delphi3000.com - the free delphi knowledge platform
Making your own anti-virus
Prevent Love-Letter and other viruses by yourself.

Product: Delphi all versions
Category: Security
Last Update: 09/06/2001
Search Keys: delphi delphi3000 article borland vcl code-snippet Virus VB_Script
Times Scored: 34
Visits: 12295
Uploader: Rafael Ribas Aguiló
Company: SEF-RJ
Reference: www.facilities.com.br

Question/Problem/Abstract:
How to be up to date against VBScript viruses?
Just make your own anti-virus! With Delphi, of course.
Answer:



{
Making your own anti-virus for VB-Script files.

How to be up to date against VBScript viruses?
Just make your own anti-virus! With Delphi, of course.

The technique is based on the Windows registry and on the way file-association hooks work:

A VBScript is a text file that is interpreted by a program called WScript.exe, and all
.vbs files are opened by this program. This is accomplished by a registry file association
at HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command.

The key idea is to hook this file execution by changing the original registry value, which
points to WScript.exe, so that it points to our AntiVBS.exe instead. The original command is
kept in a value named "Old" under the same key, so it can be restored later.

Now when Windows tries to open a VBS file it calls our program instead, passing the VBS
file path as a parameter. As we now have control, we open the VBS file, read its text and
try to identify a virus mark. If a virus mark is found we warn the user that this file has
a virus; otherwise we pass the parameter on to the original program, running it with the
WinExec API call (don't use ShellExecute!!! ShellExecute would consult the .vbs association
again, which now points at AntiVBS.exe itself, and you would be in an endless loop).

Ok. But every time a new virus is created I have to change my program to identify it?
NO!!! Make an ini file and put the virus IDs there! There is a sample of this ini file at the
end of this article, and it already works for the Love-Letter virus. Put this file together
with the AntiVBS.exe file.

Ok, ok. And would I have to make an install program for it?
NO!!! AntiVBS is a self-installer. Just put it in a folder and run it.

Ok, ok, ok. And if I would like to remove it and restore the original file association?
Just run AntiVBS.exe with the /REMOVE option and all will be restored to the original state.

That's all folks!!! Enjoy!


*You can copy, paste and compile! (Note that it is a program without units)
}

{This is a program with no units}
program AntiVBS;

uses
  Windows,
  SysUtils,
  Registry,
  IniFiles,
  Classes;

{$R *.RES}

const
  AntiVBSName   = 'Anti-VBScript';
  ExecParameter = ' "%1" %*';
  VBSOpenKey    = 'VBSFile\Shell\Open\Command';
  VBSOpen2Key   = 'VBSFile\Shell\Open2\Command';
  OldValueName  = 'Old';  {registry value under which the original command is kept}

{Searches Text for every signature listed in AntiVBS.ini (same folder as the exe).
 Returns the NAME of the matching definition, or '' when nothing matched.}
function CheckViruses(const Text: string): string;
var
  i, j: integer;
  VirDefs, VirIDs: TStringList;
  Ini: TIniFile;
  Key, Section, Signature, UpperText: string;
begin
  result := '';
  UpperText := AnsiUpperCase(Text);
  VirDefs := TStringList.Create;
  VirIDs := TStringList.Create;
  Ini := TIniFile.Create(ChangeFileExt(ParamStr(0), '.ini'));
  try
    {[VIRUSDEFS] maps each group to the section that holds its signatures}
    Ini.ReadSectionValues('VIRUSDEFS', VirDefs);
    for i := 0 to VirDefs.Count - 1 do
    begin
      Key := AnsiUpperCase(VirDefs.Names[i]);
      if Key = 'COMMENT' then
        continue;
      Section := VirDefs.Values[VirDefs.Names[i]];
      Ini.ReadSectionValues(Section, VirIDs);
      for j := 0 to VirIDs.Count - 1 do
      begin
        Key := AnsiUpperCase(VirIDs.Names[j]);
        {COMMENT and NAME are bookkeeping entries, not signatures}
        if (Key = 'COMMENT') or (Key = 'NAME') then
          continue;
        Signature := AnsiUpperCase(VirIDs.Values[VirIDs.Names[j]]);
        if (Signature <> '') and (Pos(Signature, UpperText) > 0) then
        begin
          result := Ini.ReadString(Section, 'NAME', 'VBScript - Virus');
          exit;
        end;
      end;
    end;
  finally
    Ini.Free;
    VirDefs.Free;
    VirIDs.Free;
  end;
end;

{Puts the command saved under "Old" back as the default value and removes "Old".}
procedure RestoreKey(Reg: TRegistry; const Key: string);
var
  OldValue: string;
begin
  if not Reg.OpenKey(Key, false) then
    exit;
  OldValue := Reg.ReadString(OldValueName);
  if OldValue <> '' then
    Reg.WriteString('', OldValue);
  Reg.DeleteValue(OldValueName);
  Reg.CloseKey;
end;

procedure RemoveAntiVBS;
var
  Reg: TRegistry;
begin
  Reg := TRegistry.Create;
  try
    Reg.RootKey := HKEY_CLASSES_ROOT;
    RestoreKey(Reg, VBSOpenKey);
    RestoreKey(Reg, VBSOpen2Key);
    MessageBox(0, PChar(Format('The %s was uninstalled from your system with success!'#13 +
                       'In order to reinstall it just run it again with no options.', [AntiVBSName])),
               AntiVBSName, MB_OK or MB_ICONASTERISK);
  finally
    Reg.Free;
  end;
end;

procedure SetupRegistry;
var
  OldValue: string;
  InstalledPath: string;
  Reg: TRegistry;

  {Points Key at this executable. The previous command is saved under "Old"
   unless the key already points at AntiVBS, so a reinstall never overwrites
   the saved original with our own path.}
  procedure HookKey(const Key: string);
  begin
    Reg.OpenKey(Key, true);
    OldValue := Reg.ReadString('');
    if Pos(AnsiUpperCase(ExtractFileName(ParamStr(0))), AnsiUpperCase(OldValue)) = 0 then
      Reg.WriteString(OldValueName, OldValue);
    Reg.WriteString('', ParamStr(0) + ExecParameter);
    Reg.CloseKey;
  end;

  procedure AddAntiVBS;
  begin
    HookKey(VBSOpenKey);
    HookKey(VBSOpen2Key);
    MessageBox(0, PChar(Format('The %s was installed in your system with success!'#13 +
                       'In order to uninstall it just run it with the /REMOVE option.', [AntiVBSName])),
               AntiVBSName, MB_OK or MB_ICONINFORMATION);
  end;

begin
  Reg := TRegistry.Create;
  try
    Reg.Access := KEY_ALL_ACCESS;
    Reg.RootKey := HKEY_CLASSES_ROOT;
    if not Reg.OpenKey(VBSOpenKey, true) then
      abort;
    {strip the ' "%1" %*' part to obtain the path of the currently installed handler}
    InstalledPath := Reg.ReadString('');
    if Pos(ExecParameter, InstalledPath) > 0 then
      Delete(InstalledPath, Pos(ExecParameter, InstalledPath), Length(InstalledPath));
    Reg.CloseKey;
    if Pos(AnsiUpperCase(ExtractFileName(ParamStr(0))), AnsiUpperCase(InstalledPath)) > 0 then
    begin
      if AnsiUpperCase(ParamStr(0)) <> AnsiUpperCase(InstalledPath) then
      begin
        if MessageBox(0, PChar(Format('The %s is already installed in your system at'#13 +
                                      '%s'#13#13 +
                                      'Do you want to reinstall it from '#13'%s ?',
                                      [AntiVBSName, InstalledPath, ParamStr(0)])),
                      AntiVBSName, MB_YESNO or MB_ICONINFORMATION or MB_SYSTEMMODAL) = IDYES then
          AddAntiVBS;
      end
      else
        MessageBox(0, PChar(Format('The %s is already installed in your system at'#13#13'%s', [AntiVBSName, ParamStr(0)])),
                   AntiVBSName, MB_OK or MB_ICONINFORMATION or MB_SYSTEMMODAL);
    end
    else
      AddAntiVBS;
  finally
    Reg.Free;
  end;
end;

{Runs the original handler saved under "Old" on the script, replacing "%1" with
 the script path and "%*" with any remaining parameters. WinExec is used on
 purpose: ShellExecute would consult the .vbs association again and call
 AntiVBS.exe recursively. (The article's original line ran WinExec on the .vbs
 path itself, which does not start WScript.exe; this builds the real command.)}
procedure RunOriginalHandler;
var
  Reg: TRegistry;
  Cmd, Rest: string;
  i: integer;
begin
  Cmd := '';
  Reg := TRegistry.Create;
  try
    Reg.RootKey := HKEY_CLASSES_ROOT;
    if Reg.OpenKey(VBSOpenKey, false) then
      Cmd := Reg.ReadString(OldValueName);
  finally
    Reg.Free;
  end;
  if Cmd = '' then
    Cmd := 'WScript.exe' + ExecParameter;  {not installed: fall back to the standard host}
  Rest := '';
  for i := 2 to ParamCount do
  begin
    if Rest <> '' then
      Rest := Rest + ' ';
    Rest := Rest + '"' + ParamStr(i) + '"';
  end;
  Cmd := StringReplace(Cmd, '%1', ParamStr(1), [rfReplaceAll]);
  Cmd := StringReplace(Cmd, '%*', Rest, [rfReplaceAll]);
  WinExec(PChar(Cmd), SW_SHOW);
end;

var
  F: file;
  R: integer;
  Value: array[0..16383] of AnsiChar;  {the last byte is never written, so it stays #0}
  VirusName: string;

begin
  if ParamCount = 0 then
    SetupRegistry
  else if AnsiUpperCase(ParamStr(1)) = '/REMOVE' then
    RemoveAntiVBS
  else if FileExists(ParamStr(1)) then
  begin
    AssignFile(F, ParamStr(1));
    FileMode := 0; {ReadOnly}
    Reset(F, 1);
    try
      {The file is checked in blocks of 16 KB. Note that a signature split
       across two blocks is not detected by this simple loop.}
      repeat
        FillChar(Value, SizeOf(Value), 0);
        BlockRead(F, Value[0], SizeOf(Value) - 1, R);
        if R > 0 then
        begin
          VirusName := CheckViruses(string(PAnsiChar(@Value[0])));
          if VirusName <> '' then
          begin
            MessageBox(0, PChar(Format('The file %s is possibly infected by a virus:'#13#13' %s'#13#13'Its execution is denied.',
                       [ParamStr(1), '"' + VirusName + '"'])),
                       AntiVBSName, MB_ICONHAND or MB_SYSTEMMODAL);
            exit;
          end;
        end;
      until R = 0;
    finally
      CloseFile(F);
    end;
    RunOriginalHandler;
  end;
end.
{======================================================================}
The ini file:

[VIRUSDEFS]
COMMENT= Put here all ID groups.
LOVELETTER=LOVELETTER_IDS

[LOVELETTER_IDS]
COMMENT= Put here the NAME entry and the enumerated values that identify the virus (words found in the virus file).
NAME=Love Letter Virus (vbs macro)
1=loveletter
2=spreadtoemail()
3=MSKernel32.vbs
4=Win32DLL.vbs
5=LOVE-LETTER-FOR-YOU.TXT.vbs
==============================
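As an added example (not part of the article or the AntiVBS project), the Python below re-implements the signature check over the article's INI layout and shows a weakness of the block-by-block loop: a signature split across two 16 KB reads is missed unless the tail of the previous block is carried into the next one. The definition file and the sample script are constructed here; the function names are this example's own.

```python
import configparser
import io

# Constructed copy of the definition file in the article's format (AntiVBS.ini).
SAMPLE_INI = """[VIRUSDEFS]
COMMENT= Put here all ID groups.
LOVELETTER=LOVELETTER_IDS

[LOVELETTER_IDS]
COMMENT= Put here the NAME entry and enumerated values that identify the virus.
NAME=Love Letter Virus (vbs macro)
1=loveletter
2=spreadtoemail()
3=MSKernel32.vbs
4=Win32DLL.vbs
5=LOVE-LETTER-FOR-YOU.TXT.vbs
"""

META_KEYS = {"COMMENT", "NAME"}  # bookkeeping entries, not signatures


def load_definitions(ini_text):
    """Return {virus display name: [upper-cased signatures]}. As in the Delphi
    code, each [VIRUSDEFS] entry names the section holding that virus's IDs."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so COMMENT/NAME can be recognised
    cp.read_string(ini_text)
    defs = {}
    for group, section in cp["VIRUSDEFS"].items():
        if group.upper() in META_KEYS or section not in cp:
            continue
        name = cp[section].get("NAME", "VBScript - Virus")
        defs[name] = [v.strip().upper() for k, v in cp[section].items()
                      if k.upper() not in META_KEYS and v.strip()]
    return defs


def check_text(text, defs):
    """Case-insensitive substring match, the AnsiUpperCase/Pos test of AntiVBS."""
    upper = text.upper()
    for name, sigs in defs.items():
        if any(sig in upper for sig in sigs):
            return name
    return ""


def scan_stream(stream, defs, chunk_size=16383, overlap=True):
    """Scan a byte stream block by block. overlap=False reproduces the article's
    loop; overlap=True carries the last len(longest signature)-1 bytes forward."""
    carry = max((len(s) for sigs in defs.values() for s in sigs), default=1) - 1
    tail = b""
    while True:
        block = stream.read(chunk_size)
        if not block:
            return ""
        window = tail + block if overlap else block
        hit = check_text(window.decode("latin-1"), defs)
        if hit:
            return hit
        tail = block[-carry:] if carry else b""


def boundary_demo(chunk_size=64):
    """Constructed script: block 1 ends with 'spread', block 2 starts with 'toemail()'."""
    defs = load_definitions(SAMPLE_INI)
    script = b"x" * (chunk_size - 6) + b"spreadtoemail()\r\n"
    naive = scan_stream(io.BytesIO(script), defs, chunk_size, overlap=False)
    robust = scan_stream(io.BytesIO(script), defs, chunk_size, overlap=True)
    return naive, robust
```

boundary_demo() returns an empty string for the article-style scan and the Love Letter name for the overlapping scan on the very same bytes.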
Comments to this article
WScript.exe
    joe kamar (Feb 20 2008 1:23PM)

hi

Can you please tell me where to go to download this program, WScript.exe.

Thank you
joe kamar
Respond

RE: WScript.exe
Rafael Ribas Aguiló (Feb 20 2008 10:37PM)

It is part of the Windows Operating system. (Microsoft (r) Windows Based Script Host)
Respond

RE: RE: WScript.exe
joe kamar (Feb 21 2008 5:47AM)

Thank you very much, I have followed what you wrote to others and it worked.

Just one last question and that's all I have: I compiled it successfully, now what do I do with it (besides making a database and definitions)? Can I make it scan or does it just protect?

Thanks heaps, you have really helped. Much appreciated.  
Respond

RE: RE: RE: WScript.exe
Rafael Ribas Aguiló (Feb 24 2008 4:23PM)

Yes, you can do a scan. Just write code to accept a new option (maybe /scan) and write code to search for files with the VBS extension and check them against your virus definition files to see if they are viruses.
Respond

RE: WScript.exe
Rafael Ribas Aguiló (Feb 21 2008 11:30PM)

It is not a downloadable program. It is part of the Windows Operating System.
Install Windows and you'll get this file in the C:\WINDOWS\system32 directory.
Respond

RE: RE: WScript.exe
joe kamar (Feb 22 2008 4:24AM)

I know from what you have said to others that it's in the system, but could you list a few steps so that I know where to go to change settings so that it can activate my program when I test it.

Can you please show it in steps, so I understand and don't have to ask any more questions.

joe


Respond

RE: RE: WScript.exe
joe kamar (Feb 22 2008 4:27AM)

I know from what you have said to others that it's in the system, but could you list a few steps so that I know where to go to change any settings so that it can activate my program when I click it.

Can you please show it in steps, so I understand and don't have to ask any more questions.

joe


Respond

RE: RE: RE: WScript.exe
joe kamar (Feb 22 2008 4:43AM)

I have something else to ask besides 'how to activate my program': how do I get my program to update?

Sorry if I'm asking you too many questions, but I want the program to work out well.

(ANSWER ABOVE QUESTION AND THIS ONE)

cheers
joe
Respond

RE: RE: RE: RE: WScript.exe
Rafael Ribas Aguiló (Feb 23 2008 5:53PM)

Once it gets executed, it is installed.
To uninstall you have just to execute it again passing the /UNINSTALL option to it.
It hooks the execution of VBScript files and, before the script gets executed, it checks against the signature file whether the VBScript file being executed is a virus script, so it only executes when a VBScript is run.
Respond

antivirus
    sarah thomson (Feb 20 2008 5:48AM)

Hello

My name is Sarah Thomson, I want to compile this code but I am getting these errors. Do you know a way I can fix this problem so I can compile the code?

Thank you much appreciated
Cheers
Sarah
Respond

RE: antivirus
Rafael Ribas Aguiló (Feb 20 2008 10:55PM)

Please, download the project at http://www.agilesoftware.com.br/download/AntiVBS.zip
Respond

RE: RE: antivirus
sarah thomson (Feb 23 2008 3:24PM)

hi

I have the program installed on my computer, but what must I change to activate the program? Could you please lay it out in steps. Thank you very much.

Sarah
Respond

RE: RE: RE: antivirus
Rafael Ribas Aguiló (Feb 23 2008 5:52PM)

Once it gets executed, it is installed.
To uninstall you have just to execute it again passing the /UNINSTALL option to it.
It hooks the execution of VBScript files and, before the script gets executed, it checks against the signature file whether the VBScript file being executed is a virus script, so it only executes when a VBScript is run.


Respond

RE: RE: RE: RE: antivirus
sarah thomson (Feb 24 2008 8:04AM)

Thank you very much, I understand.

You said that for this code to detect viruses it has to be updated, by me making my own signatures like you have demonstrated, but how can I do these signatures if I can't find 'all'! the virus codes (especially from years back)? Is there a website or database from which I can grab all the virus code?

Thank you
Respond

RE: RE: RE: RE: antivirus
sarah thomson (Feb 24 2008 8:05AM)

Thank you very much, I understand about the program.

You said that for this code to detect viruses it has to be updated, by me making my own signatures like you have demonstrated, but how can I do these signatures if I can't find 'all'! the virus codes (especially from years back, hundreds of them)? Is there a website or database from which I can grab 'all' the virus code?

Thank you
Respond

RE: RE: RE: RE: RE: antivirus
Rafael Ribas Aguiló (Feb 24 2008 4:45PM)

Yes, it has to detect a virus by some kind of identification technique, and one of these techniques is the definition file.
As I explained in this article, I made a definition file as an INI. Please take a look at it to get an idea of how to add more virus definitions there.
About having all the VBS virus definitions: no, I don't have them and, unfortunately, I don't know where to find them, since it is not part of my business as a software developer.

Respond

Application, compile help!
    matthew struat (Feb 17 2008 8:56AM)

Hi, Rafael Ribas Aguiló

I am using Delphi; it gives me a range of application types to choose from. Now you say copy, paste and compile, but which application do I choose?
(For new projects)
Example: Console Application, Form, Components, package or SDI/MDI applications.
Can you please specifically tell me which of the applications I can compile this code with.

Thank you
Matt
Respond

RE: Application, compile help!
Rafael Ribas Aguiló (Feb 18 2008 4:34AM)

Matthew,

You need to study Delphi.
Respond

RE: RE: Application, compile help!
matt struat (Feb 19 2008 6:02AM)

I don't know what you are saying, you said yourself that it worked successfully with Delphi. How come I have tried every New project option and it hasn't worked (maybe I am doing something wrong)? But another thing I asked you was which one to use, I am not going to go through all of them to find out, that's why I asked you. I don't know why you're telling me to study it when I'm asking for one thing. (WHICH ITEM SHOULD I USE) for a successful compile.

Matt  
Respond

RE: RE: RE: Application, compile help!
Rafael Ribas Aguiló (Feb 20 2008 10:54PM)

Please, follow these steps:

1- download the source at http://www.agilesoftware.com.br/download/AntiVBS.zip;

2- Unzip the file to a folder;

3- Open the project file AntiVBS.dpr with Delphi;

4- Compile it;

*You need to create a file with the virus signatures, I mean, a file containing identifiers of the infected files. See my example, it works for the Love Letter virus.

Respond

RE: RE: RE: RE: Application, compile help!
matthew struat (Feb 21 2008 5:58AM)

I apologize for the rude message that I sent you, if you haven't noticed I was annoyed, but thanks so much for helping me out, it worked successfully, much appreciated.

Kind regards
Matt  
Respond

RE: RE: RE: RE: RE: Application, compile help!
Rafael Ribas Aguiló (Feb 23 2008 5:55PM)

I understand, but I really don't have much time to spend on this kind of support. I hope you understand it.
Respond

register
    jonathan andrews (Feb 17 2008 6:54AM)

hi

I downloaded a trial version called CodeGear RAD Studio 2007; it asks me to register, it says the following:

'Register now with name and password'
and right down at the bottom it says:
'enter an activation file'

Which one should I do and do I have to pay once I register?

Kind Thanks
Jonathan

Respond

RE: register
Rafael Ribas Aguiló (Feb 23 2008 6:04PM)

Please, you need to ask CodeGear about it. They would be the best option.

But one thing I know: you don't need to pay anything to get registered.
Respond

Subject
    jack sadden (Feb 13 2008 5:26AM)

hi

I wanted to ask you whether this antivirus script you have on this website really works: can it really scan and find viruses, or are there other codes to be put in? (Does it completely scan the computer?)

Thanks for any feedback
Respond

RE: Subject
Rafael Ribas Aguiló (Feb 23 2008 5:47PM)

No, it does not scan your computer.
It hooks the execution of VBScript files and checks against the signature file whether the VBScript file being executed is a virus script.

Respond

Antivirus
    Micheal Johnson (Feb 12 2008 7:24AM)

hi

I'm trying with both products, Visual C++ and Visual Basic, to compile the Anti.vsb program, but when I copy and paste and start the compiling process it gives me a heap of errors. How do I get the program to compile straight away without any errors, or how do I fix it?

Kind Regards
Micheal

Respond

RE: Antivirus
Rafael Ribas Aguiló (Feb 12 2008 12:54PM)

Micheal,

This article demonstrates how it was done in the Delphi language, so you need a Delphi tool to compile it successfully.

When I said you can do it in any language I meant that you could translate it to other programming languages such as C++, C# or even VB.

This code example will compile in any version of Delphi.
Respond

RE: RE: Antivirus
Micheal Johnson (Feb 13 2008 4:15AM)

I understand what you have said. I know that you have to buy the version(s), but on CodeGear it lists trial versions like 'Turbo Delphi Explorer', Turbo Delphi for .NET Explorer, Delphi 2007 for Win32, CodeGear RAD Studio 2007 and Borland Developer Studio 2006. Would one of these programs be relevant for the code?

Thanks
Respond

RE: RE: RE: Antivirus
Rafael Ribas Aguiló (Feb 13 2008 4:16AM)

Yes, you can try one of these.
Respond

RE: RE: RE: RE: Antivirus
Micheal Johnson (Feb 13 2008 4:39AM)

Thank you very much for the help.
Respond

RE: RE: RE: RE: RE: Antivirus
jack sadden (Feb 13 2008 5:32AM)

I have been looking and, because I don't want to waste my download speed, which of the programs I have told you about would you recommend?

Thanks and sorry, but I want to do this right
Respond

RE: RE: RE: RE: RE: RE: Antivirus
Micheal Johnson (Feb 13 2008 5:49AM)

Sorry mate, I was messaging you from my brother's account, he wants to ask you the above question and I want to know this question.

Apology for the mix up
Respond

RE: RE: RE: RE: RE: RE: RE: Antivirus
Micheal Johnson (Feb 13 2008 6:27AM)

brother in law. If you want to know
Respond

questions
    john william (Feb 10 2008 6:03AM)

Please respond to these three in this post:
1) where can I buy Delphi at the cheapest price
2) how do I make my own virus signature database
3) can I use Visual Basic for making the anti-virus, and how can I do it in Visual Basic if I can

Apology for the amount of questions.
Thanks for the useful reply(s)
Can you immediately attempt these questions
Respond

developer software
    john william (Feb 10 2008 5:23AM)

Just another question, to be certain: I can use Visual Basic, is that correct?
Respond

delphi
    john william (Feb 10 2008 4:55AM)

I haven't received an answer yet, can someone please respond to my question? Much grateful.
Respond

RE: delphi
Rafael Ribas Aguiló (Feb 10 2008 4:58AM)

The technique is the most important thing.
You can implement it in any programming language you want.
Delphi is a professional tool and you can find its latest version at www.codegear.com
Respond

RE: RE: delphi
john william (Feb 10 2008 5:05AM)

One last question: can I download it and use it?
Thanks for the reply.
Respond

RE: RE: RE: delphi
john william (Feb 10 2008 5:08AM)

Oh, what is it called on the site? (specifically)
Respond

delphi
    john william (Feb 10 2008 3:08AM)

Sorry to add a third question, but is there any other developer software I can use besides Delphi?
Respond

Delphi
    john william (Feb 10 2008 2:18AM)

I was hoping for a quick response, if necessary,
appreciated.

Respond

delphi
    john william (Feb 10 2008 2:01AM)

Hi,

I was wondering where I could find a version of Delphi on the internet so that I can download it.
(trial or freeware)

Thanks for any comments.  
Respond

There is something useful in this article :)
    Pavel Donchev (Dec 20 2004 4:42PM)

I will ask you to excuse me for the English first. As a matter of fact I will use this code only to warn the users that a .vbs file is about to be launched. Just think about it: most viruses infect systems because the user cannot see the execution of such a file. If he knows when and what file is about to be started it will reduce the risk.


Excuse me for my English again.
And thanks for this article :) It really helps me :).

(: PeakSoft.Info 4Ever :)
Respond

Why only vbs ?
    Street Racer (Sep 17 2002 12:24AM)

This example works only on plain VBS, but if we encrypt files it just stops working because it doesn't understand encrypted files. When I write something in VBS and I don't want everyone looking at my source, I encrypt it. I propose implementing VBE decryption to trace encrypted files.
Sorry for my English.
Respond

new signatures
    EricLewis (Oct 4 2001 5:11PM)

Where does one go to find new signatures?
Respond

RE: new signatures
Rafael Ribas Aguiló (Oct 4 2001 7:02PM)

Hi,
you have to do it by yourself, looking in virus files and trying to determine the virus signature, just like the way I did with the Love-Letter virus.
Maybe one day we can share the signatures that we may have.
Respond

RE: RE: new signatures
Mohamed Halimi (Oct 30 2001 5:46PM)

You could as well set up a web space with a virus signature database from where your anti-virus application can update virus signatures automatically.

The database would be updated by virus hunters. Et voilà!



Respond

RE: RE: new signatures
Hussein Bagherzadegan (Oct 3 2003 6:29PM)

Hussein bagherzadegan
Student of University

Respond
  Copyright © 2000 - 2007 delphi3000.com - All rights reserved. Terms of use. || Privacy
delphi3000.com is a service by bluestep.com IT-Services GmbH (Vienna)