CIH and Klez Viruses Scanner


Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame

Environment: MFC/VC+

This utility program will scan for the deadly viruses called CIH and Klez. The utility was completely developed in MFC. It appears as shown in CIHKLEZ.JPG, below.

The utility scans for the viruses, starting with the entry point. The entry point is extracted by walking through the PE file structures. The program recursively searches for the files in all of the sub-directories within a directory. By default, the program searches for *.*, but it can be modified to search specific files.

The signatures of the viruses are coded as KlezSignature and CihSignature, which is a unique sequence of bytes identifying the file as being infected. The Klez virus is a lot wilder and more harmful because it unloads a process doing file operations continuosly and deletes the program performing the "Assumed scanning" for it. It does this to numerous antivirus software programs and it does it to commonly used programs also, such as WinZip. Hence, to avoid deletion of our program, I have written a DLL that safeguards the file in a way that the virus cannot delete it. What I have done is to have this DLL keep our program always open. So, even if the virus unloads the program from memory, it still is open in our DLL; thus, it cannot delete it. The Klez sits in the memory as a service and keeps mutating regularly in different forms.

The signatures have been formed from the entry point. For CIH it has no problems, as it does not dynamically change its signature. But Klez is a little careful; it changes the first 16 bytes of the entry point dynamically. So, I have used the next 16 bytes, which do not change dynamically. Using the basic shell that I have provided in this article, it is possible to include other virus scanners, also. Only a single sub-routine does check for viruses; that is VirusScan, which can be altered for other viruses.

I have provided the complete sources of the DLL and the Scanner.


Download source -- 15 Kb

About the Author

Vinoj Kumar

I have been programming for the past 16 years. I started programming in 1990. I came to Windows in 1993. I have authored a book called, "Classic Utilities Using Assembly Language" , 1995. In my free time I listen a lot to Kenny G sax all the albums and Valentine Classics Songs. I like to watch a lot of TinTin adventure Comics. I am currently working in K7 Computing antivirus company (www.k7computing.com) as Senior Technical Lead. My contact is: Phone: +91 944 411 7353


  • There are no comments yet. Be the first to comment!

  • You must have javascript enabled in order to post comments.

Leave a Comment
  • Your email address will not be published. All fields are required.

Most Popular Programming Stories

More for Developers

RSS Feeds

Thanks for your registration, follow us on our social networks to keep up-to-date