Virus remover/scanner

    Question

  • ok.. I want to make a virus remover/scanner that deletes files and scans for viruses.. Just reply if you know some code or if you have a project.
    VB2008/2010.. Helper!
    Thursday, September 24, 2009 11:17 AM

Answers

  • Hi,

    I do not have projects to share, and my projects are written in C#.
    However, I've answered such questions before, check out my previous
    reply below:
    http://social.msdn.microsoft.com/Forums/en-US/windowssecurity/thread/1b23cadf-aa7e-44fe-9f35-01d3d6561d10

    To build only a virus removal tool, you need to know what such a tool is!

    What is a Virus Removal Tool?
    A virus removal tool is a tool specially designed to scan-and-remove
    a specific "virus type", which means that you must build an
    AV-program which will only search for a specific infection, through MD5-hash or SHA-hash.
        

    I hope this information was helpful...

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    • Marked as answer by Jeff Shan Thursday, October 1, 2009 1:35 AM
    Thursday, September 24, 2009 11:37 AM
  • Hi again:

    I have some more details on what I told you before: the MD5-hashes or SHA-hashes are known as "checksums". The smartest thing you can do, which I've done on my antivirus, is to make byte segments of files. This means the scan engine will split the files into segments, and since you only scan for one specific (because you wanted to make a Virus Removal Tool), you just make a built-in database which will become “hard-coded”. Anyway, the system works like this. You use an advanced HEX-editor, and you have only one specific virus infection (let’s say: “Win32_@Virus”); then, when you know the byte sequence of that specific part in the HEX-data, you’ll have to make an MD5-hash or a SHA-hash of only that specific part. Why? Because that specific part will be the code which will perform the “infection” on a specific file-type on the computer system. However, by having that specific hash of that specific hex-line data, you can prevent this: since the scan engine will split the file bytes into segments, this allows you to check each hashed segment against that original “virus” hash (See Figure 1.1, below).


    Figure 1.1: Here we have a file, typically, 2,560,000 bytes. We have now split this number into seven segments,
    each segment represents an amount of bytes, and now each of these memory boxes gets hashed using the MD5-hash 
    algorithm. Next, each of the MD5-hashes will get checked against the "virus" checksum, or MD5-hash.    

    I hope this information was helpful…

    Have a nice day…

    Best regards,
    Fisnik       


    Coder24.com
    • Edited by Fisnik Hasani Friday, September 25, 2009 9:29 AM Added Memory segment picture
    • Marked as answer by Jeff Shan Thursday, October 1, 2009 1:35 AM
    Friday, September 25, 2009 6:16 AM
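
The segment-hash check described in the post above, written out as an added example (it is not Fisnik's code and not part of the original thread). The signature bytes, function names and sample files are constructed for illustration; the example also goes one step beyond the post by adding a sliding-window variant, because back-to-back segments only match when the signature starts exactly on a segment boundary.

```python
import hashlib

# Constructed placeholder bytes standing in for the byte sequence picked
# out in a hex editor; they are not taken from any real sample.
SIGNATURE_BYTES = bytes.fromhex("deadbeef0badf00dcafebabe8badf00d")
SIG_LEN = len(SIGNATURE_BYTES)
# The hard-coded "database": one MD5 checksum of that byte sequence.
SIGNATURE_MD5 = hashlib.md5(SIGNATURE_BYTES).hexdigest()


def scan_fixed_segments(data: bytes, seg_len: int = SIG_LEN) -> list[int]:
    """Split data into back-to-back segments, hash each one, and return
    the offsets of segments whose MD5 equals the signature checksum."""
    hits = []
    for off in range(0, len(data), seg_len):
        if hashlib.md5(data[off:off + seg_len]).hexdigest() == SIGNATURE_MD5:
            hits.append(off)
    return hits


def scan_sliding_window(data: bytes, seg_len: int = SIG_LEN) -> list[int]:
    """Hash every seg_len-byte window, so a match does not depend on
    where the signature sits. Written for clarity, not for speed."""
    hits = []
    for off in range(0, len(data) - seg_len + 1):
        if hashlib.md5(data[off:off + seg_len]).hexdigest() == SIGNATURE_MD5:
            hits.append(off)
    return hits


def build_sample(prefix_len: int) -> bytes:
    """Constructed test file: filler, the signature bytes, more filler."""
    return b"\x90" * prefix_len + SIGNATURE_BYTES + b"\x00" * 64


if __name__ == "__main__":
    aligned = build_sample(32)   # 112 bytes = seven 16-byte segments
    shifted = build_sample(37)   # signature straddles two segments
    print("aligned, fixed segments:", scan_fixed_segments(aligned))
    print("shifted, fixed segments:", scan_fixed_segments(shifted))
    print("shifted, sliding window:", scan_sliding_window(shifted))
```

Both scanners compare exact checksums, so they report a hit only when every byte of the window is identical to the stored signature bytes.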
  • Hi G Peter:

    I am back with more updates. I’ve been analyzing the Aids (Malware name “HLLPo-Number 1-A”) virus HEX-data and its original source code.


    Fig 1:5: The original Aids virus source code, it's written in Pascal.

    Now, as I did a scan with Avast Antivirus Free Edition, it alerted me that the file is infected.
    I agree, because the file is a virus itself.


    Fig 2:5: Avast alerting that the AIDS.COM file is infected.

    Now to put this in perspective, I analyzed the virus HEX data.


    Fig 3:5: EA is the virus infection area which Avast detects.

    Now, I deleted that, and I saved the file and re-scanned with Avast.


    Fig 4:5: I deleted the EA HEX value, and I saved the file.


    Fig 5:5: A re-scan using Avast. Avast does not find any infections in the file.

    You can download the virus and its source code for researchers only.
    Download from this page: http://vx.netlux.org/src_view.php?file=aids.zip

    Note: The above link will NOT execute the *.zip, it will take you to a page with details about
    the virus (details provided by the author).

    I hope this information helps...

    You can try it....

    Have a nice day...

    Best regards,
    Fisnik 


    Coder24.com
    • Marked as answer by Jeff Shan Thursday, October 1, 2009 1:35 AM
    Tuesday, September 29, 2009 8:54 AM

All replies

  • Hi again:

    If you have other questions feel free to ask!

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Thursday, September 24, 2009 5:11 PM
  • kill_Bronkok is the name of the virus;
    you can download the source code from here!

    It gives you an idea of how to make it!

    http://social.msdn.microsoft.com/Forums/en-US/vbgeneral/thread/4ddeafe1-d2df-4d19-9737-abc5e3b4c76b

    • Edited by Shariq Ayaz Thursday, September 24, 2009 7:21 PM
    Thursday, September 24, 2009 6:29 PM
  • but Coder24.com's help is better
    Thursday, September 24, 2009 6:33 PM
  • kill_Bronkok is the name of the virus;
    you can download the source code from here!

    It gives you an idea of how to make it!

    http://www.codeproject.com/KB/cs/Kill_Brontok.aspx


    @ ShariqDON, OP is already aware of that link. You reposted the link that I posted in the OP's previous thread http://social.msdn.microsoft.com/Forums/en-US/vbgeneral/thread/4ddeafe1-d2df-4d19-9737-abc5e3b4c76b

    kaymaf
    I hope this helps, if that is what you want, just mark it as answer so that we can move on
    Thursday, September 24, 2009 7:13 PM
  • You'll be glad to see! I edited my post

    Thursday, September 24, 2009 7:22 PM
  • but Coder24.com's help is better

    Hi ShariqDON:

    Thanks!

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Saturday, September 26, 2009 4:35 PM
  • Hi G Peter:

    If you need help, then feel free to ask.
    I hope you can wait, and I will update
    you with some more details, from my
    experiences.

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Saturday, September 26, 2009 8:17 PM
  • Hi, I'm also working with C# to build an AV, so can you send me that project, or if not the full project, at least a part of it where you have designed a virus search engine? I'm actually working on an antivirus for a network, for which I'll have to develop an AV search engine, and I'm actually short of time and I can't start from scratch to develop the search engine.

    thank you in advance

    Monday, March 5, 2012 4:32 PM