Virtual Developer Workshop: Containerized Development with Docker

Environment: MFC/VC+

This utility program will scan for the deadly viruses called CIH and Klez. The utility was completely developed in MFC. It appears as shown in CIHKLEZ.JPG, below.

The utility scans for the viruses, starting with the entry point. The entry point is extracted by walking through the PE file structures. The program recursively searches for the files in all of the sub-directories within a directory. By default, the program searches for *.*, but it can be modified to search specific files.

The signatures of the viruses are coded as KlezSignature and CihSignature, which is a unique sequence of bytes identifying the file as being infected. The Klez virus is a lot wilder and more harmful because it unloads a process doing file operations continuosly and deletes the program performing the "Assumed scanning" for it. It does this to numerous antivirus software programs and it does it to commonly used programs also, such as WinZip. Hence, to avoid deletion of our program, I have written a DLL that safeguards the file in a way that the virus cannot delete it. What I have done is to have this DLL keep our program always open. So, even if the virus unloads the program from memory, it still is open in our DLL; thus, it cannot delete it. The Klez sits in the memory as a service and keeps mutating regularly in different forms.

The signatures have been formed from the entry point. For CIH it has no problems, as it does not dynamically change its signature. But Klez is a little careful; it changes the first 16 bytes of the entry point dynamically. So, I have used the next 16 bytes, which do not change dynamically. Using the basic shell that I have provided in this article, it is possible to include other virus scanners, also. Only a single sub-routine does check for viruses; that is VirusScan, which can be altered for other viruses.

I have provided the complete sources of the DLL and the Scanner.


Download source -- 15 Kb

About the Author

Vinoj Kumar

I have been programming for the past 16 years. I started programming in 1990. I came to Windows in 1993. I have authored a book called, "Classic Utilities Using Assembly Language" , 1995. In my free time I listen a lot to Kenny G sax all the albums and Valentine Classics Songs. I like to watch a lot of TinTin adventure Comics. I am currently working in K7 Computing antivirus company (www.k7computing.com) as Senior Technical Lead. My contact is: Phone: +91 944 411 7353


  • virus scanner

    Posted by Legacy on 01/14/2004 08:00am

    Originally posted by: Duncan Railton

    Hi Vinoj Kumar

    If you need good hex signature strings for the klez worm /virus I can send these to you. I have been writing virus/anti virus programs for sometime now and have extracted what seems to be a good scan "string" . I get no false positives with it.

    May I also suggest in ignoring the entry points as some viruses have entry points, pointing to entry points that do not do anything.



  • ahahah

    Posted by Legacy on 04/22/2003 07:00am

    Originally posted by: Ntoskrnl

    This software is totally wrong, you can not base your scan on a small signature of the vc++ standard entry-point code, because some exes have the same signature and are not infected, for the cih it's ok because it's compiled in asm (and so it has not a standard entry-point code), but klez was written in vc++ .... To do a correct scan you must get some characteristic part of the code.

  • Junk Soft, The guy just compare some "100101001" within EXE

    Posted by Legacy on 12/09/2002 08:00am

    Originally posted by: Programmer

    Unfortunately, Arcobat Reader contains this serials of 100101001, so it is almost useless, the virual have a lot of sub-types.......

  • HAhaha

    Posted by Legacy on 06/25/2002 07:00am

    Originally posted by: D'Whizz

    Adobe Acrobat version 5.0 (oct '01) is affected with Klez '32, apparently. It's on the original CD from Adobe - now that HAS to be bad for business!

  • Sorry you Scanner is Giving wrong results.

    Posted by Legacy on 06/12/2002 07:00am

    Originally posted by: oOIIEONOo

    ive scanned my system. and it saying files are infected. and ive also scanned a Microsoft MSDN DVD Rom. and what did i find files are infected. arrgghh!!!.. i think there is a fault with your program.

  • eh, before you use this and have a heart attack....

    Posted by Legacy on 06/06/2002 07:00am

    Originally posted by: Bart

    i compiled this "virus scanner" and used it and it detected 300 files infected with the Klez virus.

    whoa! i freaked out! so ofcourse i wanted to clean it.

    i googled "fix klez" and got this page:


    symantec is the leader in virus removal, so i tried their program.

    i followed their directions i.e. run in safe mode, detach from network, etc.

    after going through symantec's routines, the message i got was: "Klez was not found on your computer"

    this program may work, i dont know. But before trusting it, try the above link.

    It's a good example none-the-less if you want to know how to search for files and what not.


  • s

    Posted by Legacy on 06/05/2002 07:00am

    Originally posted by: sayem

    hi , i want some virus and hook coding in c from you

  • Picks up non infected

    Posted by Legacy on 06/05/2002 07:00am

    Originally posted by: Eric Sanders

    I compiled and ran this and found 117 infected files, including one of my own small applications. I recompiled the app and it was still earmarked as having the KLEZ virus. I run Norton Antivirus and it said the system was clean. It looks like those 16 bytes may appear in non-infected files as well.
    I enjoyed looking at your implementation non-the-less, thank you!

    Eric Sanders

  • You must have javascript enabled in order to post comments.

Leave a Comment
  • Your email address will not be published. All fields are required.

Most Popular Programming Stories

More for Developers

RSS Feeds

Thanks for your registration, follow us on our social networks to keep up-to-date