eDexter contains worm?

Discussion in 'WormGuard' started by Q Section, Apr 18, 2003.

Thread Status:
Not open for further replies.
  1. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    Greetings Everyone

    We just installed a new application called eDexter found here: http://www.accs-net.com/hosts/eDexter.html
    Immediately WormGuard caught it as possibly having a worm. This is supposed to be an anti-adware application which takes the place of ad images on pages. Is this a false positive or does it have a worm?

    Thank you for your help.

    HMSS Q Section
     
  2. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    I can hardly believe eDexter contains a worm. It seems that either eDexter's activities look suspect to WormGuard, or that there are suspect patterns.

    Do you have any other AV-tool to check again?
     
  3. Q Section

    Q Section Registered Member

    Hello
    We also checked the file with Spybot S&D, Ad-Aware 6, Gladiator AV and NOD32 and they all came up negative. So possibly this is a false positive? When prompted, WormGuard put the files in question in quarantine. Not all eDexter files landed there - only these two - edexter.exe.ANALYSIS.TXT and edexter.exe.TXT. A worm expert needs to advise as we are not as studied in this department.

    Thank you.

    HMSS Q Section
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    My guess is the double extensions set WormGuard off.

    From: http://wormguard.diamondcs.com.au/index.php?page=features
    Hiding intentions through multiple extensions is interpreted as suspect behaviour.

    Regards,

    Pieter
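To make the "double extension" heuristic Pieter refers to concrete, here is an added example (not WormGuard's code and not part of the original thread) that classifies filenames the way such a heuristic would. The extension lists, the severity labels and the sample filenames are constructed for this illustration; WormGuard's actual rule set is not published on the page. The point it shows is why a name like edexter.exe.TXT is only a mild hit (the real, last extension is not executable) while a name like LOVE-LETTER-FOR-YOU.TXT.vbs is the genuinely dangerous pattern, and how Windows' "hide extensions for known file types" setting makes the two look alike in Explorer.

```python
# Added example: a double-extension heuristic of the kind WormGuard uses.
# The extension sets below are assumptions for this illustration, not
# WormGuard's rule set.

# Extensions Windows will execute directly when they are the real (last)
# extension of a file.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta"}

# Extensions an attacker typically puts in front of the real one as a decoy,
# so the name reads like a document or picture.
DECOY_EXTS = {"txt", "jpg", "jpeg", "gif", "png", "bmp", "doc", "pdf",
              "htm", "html", "mp3", "avi"}

# Extensions Explorer hides when "Hide extensions for known file types" is on
# (simplified: we treat every extension we know about as "known").
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS


def split_extensions(filename):
    """Return the lower-cased extension chain of a filename.

    'edexter.exe.ANALYSIS.TXT' -> ['exe', 'analysis', 'txt']
    Whitespace padding ('invoice.pdf      .exe') is stripped from each part,
    since that padding is itself a trick to push the real extension out of
    view in a narrow dialog.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = [p.strip() for p in base.split(".")]
    return [p.lower() for p in parts[1:] if p]


def classify(filename):
    """Rate a filename as a double-extension heuristic would.

    'high' - the real extension is executable and a decoy extension precedes
             it (e.g. 'report.txt.exe'): the classic worm trick.
    'mild' - more than one extension, but the real one is not executable
             (e.g. 'edexter.exe.TXT'): worth a look, not a threat by itself.
    'none' - zero or one extension.
    """
    exts = split_extensions(filename)
    if len(exts) < 2:
        return "none"
    real = exts[-1]
    if real in EXECUTABLE_EXTS and any(e in DECOY_EXTS for e in exts[:-1]):
        return "high"
    return "mild"


def explorer_display_name(filename):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the last extension is dropped if it is a known type, so 'report.txt.exe'
    displays as 'report.txt' and 'edexter.exe.TXT' displays as 'edexter.exe'.
    This is why a double extension, even a harmless one, is flagged."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return base
    stem, _, last = base.rpartition(".")
    if last.strip().lower() in KNOWN_EXTS:
        return stem
    return base


def scan(filenames):
    """Classify each name; returns {filename: verdict}."""
    return {name: classify(name) for name in filenames}


if __name__ == "__main__":
    # Constructed sample names: the two from the thread plus typical worm
    # lures (the LOVE-LETTER name is the well-known 2000 worm's attachment).
    samples = [
        "edexter.exe.ANALYSIS.TXT",
        "edexter.exe.TXT",
        "edexter.exe",
        "LOVE-LETTER-FOR-YOU.TXT.vbs",
        "invoice.pdf                .exe",
        "archive.tar.gz",
    ]
    for name, verdict in scan(samples).items():
        print(f"{verdict:5} {name!r:40} shown as {explorer_display_name(name)!r}")
```

Running the block prints a verdict per sample: the two quarantined eDexter names come out as "mild" (last extension .TXT, not executable), the LOVE-LETTER and padded invoice names as "high", and plain edexter.exe as "none". The explorer_display_name column shows the practical reason a cautious tool alerts on any double extension: with known extensions hidden, edexter.exe.TXT and a real edexter.exe are indistinguishable by name alone, so the user has to inspect the file contents, as the thread goes on to recommend.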
     
  5. Q Section

    Q Section Registered Member

    Our testing computers are game so we will get the files out of quarantine and try it. We will post results here soon.
    Thank you.

    HMSS Q Section
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    I don't think you will have any problems. :)

    Regards,

    Pieter
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Qsection, almost certainly a false positive on the double extensions.
    WG will even pick up quite innocent words in email, such as "I have a bad throat caused by a 'viral infection'", but this is not usually a problem as you can preview the text without opening the file; once previewed, one can normally make a good judgement of the file's credibility. This may be a little over-cautious, but it is better to be safe than sorry :D

    HTH Pilli
     
  8. Q Section

    Q Section Registered Member

    Thanks and so far no problems. BTW - Is it not WormGuard that places the TXT suffix on an EXE file to prevent execution upon placement in quarantine?

    Thanks again

    HMSS Q Section
     
  9. Pilli

    Pilli Registered Member

    Qsection, to be honest I am not quite sure. I have WG set to ask me before allowing/disallowing a suspect file to run and as yet have never had one quarantined. Reading through the help file does not help, unless I have missed something. :rolleyes:
    The only other thing that may have caused this, as far as I can see, is if you have disallowed the .exe extension in the WG setup?
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi all,
    WG is not placing extra TXT to make a file un-executable.
    In the safe mode you can look in the file content if there is anything suspicious.
    My guess is that it is the double extensions WG is alerting on, telling you it could be a mild alert and that the real extension is exe or txt, whatever.
    If it's a high security risk it will be displayed like that.
    So always watch the alert message, they really differ :)


    If you disallowed all EXEs, no program would run without an alert, so I don't think you really would want to configure that!
     
  11. Pilli

    Pilli Registered Member

    Thanks Jooske, I guessed that was so, as on re-reading the help files (the DCS WG help etc.) there was no mention of adding an extension to any errant files.

    I am wondering though if any other security programme may do such a thing?

    My point about the adding of .exe extensions was aimed at over-zealous use of the disallow function :D
     