question re wormguard database
Tassie_Devils
October 15th, 2002, 12:07 AM
I have a question regarding the WG database.
What I mean is, do I have to keep adding the actual threats into the "Blocked List", or does WG 'know' what a worm is, etc., and just do its job?
Do I have to update it like an anti-virus program, or not?
If so, is there an actual list I can grab or copy instead of having to hit "Add" each and every time I want to add a threat?
Any comments appreciated.
Cheers, Tas
Jooske
October 15th, 2002, 02:50 AM
Hi Tassie_Devils :D
No database to edit or update, as it blocks worms and nasties by other means of detection.
The blocked items list is a personal choice: if you decide you don't have any scripts running you could add .vbs, or if you don't want any exe, .exe, but I am sure your system would become unworkable with that. So I mean the choice of what to add depends on personal situations.
Hope others jump in with a better specific explanation in this area.
The only update needed will soon be the next version, WG4!
Gavin - DiamondCS
October 15th, 2002, 05:10 AM
The blocked list only goes by filename, if you wish you can continually add known worm filenames to this list - if the worm uses fixed filenames. Wormguard should still detect a lot of threats automatically, but where possible adding to this list will always be a good idea :)
And yes, Wormguard 4 will have an easy update option to do everything for you.
Tassie_Devils
October 15th, 2002, 01:17 PM
Hi Jooske/Gavin
I thought as much, and that's what I have been doing, but it's been quite a while since I did anything with WG, leaving it to its own devices so to speak.
I personally had already added some of the files already suggested by Jooske in the blocked filetypes side quite a while ago, and now I have just added a few of the latest worms doing the rounds in the blocked filenames section.
Thanks for the responses, guys, appreciated.
Cheers, Tas.
Jooske
October 15th, 2002, 03:01 PM
Thanks! For other readers: the file extensions go in the left edit window, the complete file names in the right window.
True, WG comes with several preconfigured names like loveletter with several extensions, and several more. I did not try out files with complete paths, while wildcards are not possible. I know even without updating WG has other ways of stopping nasties, but of course, like Gavin says, it is always a good idea to add some specific fixed names.
average Joe
October 26th, 2002, 12:15 PM
Good question Tas, I was going to ask this also.
So, can anyone direct me to a site that lists current worms and their filenames? Or would anyone post the ones they have added? I think it would be a big help to us less informed.
Also, would anyone be interested in keeping a running thread listing worms they have added? As new worms appear they could be added to the list. This would hold us over until Wormguard 4, with the update feature, is out.
Thanks!
Tassie_Devils
November 14th, 2002, 12:08 AM
average joe:
Hi: here is a list of what I put in.....
The easy way to add is to go to your Wormguard folder, then open up the text file "lockfile.txt". SAVE IT TO THE DESKTOP FIRST AS A BACKUP.
Then delete everything in there, then copy in this list [contains the original list you got, then some more I added].
Then RESAVE it back into the Wormguard FOLDER.
Open up Wormguard, check the blocked filenames list and voilà! You should have all the new entries.
Here is the list:
DECRYPT-PASSWORD.EXE
dwarf4you.exe
explorer.doc
GONE.SCR
happy99.exe
irok.exe
joke.exe
life_stages.txt.shs
links.vbs
love-letter-for-you.htm
love-letter-for-you.txt.vbs
midgets.scr
movie.avi.pif
network.vbs
PASSWORD.TXT
PE_ELKERN.D
pretty park.exe
prettypark.exe
sexy virgin.scr
south park.exe
tune.vbs
VBS_LOVELETTR.AS
VBS_REDLOF.A
W32.FRETHEM.E@MM
W32/FLEMING.WORM
W97M_MARKER.GO-1
WORM_BUGBEAR.A
WORM_KLEZ.H
WWW..FREEDESKTOPTHEMES*.*
xpass.xls
zipped_files.exe
PE_SPACES.1445
PE_NIMDA.E
JS_NIMDA.A
VBS_LOVELETTR.AS
W97M_MARKER.GO-1
PE_CIH.1003
PE_FUNLOVE.4099
I added the current Top 10 worms as outlined by TrendMicro.
cheers, tas
edit: PS: If anyone has more, PLEEEESE feel free to post here so we can add them also.....
I had edited out some numbers at the end of the list thinking they were the numbers of detections, but upon reading Trend's email, those numbers form part of the worm name, so if anyone has already copied it, just redo it please. Sorry.
average Joe
November 18th, 2002, 03:11 PM
Thanks very much Tas!
I also found this up to date list at Symantec:
http://securityresponse.symantec.com/avcenter/vinfodb.html
But I have a question on which filename to add. For an example, about 6th on the list is W32.HLLW.Amazex. It also says that KAV calls it Worm.P2P.Amazex and Trend calls it TROJ_ANALA.A. So which is the real filename that we should add? And not just for this example but for any on that list.
If anyone can answer this it would be much appreciated.
average Joe
Jooske
November 18th, 2002, 04:04 PM
Hi Average_Joe,
I would add them all to be sure, like you see in the "loveletter" file names too. In TDS-4 we hope for wildcard possibilities, to ease the adding.
average Joe
November 21st, 2002, 01:06 PM
Thanks Jooske!
In the example above I mistakenly thought that there was the worm's real filename, "whatever.exe", and that each AV company just gave it their own label. So I was looking for that "real" filename.
But then I'm just your average Joe. :)
I'll just add all the names; that's easy enough. But I'm looking forward to Wormguard 4.
Thanks again!
kyte
November 22nd, 2002, 10:43 PM
I have taken the list above, and added to it from the symantec site (just that first page, there are so many, the txt file could get really cumbersome). I have attached the file itself rather than listing it in the body of this post, save it in a temp dir if you want to look it over.
I too had been tending to let wormguard just do its thing, but I'm getting more proactive now, and am about to register ..finally.. :)
Roll on WG4!
Tassie_Devils
November 23rd, 2002, 12:18 AM
Quoting kyte:
> I have taken the list above, and added to it from the symantec site (just that first page, there are so many, the txt file could get really cumbersome). I have attached the file itself rather than listing it in the body of this post, save it in a temp dir if you want to look it over.
> .......snipped
Thanks Kyte. ;D Nice list you compiled. I am now the one to be taking a list from someone else, lol...
thanks again... 8)
average Joe
November 23rd, 2002, 05:43 PM
Well done Kyte! Thanks!!!
kyte
November 24th, 2002, 01:10 PM
No worries!
I guess the thing to remember is that there are thousands of trojans, worms etc and their variants, a person could get carried away adding stuff. Thank god for heuristics and TDS3 as well :)
kyte
August 12th, 2003, 02:26 PM
bumping this one up..
Has anyone continued to add to the database we began here? I was wondering if WG will slow down if too many worm names are added...??
Here are some from July/August from the Symantec site. I checked for dupes and got some, but maybe not all.
W32.Blaster.Worm
W32/Lovsan.worm
Win32.Poza
Lovsan
WORM_MSBLAST.A
W32/Blaster-A
W32/Blaster
Backdoor.WinShell.50.b
BackDoor-TC
PWSteal.Pport
W32.Bacterra.Worm
Worm.P2P.Bacterra.a
VBS.DDV.B
PWSteal.Lemir.B
PWS-Organer
W32.Mant.Worm
Worm.P2P.Milcan
W32/Milcan.worm!p2p
BAT.Rous.worm
I-Worm.Rous.A
W32.HLLW.Moega
Backdoor.Sdbot.gen
W32.HLLW.Antinny
Backdoor.OptixPro.12.c
Backdoor.Optix.Pro.12
Backdoor.Optix.1_2
BackDoor-ACH
W32.Sowsat.C@mm
Backdoor.IRC.Flood.G
W32.Nuffy.A
W32.Nuf.A
Worm.Win32.Nuf
W32.HLLW.Tofaced
W32.Sowsat.B@mm
I-Worm.Sowsat.f
Trojan.Stealther.B
Trojan.Stealther
Trojan.Win32.Stealther
Backdoor.WinShell.50
Backdoor.Winshell.50
BackDoor-TC
Backdoor.Sdbot.N
Backdoor.SdBot.gen
W32.HLLW.Niklas
Worm.P2P.Niklas
W32/MScr.worm!p2p
W32.Kergez.A@mm
I-Worm.Kergez
Backdoor.Hale
BackDoor-ATM.dr
Backdoor.Lala.C
BackDoor-YQ
Backdoor.Beasty.dr
TrojanDropper.Win32.Yabinder.a
Multidropper-CQ trojan
Backdoor.IRC.Flood.F
Downloader.Mimail
W97M.Anumps.A
Backdoor.IRC.Cirebot
Win32.RPC.A
Worm.Win32.Autorooter.a
Backdoor.IRCBot.gen
Exploit.Win32.DCom.b
Downloader-DM
W32/Lolol.worm.gen
Exploit-DcomRpc
Backdoor.Sumtax
W32.Mimail.A@mm
WORM_MIMAIL.A
W32/Mimail@MM
Win32.Mimail.A
W32/Mimail-A
I-Worm.Mimail
PWSteal.Bancos.B
Backdoor.FTPserver
Backdoor.Roxy
Backdoor.Trojan
W32/Slanper.worm
Worm.Win32.Randex.d
W32.HLLW.Gotorm
Backdoor.Beasty.G
Backdoor.BeastDoor.200.a
BackDoor-AMQ
Backdoor.Fxsvc
Backdoor.Fxsvc.02
Backdoor-AQK
W32.Upering.Worm
Trojan.AOL.Annoyer.b
W32/Sany.worm
W32.Simic.Worm
I-Worm.Sinmsn
Backdoor.Nibu
VBS.Bingd@mm
Trojan.VBS.NoExp
VBS/Generic@MM
W32.HLLW.Huntocx
Backdoor.Lala.B
BackDoor-AOT
W32.Tzet.Worm
W32.Lorsis.Worm
BAT.Boohoo.Worm
Trojan.OptixKiller
Backdoor.Optix
OptixKiller
Trojan.Win32.OptixKill.30
Backdoor.IRC.PSK
BackDoor-AXU
Download.Trojan.PSK
Downloader-DK
Trojan.Progent
Trojan.Spy.ProAgent.121
W32.Earlybird@mm
I-Worm.Wormex
W32.Babybear.int
W32.Liamed@mm
W97M.Acus.A
WM97/Vmpck1-DV
W97M/VMPCK.gen
Macro.Word97.VMPC-based
W97M.Tooth
Macro.Word97.Intended.Toothpaste
W97M/Tooth.A
W97M_TOOTHPASTE
W97M/Tooth.A
WM97/Toothpaste
W32.Spybot.dr
W97M.Kazoy
Macro.Word97.Yozak.b
WM97/Yozak-B
W97M/Yozak.B
W97M.Bench.G
Macro.Word97.Skyline
W97M/Skyline.A
W97M/Bench.C
W97M_BENCH.F
W97M/Bencg.gen
W32.Babybear@mm
Trojan.Visages
Trojan.Ailati
Haver.1309
Backdoor.Netdevil.15
W32.Lohack.C.Worm
I-Worm.Lohack.c
W32.Nogrov@mm
W32.Enegg@mm
BAT.Wimpey.dr
VBS.Wimpey@mm
PWSteal.Bancos
W32.HLLW.Symten@mm
Bloodhound.W32.VBWORM
I-Worm.Symten.b
VBS.Renegy
VBS.Dasbud.int
VBS/Dasbud.intd
Backdoor.Uzbet
TrojanProxy.Win32.Uzbet
W32.HLLW.Indor.E@mm
W32.Jantic.F@mm
Backdoor.Berbew
Troj/Webber-A
BackDoor-AXJ
TrojanProxy.Win32.Webber.10
Trojan.Download.Berbew
Downloader-DI
W32.HLLP.Conut@mm
W32/Coconut-A
I-Worm.Conut
W32.Femot.D.Worm
W32/MoFei.worm
WORM_MOFEI.D
W32/Mofei-B
Worm.Win32.Mofeir.c
Backdoor.Winker
Backdoor.Winker.f
W32.Lofni.Worm
W32.Lohack.B.Worm
W32/Noala@MM
W32.Gruel@mm
Backdoor.WinJank
Backdoor.Migmaf
Proxy-Migmaf
W32.HLLW.Niden
W32.Jantic.B@mm
I-Worm.generic
W32/Generic.a@MM
W32.HLLW.Redist.C@mm
W32/Gant.gen@MM
W32.Moubot
W32.HLLW.Warpigs
W32.HLLW.Warpigs.B
W32.Jantic@mm
W32.Sadon.dr
W95/Sadon
Win32.Mudant.887
W32/Muttant.867
W32.Zokrim.V@mm
W32.Laorenshen.Trojan
Keylogger.Cone.Trojan
Keylog-Perfect.dr
KeyLogger.Win32.PerfectKeyLogger.141
Trojan.Sarka
W32.Sadon.867
W32.MutantQSix
cheers
sue
Jooske
August 12th, 2003, 02:57 PM
WG doesn't look for a worm's name but for malicious code, so you need the working file name, like MSBLAST.EXE for the recent nasty (which I added immediately).
Quite a job you did; now the names.
If you have for instance a joke.exe and joke.com and joke.vbs you would have to add all three of them, and if those were part of a nasty named "imsocute" it's no use adding that name, as WG wouldn't think anything of it. In WG4 we'll be able to use wildcards.
kyte
August 12th, 2003, 04:37 PM
So.. W32.blaster.worm won't be found by WG? And the others also won't be found? May as well remove them all then :-/
Oh well, I tried :)
What about the Mimail thing, which comes with an attachment message.zip.. should that be added rather than the Mimail variants?
Jooske
August 12th, 2003, 07:31 PM
Quoting Gavin / DiamondCS:
> The blocked list only goes by filename, if you wish you can continually add known worm filenames to this list - if the worm uses fixed filenames. Wormguard should still detect a lot of threats automatically, but where possible adding to this list will always be a good idea :)
> And yes, Wormguard 4 will have an easy update option to do everything for you.
See again Gavin's reply.
kyte
August 13th, 2003, 04:19 AM
Yeah I did. I've been on the hunt at the Symantec site for the known names of files and have added a few of those, particularly relating to new or revised threats; I'll wade through most of it sooner or later, I guess.
Jooske
August 13th, 2003, 01:37 PM
TEEKIDS.EXE: don't forget to add this name for the new modified variant of the Blaster worm, and you're up to date again for a few moments :)
DolfTraanberg
August 13th, 2003, 02:33 PM
I don't understand adding all those names. If it is wrong code it will be stopped anyway. It can only slow things down.
And who cares whether WG will stop it once or twice ;)
Just my opinion
Dolf
Jooske
August 13th, 2003, 02:40 PM
I see Gavin's reaction which i quoted again above.
If the update and adding names to the list was a bad idea, why add it as a new feature to WG4 then?
Pilli
August 13th, 2003, 04:59 PM
IMHO these new worms are not really worms but "Vulnerability Exploitation Programmes", VEPs? :D So they will not have normal worm- or virus-like patterns.
As these VEPs become more sophisticated, regular database updates for WG4 will become more & more necessary.
kyte
August 13th, 2003, 05:06 PM
Jooske: thanks for the teekids.exe update, I haven't had a chance to check any more in the last day or so.
DolfTraanberg
August 13th, 2003, 05:10 PM
Quoting Jooske:
> .....why add it as a new feature to WG4 then?
If users ask for a feature, why NOT add it, but does that make it really more functional?
It's the same as with TDS. Why should it detect a Trojan simulator. Does it make TDS a better AT?
In this case, when starting every program, WG has to go through that list.
Quoting Pilli:
> IMHO these new worms are not really worms but "Vulnerability Exploitation Programmes", VEPs? :D So they will not have normal worm- or virus-like patterns.
> As these VEPs become more sophisticated, regular database updates for WG4 will become more & more necessary.
If they are not worms, they should be detected by other means. Having to add data to a list manually, is not my definition of a well guarded system.
So in this case, I don't agree with Gavin ;D
But again, just my opinion
Dolf.
Jooske
August 14th, 2003, 01:37 AM
The Teekids.exe update info had just come into my email a few minutes before I posted it here immediately.
I don't know if the mass DDoS attack on the Microsoft sites on 16 August is just a hoax or really planned, and I'm not interested in taking part in that, so I added those two nasties.
We already have the feature for manually adding nasties to the block list; I think I remember that in WG4 there will be update lists, so it would be a press of a button, or maybe even automated updating.
DolfTraanberg
August 14th, 2003, 01:42 AM
Quoting Jooske:
> .... and I'm not interested in taking part in that, so I added those two nasties.
I have a firewall for that ;D
DolfTraanberg
August 14th, 2003, 01:58 AM
My first Virus/Worm will be called Setup.exe, hoping it will be added to the blocked-file list ;D
Dolf
Jooske
August 14th, 2003, 02:07 AM
Long ago I had an email with an automatic download which just started without me asking permission. I don't remember if that was a nasty or a legal file, but I felt very uncomfortable. After that we got all kinds of patches and security updates for Windows, IE, OE, closing one vulnerability after the other, and more. In those days a command given on the PC for something outbound was not stopped properly by the firewalls; besides all those security updates we had to learn to block outbound traffic too, with our firewalls and whatever there is.
Long, long ago I noticed strange traffic or probes to use my system as a proxy or to route traffic on or via my system, so I was really happy that with the newer versions of the FW I use it is now finally possible to put security on highest.
And there are more ports I blocked for inbound plus outbound traffic, like there are for this current Blaster thing: ports 69, 135, 445, 4444. So adding the names of the nasty and a new variant is just a small thing to do.
One never knows if there is any new vulnerability being used which is not patched away yet, and I do like layered security.
Indeed, on some forums I saw rather rude comments that one must be really stupid to be caught by this one, not having updated and having no firewall, but don't underestimate the trojan/worm coders.
DolfTraanberg
August 14th, 2003, 02:13 AM
Quoting Jooske:
> ... but don't underestimate the trojan/worm coders.
I don't....
that's why I think a blocked-file list is next to useless
Peaches
August 14th, 2003, 02:23 AM
:) Here are a few more to add to the list altho' there may be duplications: Copied from the Sophos site.
WORM_WUKILL.A
WORM_TZET.A
WORM_SPYBOT.GEN
WORM_SOBIG.E Medium
WORM_SOBIG.D
WORM_SOBIG.C
WORM_SOBIG.B
WORM_SCORVAN.A
WORM_SAGE.A
WORM_SACHIEL.F
WORM_RPCSDBOT.A
WORM_RANDEX.D
WORM_RANDEX.C
WORM_NOFER.C
WORM_NACO.D
WORM_NACO.B
WORM_MYLIFE.M
WORM_MUMU.B
WORM_MSBLAST.GEN
WORM_MSBLAST.C
WORM_MSBLAST.B
WORM_MSBLAST.A
WORM_MOFEI.C
WORM_MOFEI.B
WORM_MOFEI.A
WORM_MIMAIL.A
WORM_MELARE.A
WORM_MAPSON.A
WORM_MAAX.B
WORM_KLEXE.A
WORM_KIRBO.A
WORM_JANTIC.F
WORM_JANTIC.B
WORM_ISRAZ.A
WORM_GRUEL.H
WORM_GRUEL.E
WORM_GRUEL.D
WORM_GANT.C
WORM_GANT.B
WORM_FRANRIV.A
WORM_DUKSTEN.O
WORM_CROCK.A
WORM_COLEVO.A
WORM_BACKZAT.A
WORM_AURIC.E
WORM_AURIC.C
WORM_AURIC.B
WORM_AURIC.A
WORM_AINJO.E
TROJ_SYSTRIM.A
TROJ_MSBLAST.DRP
TROJ_MIGMAF.A
RPC DCOM BUFFER OVERFLOW
PE_VOTE.E Low
PE_NIMDA.L Low
PE_NACO.F Low
PE_LOVGATE.M
PE_LOVGATE.L
PE_CONUT.A Low
PE_BUGBEAR.DAM
PE_BUGBEAR.B
ELF_TYPOT.B
ELF_TYPOT.A
CISCO IOS VULNERABILITY
BKDR_LITH.103.A
BKDR_CIREBOT.B
BKDR_CIREBOT.A
BAT_FORCA.C Low
Top threats:
1. WORM_FRIENDGRT.B
2. WORM_KLEZ.H
3. WORM_LOVGATE.F
4. WORM_MSBLAST.A
5. WORM_MIMAIL.A
6. TROJ_HACLINE.A
7. PE_PARITE.A
8. WORM_YAHA.P
9. WORM_LOVGATE.G
10. WORM_YAHA.G
DolfTraanberg
August 14th, 2003, 02:30 AM
WG cannot do anything with that list.
It is expecting executable filenames.
Dolf
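As an added example (not WormGuard's or DiamondCS's code, and not something posted in this thread), the following Python script models the blocked-filenames list the way Gavin, Jooske and Dolf describe it: an exact match on the file name only, no paths, no wildcards, and no understanding of vendor detection names such as W32.Blaster.Worm. It covers both Tas's copy-and-paste procedure for lockfile.txt earlier in the thread and the point Dolf makes above: it assumes lockfile.txt holds one entry per line (an assumption drawn from that procedure; the real format is not documented here), merges and dedupes pasted lists case-insensitively, sorts entries into usable filenames, detection names the list cannot act on, and junk, flags double extensions like movie.avi.pif, and checks whether a given path would be caught. The sample list, the prefix table and the function names are all constructed for the example.

```python
"""Added example, not WormGuard's or DiamondCS's code and not posted in the
thread.  Models the blocked-filenames list as the posts describe it: exact
match on the file name only, no paths, no wildcards, and no knowledge of
vendor detection names.  The one-entry-per-line lockfile.txt layout is an
assumption drawn from the copy-and-paste procedure posted above."""
import re

# Constructed sample in the shape of the lists posted in this thread; it
# mixes real filenames, vendor detection names and copy-paste residue.
SAMPLE_LOCKFILE = """\
love-letter-for-you.txt.vbs
movie.avi.pif
MSBLAST.EXE
teekids.exe
msblast.exe
W32.Blaster.Worm
WORM_SOBIG.E Medium
W32.Mimail.A@mm
PE_CIH.1003
RPC DCOM BUFFER OVERFLOW
WWW..FREEDESKTOPTHEMES*.*
"""

# Heuristic table of detection-name prefixes used by the vendors quoted in
# the thread (Symantec, Trend Micro, Kaspersky, McAfee, Sophos). Not exhaustive.
DETECTION_PREFIX = re.compile(
    r"^(W32|W95|W97M|WM97|VBS|JS|PE|ELF|BAT|TROJ|BKDR|WORM|I-Worm|Worm|"
    r"Backdoor|Trojan(Dropper|Proxy)?|PWSteal|PWS|Macro|Win32|Exploit|"
    r"Download(er)?|Keylog(ger)?|Proxy|Bloodhound|Multidropper)[._/-]",
    re.IGNORECASE,
)
# Not allowed in Windows filenames; '*' and '?' would also be wildcards,
# which the thread says the blocked list does not support.
INVALID_CHARS = set('<>:"/\\|?*')
# Extensions Windows runs on double-click; the posted names are full of
# these hidden behind a second, harmless-looking extension.
EXEC_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
             "js", "jse", "wsf", "wsh", "hta", "shs", "shb", "lnk"}


def classify(entry):
    """Sort one blocklist line into what a filename-only blocker can use."""
    e = entry.strip()
    if not e:
        return "empty"
    # '@mm', '!p2p' and the vendor prefixes mark detection names, which a
    # filename match can never hit (Jooske's "imsocute" point).
    if "@" in e or "!" in e or DETECTION_PREFIX.match(e):
        return "detection-name"
    if INVALID_CHARS & set(e):
        return "invalid"
    stem, dot, ext = e.rpartition(".")
    if dot and stem and ext.isalpha() and len(ext) <= 4:
        return "filename"
    return "not-a-filename"


def load_entries(text):
    """One entry per line, blanks dropped, duplicates merged without regard
    to case (Windows filenames are case-insensitive)."""
    seen, entries = set(), []
    for line in text.splitlines():
        e = line.strip()
        if e and e.lower() not in seen:
            seen.add(e.lower())
            entries.append(e)
    return entries


def audit(entries):
    """Group entries by classification so a pasted list can be reviewed."""
    report = {}
    for e in entries:
        report.setdefault(classify(e), []).append(e)
    return report


def double_extension(name):
    """True for names like movie.avi.pif: an executable extension behind a
    harmless-looking one (Explorer hides known extensions by default)."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2].isalpha()


def is_blocked(path, entries):
    """Exact, case-insensitive match on the base name, the only matching
    the thread says the blocked list does (no paths, no wildcards)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in {e.lower() for e in entries if classify(e) == "filename"}


def clean_lockfile(*texts):
    """Merge several pasted lists into one lockfile body that keeps only the
    entries a filename-only blocker can act on."""
    merged = load_entries("\n".join(texts))
    return "\n".join(e for e in merged if classify(e) == "filename") + "\n"


if __name__ == "__main__":
    entries = load_entries(SAMPLE_LOCKFILE)
    for kind, names in audit(entries).items():
        print(kind)
        for n in names:
            flag = "  (double extension)" if double_extension(n) else ""
            print("   ", n + flag)
    print("blocks msblast.exe:", is_blocked(r"C:\WINDOWS\system32\msblast.exe", entries))
    print("blocks msblast.exe.bak:", is_blocked("msblast.exe.bak", entries))
```

Run it against the real lockfile.txt (after taking the backup Tas recommends) to see which pasted entries are dead weight; anything reported as a detection name needs the worm's actual dropped filename instead, which is the lookup Jooske and kyte describe doing by hand on the vendor pages.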
Jooske
August 14th, 2003, 02:42 AM
Hi Peaches,
Thank you, lots of work! Did you find the executable filenames for those too?
Like I did for Blaster, msblaster.exe and teekids.exe for instance, and in cases where we know a nasty drops or creates filenames, include those too.
Not that it is all necessary, WG looks for malicious code anyway, but as Pilli explained the file can seem very legitimate and be used for some exploit/vulnerability, so blocking that innocent-looking file would be great too, I guess, although they won't be able to do anything bad if their nasty brother is blocked already; let's hope for that!
I'm sure Gavin/Jason will correct us if we're wrong.
And remember TDS exec protection does block too what is on its path to block, so those trojans in your list will be among them as they are in the references.
Copyright ©2002 - 2009, Wilders Security Forums