AntiVirus On Autoit

[WolfWorld]

It Not A real ANTIVirus it con only direct process virus only

OK

NO INSTALL NEED

This is a Demo that will see autoit3.exe as a virus Download : http://www.adload.co.nr/LowAntivirus-Demo.exe

expandcollapse popup

$virus = 'Autoit3.exe'

Dim $arrComputers, $strQuery, $SINK, $objContext, $objWMIService, $objAsyncContextItem, $return, $account
$arrComputers = _ArrayCreate(".")
$strQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"
$SINK = ObjCreate("WbemScripting.SWbemSink")
ObjEvent($SINK, "SINK_")
For $strComputer In $arrComputers
    $objContext = ObjCreate("WbemScripting.SWbemNamedValueSet")
    $objContext.Add ("hostname", $strComputer)
    $objContext.Add ("SinkName", "sinktest")
    $objWMIService = ObjGet("winmgmts:!\\" & $strComputer)
    If Not @error Then
        $objWMIService.ExecNotificationQueryAsync ($SINK, $strQuery, Default, Default, Default, $objContext)
    EndIf
Next
While 1
    Sleep(500)
WEnd

Func scan($fn)
    If $virus = $fn Then
        $tvirus = ProcessExists($fn)
        If $tvirus Then ProcessClose($tvirus)
    EndIf
EndFunc   ;==>scan



;******************************************************************************
Func SINK_OnObjectReady($objLatestEvent, $objAsyncContext)    ;Trap asynchronous events.
    Local $essai1, $essai2
    $objAsyncContextItem = $objAsyncContext.Item ("hostname")
    $filename = $objLatestEvent.TargetInstance.Properties_.item ("Name").value
    scan($filename)

EndFunc   ;==>SINK_OnObjectReady
Func sink_onprogress($iUpperBound, $iCurrent, $strMessage, $objWbemAsyncContext)
EndFunc   ;==>sink_onprogress

FULL VERSION

DOWNLOAD : http://www.adload.co.nr/LowAntivirus.exe Version 0.5 Beta

Update at http://www.adload.co.nr/Links.txt

Put Links.txt in LowAntivirus.exe Direction

Download Virus for testing(It not a real virus) http://www.adload.co.nr/scvhost.exe(It will close the LAV and put a message ATTACK This IS A LOOP) This show the reloader of LAV and It will kill

Version 0.5 Beta

ADD Change the reloader as a temp file and system file and readonly

Version 0.4 Beta

Fix/ADD ADD Full Scan after been close by a virus(Fix because it will not see it in Real time scan because it has been load)

Version 0.3 Beta

ADD Unclose able can't not beclose(If you want to close it shutdown)

Version 0.2 Beta

ADD Register FIX or Delete

Version 0.1 Beta

First version scan for process virus only

Edited May 23, 2007 by athiwatc

[jokke]

I like the idea.

How are you going to store your definitions list ?

[James]

Hmm.. So it will read a file to see if it is a virus. Hmm.. Why use AutoIt.exe as the virus in this demo?

[WolfWorld]

I like the idea.

How are you going to store your definitions list ?

Like This

[version]

signature=10

[Data]

antivirus=4D2969927476FC850360A276E7E5EC110C11EC7E83151377CB98FB74C0B78A2DC92895072C60EE7887122CF058

859DF99E0B26BF59BAC1D973996DB3001E10C722FB5E027FB9995FB5C99EAEBFC6260BB543F00E66BDFC1C714721709799C0

35219FE9F663F89350839107D722D70FD5BB9A42D2F972CE165F21B8FF8059ADDEAEEFB102FB5B5535DBC33DE0EA6874436F

70F93EE07E5A14F42F2D2DC9E3B52E4FF977BEE6A58523790EE6949602134449490726C82C9DA8B2534E5070CE8FF355C75A

9E4B53E6D44E14EF5007E06CE3B5C1A9ACFB141213921EA61DE0438058596196A415198FA726AEF2CCD36358AABFA81AC421

DA3F43C7E53311828FCE4A659B4CAE05CCB9FFE76E70379BD697CE7094511DF6BCF14B521FCF10A2D1EA981C5488A1C59DC0

26E3E9719620FDDFE833DED1984A1A3BA15FE54EFB18B59F328E4BA318184865D6438D3ABE70C6275456C63AAD969824896A

87930AE5438D213C16D33B299607A03505ACD83074F00F62A3F0C29B26C5CB250D49CA31FD3A0CD73CA34A952FD6FCEFFDAA

58DB734C870622E71189C1D9E99EFFD6FAB1FCB1F8F8F1454F1286953CB6D403EBFE05E3134BEB6C8E0BE9AFCF643B7CC29B

CED12714B5F67562AE4F7DFC52B3436BDEA75E425C21526CEE803E1878E945262F318AC6220A0BF3422CC372F71FDE34EEBE

4E719B40A75DF416AA62F0D4575560

sumcheck=B7CD74FDB71F15CFBE8C9E2E0BA22F6C

[WolfWorld]

Hmm.. So it will read a file to see if it is a virus. Hmm.. Why use AutoIt.exe as the virus in this demo?

It the only things in my brain at that time srry

Edited May 22, 2007 by athiwatc

[James]

Oh ok. Well its a good idea

[BillLuvsU]

I made somthing like this a while back, I just hijacked Norton's definitions using secret ninja (and most likely illegal) methods. But some small suggestions:

1.Make it run as a service.

2.Make sure the process can't be closed.

3.I think there was a UDF some where you can delete the file of a running process. Love it.

4.Figure out how to monitor windows api calls, and look for suspicious stuff like the deletion or modification of system files.

Hope these help, lates.

[WolfWorld]

I made somthing like this a while back, I just hijacked Norton's definitions using secret ninja (and most likely illegal) methods. But some small suggestions:

1.Make it run as a service.

2.Make sure the process can't be closed.

3.I think there was a UDF some where you can delete the file of a running process. Love it.

4.Figure out how to monitor windows api calls, and look for suspicious stuff like the deletion or modification of system files.

Hope these help, lates.

Thanks can you help me find the UDF I can't find it

and 2. I don't know how ?? I try on exit but it work on exit on not on close process

[James]

I ran AutoIt exe but nothing happened. It didnt close it.

[WolfWorld]

I ran AutoIt exe but nothing happened. It didnt close it.

Sir it not AutoIt exe It Autoit3 exe << Right try again

1 More Things it will kill it self if you do not complie it because it name will be autoit3.exe to

Edited May 23, 2007 by athiwatc

[James]

Crap. Wrong thing. Lol, sorry dude.

[WolfWorld]

Crap. Wrong thing. Lol, sorry dude.

:)