Thread: Viruse Gator 0.1 hehe

  1. #1

    Thread Starter
    Addicted Member
    Join Date
    Jan 2006
    Posts
    234

    Viruse Gator 0.1 hehe

    I would like to make a program that notifies you when a change takes place.
    Much like a snapshot of the PC, and when a change takes place you would be notified where and when, maybe... Although I am new to this, it would be a learning task for me, and maybe my team? Any comment on where to start or how this works? Hehe, oh, it must be freeware; I think that if I or someone else made the program it should be free!!!

  2. #2
    Hyperactive Member kazar's Avatar
    Join Date
    Apr 2006
    Location
    UK
    Posts
    323

    Re: Viruse Gator 0.1 hehe

    When you say you want a snapshot, do you want an actual snapshot, i.e. a print screen, or do you want a log file of some sort that adds the name, time, and type of file when the filesystem changes?
    KAZAR

    The Law Of Programming:

    As the Number of Lines of code increases, the number of bugs generated by fixing a bug increases exponentially.
    __________________________________
    www.startingqbasic.co.uk

  3. #3

    Thread Starter
    Addicted Member
    Join Date
    Jan 2006
    Posts
    234

    Re: Viruse Gator 0.1 hehe

    I was thinking it would be nice to alert you before a change has been made, and if you didn't want the change to take place then you could block it?

    That would be the simplest task for starters, I think? I was thinking maybe use regedit and search for stuff also, and if it's there remove it, maybe???
    Last edited by Triple_access; Apr 24th, 2006 at 09:07 PM.

  4. #4
    Hyperactive Member kazar's Avatar
    Join Date
    Apr 2006
    Location
    UK
    Posts
    323

    Re: Viruse Gator 0.1 hehe

    Tell you what, I'll look into scanning the registry, and every time it changes, showing the key that changed, the old value, and the new value?

  5. #5

    Thread Starter
    Addicted Member
    Join Date
    Jan 2006
    Posts
    234

    Re: Viruse Gator 0.1 hehe

    Tell ya what! I got brave last night and decided to go out and find a virus, which I did very well!!! And from what I saw, you would have to know when and where the system32 files change. I got over 10 viruses in one whack, and on a 56k connection it took only a minute! One of the viruses I had disabled or replaced my "taskman" so I could not end any program. So I went deleting files in the system32 folder that I thought were linked to taskman. The file I think needed deleting would not delete, and since I could not end any process I was pretty much screwed! I ended up restoring my PC; it is a good thing that I have SP2 on disk! The best virus remover I have found yet is my system restore disk! Oh, it also deleted my restore files, so that didn't work either... This is getting very frustrating dealing with this. To get the virus that I had found you have to go to a desired webpage and bam, you're pretty much screwed! I thought I would be smart enough to remove it and I was wrong. I tried safe mode and all the extra goodies; nothing worked. I also tried downloading the taskman off the net, and I did, I installed it, and still the same error. I just didn't have the permission to run taskman, from what the popup was telling me! I don't know if they had overwritten the file taskman or it was all in a .dll somewhere, but this has to end someway?

    Errr, think of these helpless people that have to pay for their PCs to be fixed. The virus I had also added an HTML file in your Program Files. That was your home page and it had links that were clickable; they were trying to sell their spyware remover, ha... Also by the clock was a red X; it was very annoying due to the sound!

    It wanted you to go click on the balloon and download a program because it said your PC was infected. It looked like a Microsoft program but it wasn't, 'cause I found where it was coming from: an exe deep in Windows. Also the Windows firewall was disabled, and they pretty much made it where, when you entered the Windows XP firewall and clicked on activate firewall, they wrote their own errors there. You'd think they'd have something better to do, but I guess they get paid to do this. People believe this and actually pay for their software, ha, what a bunch of slime buckets.

  6. #6

    Thread Starter
    Addicted Member
    Join Date
    Jan 2006
    Posts
    234

    Re: Viruse Gator 0.1 hehe

    I have been thinking! And what I have thought about is when you get a virus:
    A, you don't know what files were infected
    B, even if you did, would that help? Would you be able to replace the damaged files???

    So that leads me to believe that the best virus protection "program" would need to monitor the connection, "instead of the files". That way you could block access from a download. I mean, isn't getting a virus basically an infection of files? How can you get a virus if your files don't get changed? So my opinion is to monitor the connection for unwanted incoming files and data. How could we accomplish this?

  7. #7
    Hyperactive Member kazar's Avatar
    Join Date
    Apr 2006
    Location
    UK
    Posts
    323

    Re: Viruse Gator 0.1 hehe

    Hmm... that's a lot more complicated. That'll need Winsock. Filesystem monitoring is easier, but it is possible, I suppose... I don't know that much Winsock, but I can look into it.

  8. #8

    Thread Starter
    Addicted Member
    Join Date
    Jan 2006
    Posts
    234

    Re: Viruse Gator 0.1 hehe

    I am sure there is an easier way. Just earlier I discovered that when you download a file, your C:\Documents and settings\?????\Local Settings\Temp Internet Files .... size changes when you are downloading a file from the net! So that means an unwanted download would also cause this folder's size to change. The problem is, even though the size changes, you can't view why it is changing! I don't understand that part of it? Well, if you could be prompted that your temp internet file folder was being tampered with, you could at least disconnect?

  9. #9
    Hyperactive Member kazar's Avatar
    Join Date
    Apr 2006
    Location
    UK
    Posts
    323

    Re: Viruse Gator 0.1 hehe

    The prob is that the temp internet folder also stores the images for sites, to increase load time the next time. I could detect changes in the temp folder, e.g. vbs, exe, etc., but I can't just block the temp folder completely.

  10. #10
    PowerPoster sunburnt's Avatar
    Join Date
    Feb 2001
    Location
    Boulder, Colorado
    Posts
    1,403

    Re: Viruse Gator 0.1 hehe

    The .NET Platform 2.0 contains a FileSystemWatcher class, which allows you to be notified when certain actions happen in certain folder(s), such as a file being deleted, renamed, modified, etc.

    It might be of use.
    Every passing hour brings the Solar System forty-three thousand miles closer to Globular Cluster M13 in Hercules -- and still there are some misfits who insist that there is no such thing as progress.

  11. #11
    Hyperactive Member
    Join Date
    Sep 2002
    Location
    Okinawa, Japan
    Posts
    271

    Re: Viruse Gator 0.1 hehe

    Triple_access,

    Been interested in this kind of topic for a while. After some research, the best thing to do is monitor what executables and scripts launch. I've used a process notification routine available in Win2k and above (I think NT4 has it too). This routine calls a driver function when executables launch. By suspending all processes as they launch, I can do a quick check to see what the creation time on the file is. By checking the creation time, if it is within a few minutes of the current time then you can stop it from executing if you didn't download the file (good for exploits that install spyware/viruses).
    Taking this on to another level, you can hook imports in the executable and send the calls to your own DLL and stop any that access the registry or write to system files.
    Got the start of the program on my web page under freeware.

  12. #12

    Thread Starter
    Addicted Member
    Join Date
    Jan 2006
    Posts
    234

    Re: Viruse Gator 0.1 hehe

    Well, this scans 2 files in VB, so I now know it can be done...

    VB Code:
    Private Sub Command1_Click()
    On Error GoTo jump0
    FileName = "C:\WINDOWS\system32\COMCT232.DEP" '     Selected File 1
    Open "C:\Logg.html" For Output As #1 ':::::LOGG FILE OPEN \\Write Mode//
    Print #1, FileDateTime(FileName)
    Close 1
    Open "C:\Logg.html" For Input As #1
    FLen = FileLen(FileName)
    Close 1
    Open "C:\Logg.html" For Append As #1
    Print #1, FLen
    Print #1, FileName
    Print #1, "<BR>"
    Close 1 ';;;;;;;;;;;;;;;;;;LOGG FILE CLOSED
    '------------------------------------------
    '------------------------------------------
    jump0:
    FileName = "C:\Alarm Clock.exe" '     Selected File 1
    Open "C:\Logg.html" For Append As #1 ':::::LOGG FILE OPEN \\Write Mode//
    On Error GoTo jump1
    Print #1, FileDateTime(FileName)
    Close 1
    Open "C:\Logg.html" For Input As #1
    FLen = FileLen(FileName)
    Close 1
    Open "C:\Logg.html" For Append As #1
    Print #1, FLen
    Print #1, FileName
    Print #1, "<BR>"
    Close 1 ';;;;;;;;;;;;;;;;;;LOGG FILE CLOSED
    '------------------------------------------
    '------------------------------------------
    jump1:
    End Sub

    Private Sub Form_Load()

    End Sub


    Private Sub Timer1_Timer()
    Open "C:\Logg.html" For Input As #1     'OPEN TO READ LOGG
    On Error GoTo skip0
    FileName = "C:\WINDOWS\system32\COMCT232.DEP"         'Selects Filename
    Input #1, Logg   'Date
    If Logg <> FileDateTime(FileName) Then
        MsgBox FileName & " Was edited on " & Logg
        Else
        End If
    Input #1, Logg   'Bytes
    If Logg <> FileLen(FileName) Then
        MsgBox FileName & " Data Has changed From " & Logg & " Bytes to " & FileLen(FileName) & " Bytes"
        Else
        End If
    Input #1, Logg   'File name and Location
    Input #1, Logg   'WhiteSpace <BR>        'END OF READING
    '-------------------------------------------------------
    '-------------------------------------Still reading LOGG
    skip0:
    FileName = "C:\Alarm Clock.exe"         'Selects Filename
    Input #1, Logg   'Date
    On Error GoTo skip1
    If Logg <> FileDateTime(FileName) Then
        MsgBox FileName & " Was edited on " & Logg
        Else
        End If
    Input #1, Logg   'Bytes
    If Logg <> FileLen(FileName) Then
        MsgBox FileName & " Data Has changed From " & Logg & " Bytes to " & FileLen(FileName) & " Bytes"
        Else
        End If
    Input #1, Logg   'File name and Location
    Input #1, Logg   'WhiteSpace <BR>        'END OF READING
    '-------------------------------------------------------
    '-------------------------------------Still reading LOGG
    skip1:

    Close 1
    End Sub

  13. #13
    Super Moderator si_the_geek's Avatar
    Join Date
    Jul 2002
    Location
    Bristol, UK
    Posts
    41,974

    Re: Viruse Gator 0.1 hehe

    I know you haven't asked for comments on your code, but I think it is useful for you to know a few things I have noticed..

    First of all, why on earth are you opening & closing the same file 3 times in a row? The following code is equivalent to the same range of code in Command1_Click, but is quicker and easier to read...
    VB Code:
    FileName = "C:\WINDOWS\system32\COMCT232.DEP" '     Selected File 1
    Open "C:\Logg.html" For Output As #1 ':::::LOGG FILE OPEN \\Write Mode//
    Print #1, FileDateTime(FileName)
    Print #1, FileLen(FileName)
    Print #1, FileName
    Print #1, "<BR>"
    Close #1 ';;;;;;;;;;;;;;;;;;LOGG FILE CLOSED
    ..similar can be done for the second half of the sub.

    Note that your error handling certainly isn't ideal either - the line "On Error GoTo jump1" is too late (as the "open" line before it can have errors); you do not close any open files in your error handler (it is possible that an error occurs between the Open and Close lines). Oh, and if an error occurs in the first section, then you will have no error handling in the second section - as you are not using a Resume of any kind.

    Note that you should be using FreeFile to find the file number to use, instead of always using #1 ; this is especially true in this case, as the timer is also opening files.
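
The date-and-size snapshot from post #12, extended with a content hash, as an added example that is not part of the original thread: a same-length overwrite with the timestamp put back passes both the date and the size check and is flagged only by SHA-256. Python stands in for the thread's VB, and the file names inside `demo()` are constructed.

```python
import hashlib
import os
import tempfile


def snapshot(paths):
    """Record size, mtime and SHA-256 for each path; None marks an unreadable file."""
    baseline = {}
    for path in paths:
        try:
            st = os.stat(path)
            with open(path, "rb") as fh:  # handle is closed even if reading fails
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[path] = (st.st_size, st.st_mtime_ns, digest)
        except OSError:
            baseline[path] = None
    return baseline


def compare(old, new):
    """Return {path: [reasons]} for every path whose record differs."""
    changes = {}
    for path in old:
        before, after = old[path], new.get(path)
        if before == after:
            continue
        if before is None or after is None:
            changes[path] = ["appeared" if before is None else "missing"]
            continue
        names = ("size", "mtime", "sha256")
        changes[path] = [n for n, b, a in zip(names, before, after) if b != a]
    return changes


def demo():
    """Constructed sample: same-length overwrite with the timestamp restored."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "sample.dll")      # constructed file name
        absent = os.path.join(d, "not-there.exe")   # exercises the error path
        with open(target, "wb") as fh:
            fh.write(b"original-bytes")
        base = snapshot([target, absent])
        st = os.stat(target)
        with open(target, "wb") as fh:
            fh.write(b"tampered-bytes")             # same length, new content
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
        return compare(base, snapshot([target, absent])), target
```

Calling `demo()` returns the change report and the path it refers to; the only reason listed for the modified file is `sha256`.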
