question re wormguard database

Discussion in 'WormGuard' started by Tassie_Devils, Oct 15, 2002.

Thread Status:
Not open for further replies.
  1. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    I have a question regarding the WG database.

What I mean is, do I have to keep adding the actual threats into the "Blocked List", or does WG 'know' what a worm is, etc. and just does its job.

Do I have to update it like an anti-virus program or not?

    If so, is there an actual list I can grab or copy instead of having to hit "Add" each and every time I want to add a threat?

    any comments appreciated.

    Cheers, Tas
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Tassie_Devils :D
    No database to edit or actualise, as it's blocking worms and nasties in other ways of detection.
The blocked items list is a personal choice: if you decide you don't have any scripts running you could add .vbs, or if you don't run any exe the .exe, but I am sure your system would become unworkable with that, so I mean the choices of what to add depend on personal situations.
    Hope others jump in with better specific explanation in this area.

    The only needed update will be soon the next version to WG4!
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    The blocked list only goes by filename, if you wish you can continually add known worm filenames to this list - if the worm uses fixed filenames. Wormguard should still detect a lot of threats automatically, but where possible adding to this list will always be a good idea :)

    And yes, Wormguard 4 will have an easy update option to do everything for you.
     
  4. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Jooske/Gavin

I thought as much, and that's what I have been doing, but it was just that it's been quite a while since I did anything with WG, leaving it to its own devices so to speak.

    I personally had already added some of the files already suggested by Jooske in the blocked filetypes side quite a while ago, and now I have just added a few of the latest worms doing the rounds in the blocked filenames section.

    Thanks for the responses, guys, appreciated.
    Cheers, Tas.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
Thanks! For other readers: the file extensions go in the left edit window, the complete file names in the right window.
True, WG comes with several preconfigured names like loveletter with several extensions and several more. I did not try out files with complete paths, while wildcards are not possible. I know even without updating WG has other ways of stopping nasties, but of course like Gavin says it is always a good idea to add some specific fixed names.
     
  6. average Joe

    average Joe Registered Member

    Joined:
    Oct 26, 2002
    Posts:
    7
    Good question Tas, I was going to ask this also.

    So, can anyone direct me to a site that lists current worms and their filenames? Or would anyone post the ones they have added? I think it would be a big help to us less informed.

    Also, would anyone be interested in keeping a running thread listing worms they have added? As new worms appear they could be added to the list. This would hold us over until Wormguard 4, with the update feature, is out.

    Thanks!
     
  7. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    average joe:

Hi: here is the list of what I put in.....

    easy way to add is to go to your wormguard folder, then open up the text file "lockfile.txt" SAVE IT TO DESKTOP FIRST AS BACK UP.

    Then delete all of the files in there then copy this list [contains the original list you got then some more I added].

    Then RESAVE it back into the Wormguard FOLDER.
Open up Wormguard, check the blocked filenames list and voilà! You should have all the new entries.

    Here is the list:

    DECRYPT-PASSWORD.EXE
    dwarf4you.exe
    explorer.doc
    GONE.SCR
    happy99.exe
    irok.exe
    joke.exe
    life_stages.txt.shs
    links.vbs
    love-letter-for-you.htm
    love-letter-for-you.txt.vbs
    midgets.scr
    movie.avi.pif
    network.vbs
    PASSWORD.TXT
    PE_ELKERN.D
    pretty park.exe
    prettypark.exe
    sexy virgin.scr
    south park.exe
    tune.vbs
    VBS_LOVELETTR.AS
    VBS_REDLOF.A
    W32.FRETHEM.E@MM
    W32/FLEMING.WORM
    W97M_MARKER.GO-1
    WORM_BUGBEAR.A
    WORM_KLEZ.H
    WWW..FREEDESKTOPTHEMES*.*
    xpass.xls
    zipped_files.exe
    PE_SPACES.1445
    PE_NIMDA.E
    JS_NIMDA.A
    VBS_LOVELETTR.AS
    W97M_MARKER.GO-1
    PE_CIH.1003
    PE_FUNLOVE.4099

    I added the current Top 10 worms as outlined by TrendMicro.

    cheers, tas

    edit: PS: If anyone has more, PLEEEESE feel free to post here so we can add them also.....

I had edited out some numbers at the end of the list thinking they were the numbers of detections, but upon reading Trend's email, those numbers form part of the worm name, so if anyone has already copied, just redo it please. Sorry.
     
  8. average Joe

    average Joe Registered Member

    Joined:
    Oct 26, 2002
    Posts:
    7
    Thanks very much Tas!

    I also found this up to date list at Symantec:

    http://securityresponse.symantec.com/avcenter/vinfodb.html

    But I have a question on which filename to add. For an example, about 6th on the list is W32.HLLW.Amazex. It also says that KAV calls it Worm.P2P.Amazex and Trend calls it TROJ_ANALA.A. So which is the real filename that we should add? And not just for this example but for any on that list.

    If anyone can answer this it would be much appreciated.

    average Joe
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Average_Joe,
I would add them all to be sure, like you see in the "loveletter" file names too. In TDS-4 we hope for wildcard possibilities, to ease the adding.
     
  10. average Joe

    average Joe Registered Member

    Joined:
    Oct 26, 2002
    Posts:
    7
    Thanks Jooske!

    In the example above I mistakenly thought that there was the worm's real filename, "whatever.exe", and that each AV company just gave it their own label. So I was looking for that "real" filename.

    But then I'm just your average Joe. :)

I'll just add all the names; that's easy enough. But I'm looking forward to Wormguard 4.

    Thanks again!
     
  11. kyte

    kyte Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    25
    Location:
    Australia
    I have taken the list above, and added to it from the symantec site (just that first page, there are so many, the txt file could get really cumbersome). I have attached the file itself rather than listing it in the body of this post, save it in a temp dir if you want to look it over.

    I too had been tending to let wormguard just do its thing, but I'm getting more proactive now, and am about to register ..finally.. :)

    Roll on WG4!
     
  12. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Thanks Kyte. :D Nice list you compiled. I am now the one to be taking a list from someone else, lol...

    thanks again... :cool:
     
  13. average Joe

    average Joe Registered Member

    Joined:
    Oct 26, 2002
    Posts:
    7
    Well done Kyte! Thanks!!!
     
  14. kyte

    kyte Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    25
    Location:
    Australia
    No worries!

    I guess the thing to remember is that there are thousands of trojans, worms etc and their variants, a person could get carried away adding stuff. Thank god for heuristics and TDS3 as well :)
     
  15. kyte

    kyte Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    25
    Location:
    Australia
    bumping this one up..

    has anyone continued to add to the database we began here? I was wondering if WG will slow down if too many worm names are added...??

Here's some from July/August from the Symantec site. I checked for dupes and got some but maybe not all.

    W32.Blaster.Worm
    W32/Lovsan.worm
    Win32.Poza
    Lovsan
    WORM_MSBLAST.A
    W32/Blaster-A
    W32/Blaster
    Backdoor.WinShell.50.b
    BackDoor-TC
    PWSteal.Pport
    W32.Bacterra.Worm
    Worm.P2P.Bacterra.a
    VBS.DDV.B
    PWSteal.Lemir.B
    PWS-Organer
    W32.Mant.Worm
    Worm.P2P.Milcan , W32/Milcan.worm!p2p
    BAT.Rous.worm
    I-Worm.Rous.A
    W32.HLLW.Moega
    Backdoor.Sdbot.gen
    W32.HLLW.Antinny
    Backdoor.OptixPro.12.c
    Backdoor.Optix.Pro.12
    Backdoor.Optix.1_2
    BackDoor-ACH
    W32.Sowsat.C@mm
    Backdoor.IRC.Flood.G
    W32.Nuffy.A
    W32.Nuf.A
    Worm.Win32.Nuf
    W32.HLLW.Tofaced
    W32.Sowsat.B@mm
    I-Worm.Sowsat.f
    Trojan.Stealther.B
    Trojan.Stealther
    Trojan.Win32.Stealther
    Backdoor.WinShell.50
    Backdoor.Winshell.50
    BackDoor-TC
    Backdoor.Sdbot.N
    Backdoor.SdBot.gen
    W32.HLLW.Niklas
    Worm.P2P.Niklas
    W32/MScr.worm!p2p
    W32.Kergez.A@mm
    I-Worm.Kergez
    Backdoor.Hale
    BackDoor-ATM.dr
    Backdoor.Lala.C
    BackDoor-YQ
    Backdoor.Beasty.dr
    TrojanDropper.Win32.Yabinder.a
    Multidropper-CQ trojan
    Backdoor.IRC.Flood.F
    Downloader.Mimail
    W97M.Anumps.A
    Backdoor.IRC.Cirebot
    Win32.RPC.A
    Worm.Win32.Autorooter.a
    Backdoor.IRCBot.gen
    Exploit.Win32.DCom.b
    Downloader-DM
    W32/Lolol.worm.gen
    Exploit-DcomRpc
    Backdoor.Sumtax
    W32.Mimail.A@mm
    WORM_MIMAIL.A
    W32/Mimail@MM
    Win32.Mimail.A
    W32/Mimail-A
    I-Worm.Mimail
    PWSteal.Bancos.B
    Backdoor.FTPserver
    Backdoor.Roxy
    Backdoor.Trojan
    W32/Slanper.worm
    Worm.Win32.Randex.d
    W32.HLLW.Gotorm
    Backdoor.Beasty.G
    Backdoor.BeastDoor.200.a
    BackDoor-AMQ
    Backdoor.Fxsvc
    Backdoor.Fxsvc.02
    Backdoor-AQK
    W32.Upering.Worm
    Trojan.AOL.Annoyer.b
    W32/Sany.worm
    W32.Simic.Worm
    I-Worm.Sinmsn
    Backdoor.Nibu
    VBS.Bingd@mm
    Trojan.VBS.NoExp
    VBS/Generic@MM
    W32.HLLW.Huntocx
    Backdoor.Lala.B
    BackDoor-AOT
    W32.Tzet.Worm
    W32.Lorsis.Worm
    BAT.Boohoo.Worm
    Trojan.OptixKiller
    Backdoor.Optix
    OptixKiller
    Trojan.Win32.OptixKill.30
    Backdoor.IRC.PSK
    BackDoor-AXU
    Download.Trojan.PSK
    Downloader-DK
    Trojan.Progent
    Trojan.Spy.ProAgent.121
    W32.Earlybird@mm
    I-Worm.Wormex
    W32.Babybear.int
    W32.Liamed@mm
    W97M.Acus.A
    WM97/Vmpck1-DV
    W97M/VMPCK.gen
    Macro.Word97.VMPC-based
    W97M.Tooth
    Macro.Word97.Intended.Toothpaste
    W97M/Tooth.A
    W97M_TOOTHPASTE
    W97M/Tooth.A
    WM97/Toothpaste
    W32.Spybot.dr
    W97M.Kazoy
    Macro.Word97.Yozak.b
    WM97/Yozak-B
    W97M/Yozak.B
    W97M.Bench.G
    Macro.Word97.Skyline
    W97M/Skyline.A
    W97M/Bench.C
    W97M_BENCH.F
    W97M/Bencg.gen
    W32.Babybear@mm
    Trojan.Visages
    Trojan.Ailati
    Haver.1309
    Backdoor.Netdevil.15
    W32.Lohack.C.Worm
    I-Worm.Lohack.c
    W32.Nogrov@mm
    W32.Enegg@mm
    BAT.Wimpey.dr
    VBS.Wimpey@mm
    PWSteal.Bancos
    W32.HLLW.Symten@mm
    Bloodhound.W32.VBWORM
    I-Worm.Symten.b
    VBS.Renegy
    VBS.Dasbud.int
    VBS/Dasbud.intd
    Backdoor.Uzbet
    TrojanProxy.Win32.Uzbet
    W32.HLLW.Indor.E@mm
    W32.Jantic.F@mm
    Backdoor.Berbew
    Troj/Webber-A
    BackDoor-AXJ
    TrojanProxy.Win32.Webber.10
    Trojan.Download.Berbew
    Downloader-DI
    W32.HLLP.Conut@mm
    W32/Coconut-A
    I-Worm.Conut
    W32.Femot.D.Worm
    W32/MoFei.worm
    WORM_MOFEI.D
    W32/Mofei-B
    Worm.Win32.Mofeir.c
    Backdoor.Winker
    Backdoor.Winker.f
    W32.Lofni.Worm
    W32.Lohack.B.Worm
    W32/Noala@MM
    W32.Gruel@mm
    Backdoor.WinJank
    Backdoor.Migmaf
    Proxy-Migmaf
    W32.HLLW.Niden
    W32.Jantic.B@mm
    I-Worm.generic
    W32/Generic.a@MM
    W32.HLLW.Redist.C@mm
    W32/Gant.gen@MM
    W32.Moubot
    W32.HLLW.Warpigs
    W32.HLLW.Warpigs.B
    W32.Jantic@mm
    W32.Sadon.dr
    W95/Sadon
    Win32.Mudant.887
    W32/Muttant.867
    W32.Zokrim.V@mm
    W32.Laorenshen.Trojan
    Keylogger.Cone.Trojan
    Keylog-Perfect.dr
    KeyLogger.Win32.PerfectKeyLogger.141
    Trojan.Sarka
    W32.Sadon.867
    W32.MutantQSix


    cheers
    sue
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
WG doesn't look for a worm's name but for malicious code, so you need the working file name, like MSBLAST.EXE for the recent nasty (which I added immediately).
Quite a job you did, now the names.
If you have for instance a joke.exe and joke.com and joke.vbs you would have to add all three of them, and if those were part of a nasty named "imsocute" it's no use to add that name as WG wouldn't think anything of that name. In WG4 we'll be able to use wildcards.
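As an added example (not code from WormGuard or DiamondCS), the following models the filename-only blocked list discussed in post 7 (bulk-editing lockfile.txt) and in Jooske's reply above: entries are compared against the bare file name, so AV detection names such as W32.Blaster.Worm never match anything, while real file names such as MSBLAST.EXE do. It assumes literal, case-insensitive matching with no wildcard support, and the sample list is constructed.

```python
"""Added example, not WormGuard's own code. Models the filename-only blocked
list (lockfile.txt) discussed above. Assumption: WormGuard compares the bare
file name literally and case-insensitively (as Windows does); no wildcards."""
from __future__ import annotations
import shutil
import tempfile
from pathlib import Path

# Constructed sample in the style of the list posted above: real file names,
# AV detection names, and one entry that looks like a wildcard pattern.
SAMPLE_LOCKFILE = """\
happy99.exe
love-letter-for-you.txt.vbs
W32.Blaster.Worm
WORM_MSBLAST.A
WWW..FREEDESKTOPTHEMES*.*
"""

def parse_lockfile(text: str) -> set[str]:
    """One entry per line, blanks ignored, lower-cased for comparison."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def merge_entries(existing: set[str], additions: list[str]) -> tuple[set[str], list[str]]:
    """Merge new names and report which ones were already present (dupes)."""
    dupes = [a for a in additions if a.strip().lower() in existing]
    return existing | parse_lockfile("\n".join(additions)), dupes

def is_blocked(blocked: set[str], path: str) -> bool:
    """Literal match on the bare file name: a detection name such as
    W32.Blaster.Worm never matches a file that is actually msblast.exe."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in blocked

def update_lockfile(wg_dir: Path, additions: list[str], backup_dir: Path) -> set[str]:
    """The bulk-edit procedure from post 7: back up first, merge, resave."""
    lockfile = wg_dir / "lockfile.txt"
    shutil.copy2(lockfile, backup_dir / "lockfile.txt.bak")
    blocked, _ = merge_entries(parse_lockfile(lockfile.read_text()), additions)
    lockfile.write_text("\n".join(sorted(blocked)) + "\n")
    return blocked

def demo_update() -> set[str]:
    """Runs the procedure in a throwaway directory and returns the new list."""
    with tempfile.TemporaryDirectory() as tmp:
        wg_dir, desktop = Path(tmp) / "WormGuard", Path(tmp) / "Desktop"
        wg_dir.mkdir()
        desktop.mkdir()
        (wg_dir / "lockfile.txt").write_text(SAMPLE_LOCKFILE)
        blocked = update_lockfile(wg_dir, ["MSBLAST.EXE", "teekids.exe"], desktop)
        assert (desktop / "lockfile.txt.bak").read_text() == SAMPLE_LOCKFILE
        return blocked
```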
     
  17. kyte

    kyte Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    25
    Location:
    Australia
    so.. W32.blaster.worm won't be found by WG? and the others also won't be found? may as well remove them all then :-/

    oh well, i tried :)

    what about the mimail thing which comes with an attachment message.zip.. should that be added rather than the mimail variants?
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    See again Gavin's reply.
     
  19. kyte

    kyte Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    25
    Location:
    Australia
Yeah I did. I've been on the hunt at the Symantec site for the known names of files and have added a few of those, particularly relating to new or revised threats. I'll wade through most of it sooner or later I guess.
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
TEEKIDS.EXE Don't forget to add this name for the new modified variant of the Blaster worm and you're up to date again for a few moments :)
     
  21. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
I don't understand adding all those names. If it is wrong code it will be stopped anyway. It only can slow things down.
    And who cares whether WG will stop it once or twice ;)
    Just my opinion
    Dolf
     
  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I see Gavin's reaction which i quoted again above.
    If the update and adding names to the list was a bad idea, why add it as a new feature to WG4 then?
     
  23. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
IMHO These new worms are not really worms but "Vulnerability Exploitation Programmes" VEP's? :D so will not have normal worm or virus like patterns.
As these VEP's become more sophisticated then regular database updates for WG4 will become more & more necessary.
     
  24. kyte

    kyte Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    25
    Location:
    Australia
Jooske: thanks for the teekids.exe update, I haven't had a chance to check any more in the last day or so.
     
  25. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    If users ask for a feature, why NOT add it, but does that make it really more functional?
    It's the same as with TDS. Why should it detect a Trojan simulator. Does it make TDS a better AT?
In this case, when starting every program, WG has to go through that list.
If they are not worms, they should be detected by other means. Having to add data to a list manually is not my definition of a well guarded system.
    So in this case, I don't agree with Gavin :D
    But again, just my opinion
    Dolf.
     