point of each executable. The entry point is extracted by walking through the PE file structures. The program recursively searches all of the sub-directories beneath the starting directory. By default, the program searches for *.*, but it can be modified to search for specific files.

The signatures of the viruses are coded as KlezSignature and CihSignature, each a unique sequence of bytes identifying a file as infected. The Klez virus is a good deal wilder and more harmful: it continuously unloads any process that is doing file operations and deletes the program it assumes is scanning for it. It does this to numerous antivirus programs, and to commonly used programs such as WinZip as well. Hence, to keep our program from being deleted, I have written a DLL that safeguards the file so that the virus cannot delete it. What the DLL does is keep our program's file open at all times. So, even if the virus unloads the program from memory, the file is still held open by our DLL and thus cannot be deleted. Klez sits in memory as a service and keeps mutating regularly into different forms.

The signatures have been formed from the bytes at the entry point. For CIH this poses no problem, as it does not change its signature dynamically. Klez is a little more careful: it changes the first 16 bytes at the entry point dynamically, so I have used the next 16 bytes, which do not change. Using the basic shell provided in this article, it is possible to include other virus scanners as well. Only a single subroutine, VirusScan, does the actual check for viruses, and it can be altered for other viruses.
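As an added illustration of the two ideas above (walking the PE headers to the entry point, then comparing a signature at a fixed distance past it), here is a small, self-contained C++ example. It is not code from the article's download and does not reproduce its VirusScan routine or its KlezSignature/CihSignature bytes: the 16-byte signature, the one-section PE32 image it scans, and the helper names (entryPointFileOffset, matchesAtEntry, buildSampleImage) are all constructed here for the demonstration. Every header read is bounds-checked, since a scanner that trusts e_lfanew or a section table blindly can be made to read past the end of a malformed file.

```cpp
#include <algorithm>
#include <array>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical, constructed 16-byte signature for this demonstration only;
// it is NOT the article's CihSignature or KlezSignature.
constexpr size_t kSigLen = 16;
using Signature = std::array<uint8_t, kSigLen>;
const Signature kDemoSignature = {0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7,
                                  0xA8, 0xA9, 0xAA, 0xAB, 0xAC, 0xAD, 0xAE, 0xAF};

// Bounds-checked little-endian reads: a truncated or hostile file must never
// make the scanner read outside the buffer.
static bool rd16(const std::vector<uint8_t>& b, size_t off, uint16_t& v) {
    if (off + 2 > b.size()) return false;
    v = static_cast<uint16_t>(b[off] | (b[off + 1] << 8));
    return true;
}
static bool rd32(const std::vector<uint8_t>& b, size_t off, uint32_t& v) {
    if (off + 4 > b.size()) return false;
    v = uint32_t(b[off]) | (uint32_t(b[off + 1]) << 8) |
        (uint32_t(b[off + 2]) << 16) | (uint32_t(b[off + 3]) << 24);
    return true;
}

// Walk DOS header -> "PE\0\0" -> COFF header -> optional header -> section table,
// and translate AddressOfEntryPoint (an RVA) into a file offset.
// Returns -1 for anything that is not a well-formed PE image.
long entryPointFileOffset(const std::vector<uint8_t>& img) {
    uint16_t mz = 0; uint32_t lfanew = 0, sig = 0;
    if (!rd16(img, 0, mz) || mz != 0x5A4D) return -1;              // "MZ"
    if (!rd32(img, 0x3C, lfanew)) return -1;                        // e_lfanew
    if (!rd32(img, lfanew, sig) || sig != 0x00004550) return -1;    // "PE\0\0"
    const size_t coff = lfanew + 4;                                 // IMAGE_FILE_HEADER
    uint16_t nSections = 0, optSize = 0;
    if (!rd16(img, coff + 2, nSections) || !rd16(img, coff + 16, optSize)) return -1;
    const size_t opt = coff + 20;                                   // IMAGE_OPTIONAL_HEADER
    uint32_t entryRva = 0;
    if (!rd32(img, opt + 16, entryRva)) return -1;                  // AddressOfEntryPoint
    size_t sect = opt + optSize;                                    // IMAGE_SECTION_HEADER[0]
    for (uint16_t i = 0; i < nSections; ++i, sect += 40) {
        uint32_t va = 0, rawSize = 0, rawPtr = 0;
        if (!rd32(img, sect + 12, va) || !rd32(img, sect + 16, rawSize) ||
            !rd32(img, sect + 20, rawPtr)) return -1;
        if (entryRva >= va && entryRva - va < rawSize)              // entry inside raw data
            return static_cast<long>(rawPtr + (entryRva - va));
    }
    return -1;                                                      // entry outside all sections
}

// Compare the signature with the bytes `skip` bytes past the entry point:
// skip = 0 for a virus whose entry bytes are fixed, skip = 16 for one that
// rewrites its first 16 entry bytes, as the article describes for Klez.
bool matchesAtEntry(const std::vector<uint8_t>& img, const Signature& sig, size_t skip) {
    long ep = entryPointFileOffset(img);
    if (ep < 0) return false;
    size_t off = static_cast<size_t>(ep) + skip;
    if (off + kSigLen > img.size()) return false;
    return std::memcmp(img.data() + off, sig.data(), kSigLen) == 0;
}

// Constructed sample: a 1 KiB buffer laid out like a one-section PE32 image,
// with `code` placed at the section's raw data, which is also the entry point.
// It is not a real executable and cannot run.
std::vector<uint8_t> buildSampleImage(const std::vector<uint8_t>& code) {
    std::vector<uint8_t> img(0x400, 0);
    auto put32 = [&](size_t off, uint32_t v) {
        for (int i = 0; i < 4; ++i) img[off + i] = static_cast<uint8_t>(v >> (8 * i));
    };
    img[0] = 'M'; img[1] = 'Z';
    put32(0x3C, 0x80);                   // e_lfanew
    put32(0x80, 0x00004550);             // "PE\0\0"
    img[0x86] = 1;                       // NumberOfSections = 1
    img[0x94] = 0xE0;                    // SizeOfOptionalHeader = 224 (PE32)
    img[0x98] = 0x0B; img[0x99] = 0x01;  // Magic = 0x10B (PE32)
    put32(0xA8, 0x1000);                 // AddressOfEntryPoint = RVA 0x1000
    put32(0x184, 0x1000);                // section VirtualAddress
    put32(0x188, 0x200);                 // section SizeOfRawData
    put32(0x18C, 0x200);                 // section PointerToRawData
    if (!code.empty())
        std::memcpy(img.data() + 0x200, code.data(), std::min<size_t>(code.size(), 0x200));
    return img;
}

int main() {
    // Two "infected" samples differing only in the 16 mutable bytes before the
    // stable signature, plus a clean sample; all constructed, none real.
    std::vector<uint8_t> a(16, 0x90), b(16, 0xCC), clean(32, 0x00);
    a.insert(a.end(), kDemoSignature.begin(), kDemoSignature.end());
    b.insert(b.end(), kDemoSignature.begin(), kDemoSignature.end());
    std::printf("a: %d  b: %d  clean: %d\n",
                matchesAtEntry(buildSampleImage(a), kDemoSignature, 16),
                matchesAtEntry(buildSampleImage(b), kDemoSignature, 16),
                matchesAtEntry(buildSampleImage(clean), kDemoSignature, 16));
    return 0;
}
```

The section lookup deliberately tests the entry RVA against SizeOfRawData rather than VirtualSize, because the scanner reads bytes from the file on disk, not from a mapped image; an entry point that points into uninitialised (virtual-only) data has no bytes to compare. The article's recursive directory walk is done with MFC; in standard C++ the equivalent would be iterating with std::filesystem::recursive_directory_iterator and passing each file's contents to matchesAtEntry.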

I have provided the complete sources of the DLL and the Scanner.

Downloads

Download source — 15 Kb
