Contributor: R. LOERAKKER (* > I have a big problem here. It's just, I want to make a simple >anti-virus, but I don't know how to locate, remove a virus. Anybody know >how to can you please teach me...or a source code would be better >Thankx...Bye! Here's a small program to find & eradicate the Taipan virus, but first the DOC file: Written on 26-11-94 by R. Loerakker (C) 1994 by R. Loerakker and the Virus Research Centre Holland DISCLAIMER ========== Warning. This product comes as is. The author, nor the VRCH can be held responsible for any damage done to your system, accidental or implied. However, this program should be safe and worked correct on our systems. PURPOSE ======= These source codes are provided to the public to show how a scanner engine could work. I provided them in two different languages to show that it doesn't really matter which one you use. The programs will, if compiled, search for the Tai-Pan (Whisper) virus on the current drive. They will not repair the file, they only report the infections. LANGUAGE ======== The languages I used to create these programs are both from Borland, named Borland Pascal 7.0 and Borland C++ 3.1 (with Application Frameworks). I used the normal Pascal syntax, without any object oriented code in it. The C version is also made without any object oriented code (C++ extensions). The object oriented programming style can be adapted if your scanner has to cope with more viruses. You can make a OOP database of the viruses. DRAWBACKS ========= These programs have some drawbacks and I will give them here : * they don't scan in archives * they don't scan inside packed executables * they won't disinfect an infected file * they don't use anti-stealth techniques (not needed for Tai-Pan) * Some other (dumb) scanners can give a false alarm, identifying the compiled source as Tai-Pan. These scanners do scan the whole file, not just the entrypoint (as I do). They can find a piece of Tai-Pan (the signature) in the data segment of the program. LEGAL RIGHTS ============ You may use these sourcecodes to make your own scanner for a certain virus, without any restrictions. I would like it if you leave my name in it, because I also spent some time in it, escpecially learning C, which is not my best language (yet). The source code may be copied freely, as long as the three files are included (FINDTAI.CPP, FINDTAI.PAS and this FINDTAI.DOC). There are no objections for adding BBS advertisements in the archive and the archive may be converted to another type. Publishing on a CD-ROM is also no problem. If you make your own scanner for a virus with these source codes, I would like a copy of the program (also the sourcecode if you want to). VRCH (Virus Research Centre Holland) ==================================== The VRCH is an independed organisation that helps people and companies with getting rid of viruses. We also hope to give a certain education and making people more virus-aware. We produce a wide range of antivirus software, from individual cleaners to source code like this. Most of these programs are freeware, unless otherwise stated, but money is always welcome to cover the expenses. If you have any problems with viruses, please contact us and we might be able to help you. THE AUTHOR ========== Richard Loerakker Albert Schweitzerstraat 3 2851 CC HAASTRECHT Tel. 01821-3050 Note : This address will be invalid from 17th of December, because I am moving. I will give the new address when I am settled at my new place. Meanwhile, you still can send to the above address and I will receive it anyway. GREETINGS ========= First I want to thank Rob Vlaardingerbroek, former president of the Virus Research Centre Holland, for helping me with these projects. Also thanks for the other members for supporting me with keeping VRCH alive after Rob has thanked for his position in VRCH. Also thanks to Righard Zwienenberg (CSE) for pointing out a flaw in the C code. Further thanks go to : My parents (ofcourse) Industrial Man of Intertia Thanks for putting up a seperate VRCH area on your BBS for uploading my newest programs. Rob Greuter (F-PROT Nederland) The professional version is very good, indeed. I hope to see it in the "SLB diensten" soon. Fernando Cassia The cards were beautiful, and would love to see a video of your country (and maybe you?) Hans-G”ran Andersson Thanks for the letter, I appreciate it. Hans Janson Thanks for mentioning the bug in K-JUNKIE (1.0) Jan Hekking Also thanks for pointing out the bug in K-JUNKIE (1.0) Also greetings to all other authors of antivirus software! AT LAST ======= You hope that you can use these sourcecodes and that you might have learned more about fighting viral infections. Regards, Richard Loerakker Technical President of the Virus Research Centre Holland *** *** C:\T\T\FINDTAI.PAS (*========================================================================= Source : FINDTAI.PAS Version : 1.0 Compiler : Borland Turbo Pascal 7.0 Date : 26-11-1994 Author : R. W. Loerakker Purpose : Short course on scanning viruses Description : This program is just made as a demonstration program on how you can make a program to scan for a certain virus. This doesn't mean this is perfect. It's just an example of how a scanner engine might work. This detects the TAI-PAN virus in infected files on the current drive. =========================================================================*) Uses Crt, DOS; Const Sig : Array[0..9] of Byte = ($e8,$00,$00,$5e,$83,$ee,$03,$b8,$ce,$7b); Var F : File; Buf1 : Array [0..$1C] Of Byte; Buf2 : Array [0..30] Of Byte; Nr, Hp, Cs, Ip : Word; Ep: LongInt; Infected : Integer; Attrib : Word; Function Up (S : String) : String; Var I : Integer; Begin For I := 1 To Length (S) Do S [I] := UpCase (S [I] ); Up := S; End; Function Rep (Times : Integer; What : String) : String; Var Tmp : String; I : Integer; Begin Tmp := ''; For I := 1 To Times Do Tmp := Tmp + What; Rep := Tmp; End; Function Compare ( B : Array Of Byte) : Boolean; Var C : Byte; IsIt : Boolean; Begin IsIt := True; C := 0; While (C <= 9) And (IsIt) Do Begin If B[C] <> Sig[C] Then IsIt := False; Inc(C); End; Compare := IsIt; End; Procedure FExe (N : String); Begin FileMode := 0; If Pos ('.EXE', N) <> 0 Then Begin Assign (F, N); GetFAttr (F, Attrib); SetFAttr (F, 0); FileMode := 2; Reset (F, 1); BlockRead (F, Buf1, SizeOf (Buf1), Nr); Ep := 0; If Buf1[0]+(Buf1[1] * 256) = $5a4d Then Begin Hp := Buf1 [8] + Buf1 [9] * 256; Ip := Buf1 [$14] + Buf1 [$15] * 256; Cs := Buf1 [$16] + Buf1 [$17] * 256; Ep := Cs + Hp; Ep := (Ep * 16 + Ip) And $FFFFF; End; Seek (F, Ep); BlockRead (F, Buf2, SizeOf (Buf2), Nr); Write (N); If Compare ( Buf2) Then Begin WriteLn (Rep (60 - Length (N), ' '), 'Infected. '); Inc (Infected); End Else Write (Rep (60 - Length (N), ' '), 'Clean.'#13); Close (F); SetFAttr (F, Attrib); End; End; Procedure SDir ( SPath : String); Var S : SearchRec; Begin FindFirst (SPath + '*.*', AnyFile Xor VolumeID, S); If S. Name = '.' Then Begin FindNext (S); FindNext (S); End; If (DosError = 0) And (S. Attr And Directory <> Directory) Then Begin FExe (SPath + S. Name); FindNext (S); End; While DosError = 0 Do Begin If (S. Attr And Directory = Directory) Then Begin SDir (SPath + S. Name + '\'); End Else FExe (SPath + S. Name); FindNext (S); End; End; Begin WriteLn ('F-TAIPAN V1.0 (C) 1994 by R. Loerakker'); WriteLn; WriteLn ('Searching for TAI-PAN...'); WriteLn; Infected := 0; SDir (Copy (Up (ParamStr (0) ) , 0, 2) + '\'); ClrEol; WriteLn (Infected, ' infected files found.'); End. ***