worm ss-3, dwarf.b??

Discussion in 'Trojan Defence Suite' started by marti, Mar 25, 2002.

Thread Status:
Not open for further replies.
  1. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    Don't laugh guys, but I just finished a very scary detective novel.  They were tracking a computer cracker who started killing folks.   I downloaded the evaluation copy of TDS and found some suspicious files:  it didn't like some of my unusual file names.   :D

    However, TDS also decided that a DOS help file, written in QBasic, was a worm.

    File Trace: Default trojan filename: Worm.SS-3 (Dwarf.b)
     File: C:\help.com

    It's a valid file and works as it's supposed to.  Any advice here?  (Other than stop reading scary novels. :D)

    thanks,
    marti
     
  2. SPY

    SPY Guest

    I would scan the file with TrojanHunter, and see what/ if anything is reported. A second opinion never hurts.
     
  3. marti

    marti Registered Member

    I downloaded the evaluation copy of Trojan Hunter -- it didn't find any suspicious files.

    I forgot to mention in my initial post that I have the purchased version of Pest Patrol.  PP has never found any suspicious files (I purchased it in August 2001).

    marti
     
  4. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Hi Marty,
    "Default trojan filename" with File Trace scanning means that it has simply found the presence of a filename that is known to be used only by a particular trojan. The SS-3 worm (which incidentally has nothing to do with SS3 scripts) installs to c:\help.com (hard-coded), and is several years old but we've never had any other reports of c:\help.com existing (what's it doing in your root directory for starters? :)), so it's probably a good thing that it was detected. If it was the SS-3 Worm you would have also seen at least one other alarm - a positive identification.

    Best regards,
    Wayne
     
  5. marti

    marti Registered Member

    Hi Wayne,

    I knew that it was not a worm/trojan, but was curious as to what your program found.

    The DOS help files are in the root directory because that's where they are supposed to be.  :D  

    thanks,
    marti
     
  6. marti

    marti Registered Member

    I updated to the latest ref files this morning.  It does not find the "File Trace: Default trojan filename: Worm.SS-3 (Dwarf.b)  
     File: C:\help.com"

    However, it still does not like my valid file name of xxx.bat.pif.  :D

    marti

     
     
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    WormGuard would probably jump on that one too for various reasons.
    Good to be warned.
     
  8. marti

    marti Registered Member


    Hi Jooske,

    It's nice to be warned about a suspicious file.  However, the xxx.bat.pif file is a valid file and one that I created.  There does not seem to be a way to ignore certain files that show up during each scan.

    thanks,
    marti
     
  9. Jooske

    Jooske Registered Member

    TDS has scan options to exclude directories and subdirectories; maybe you can do something with that? Although I prefer scanning all, and I remember some finds from former times.
     
  10. marti

    marti Registered Member

    Yes, I found that.  However, the file in question is in the send-to folder within the Win98SE directory.  I'm looking for a way to exclude unique files, without excluding the entire directory.

    marti
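
Added example (not part of the thread and not DiamondCS code): a Python illustration of the distinction Wayne draws between a filename-only "File Trace" alarm and a positive identification, together with the per-file exclusion marti asks about, pinned to a content hash so it lapses if the file changes. The hash set, the extension list, the SendTo path, and the idea that the double extension is what triggers the xxx.bat.pif alarm are assumptions.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed reference data. Only the path C:\help.com and the detection name
# come from the thread; the "known bad" content is a stand-in, not a real sample.
DEFAULT_TROJAN_PATHS = {r"c:\help.com": "Worm.SS-3 (Dwarf.b)"}
BAD_SAMPLE = b"constructed stand-in for worm body"
KNOWN_BAD_SHA256 = {hashlib.sha256(BAD_SAMPLE).hexdigest(): "Worm.SS-3 (Dwarf.b)"}
EXECUTABLE_EXTS = {".pif", ".exe", ".com", ".scr", ".bat", ".cmd", ".vbs"}


def sha256(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def scan(path: str, content: bytes, exclusions: dict = None) -> list:
    """Return (alarm_type, detail) tuples for one file.

    exclusions maps a lower-cased full path to the SHA-256 the user approved,
    so an exclusion covers one file and lapses if that file's content changes.
    """
    p = PureWindowsPath(path)
    key = str(p).lower()
    digest = sha256(content)
    alarms = []

    # Content match: positive identification, never suppressed by an exclusion.
    if digest in KNOWN_BAD_SHA256:
        alarms.append(("positive-identification", KNOWN_BAD_SHA256[digest]))

    # Name-only heuristics below are skipped for an approved, unchanged file.
    if (exclusions or {}).get(key) == digest:
        return alarms

    # File trace: the path matches a trojan's default install location.
    if key in DEFAULT_TROJAN_PATHS:
        alarms.append(("file-trace", DEFAULT_TROJAN_PATHS[key]))

    # Double extension ending in an executable type (assumed reason for the flag).
    suffixes = [s.lower() for s in p.suffixes]
    if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS:
        alarms.append(("double-extension", p.name))
    return alarms
```

A file-trace alarm on its own says only that the name matches; a scanner that also returns a positive identification for the same file has matched its content.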
     