WormGuard & Stone Soup

Discussion in 'WormGuard' started by darksky, Jan 16, 2003.

Thread Status:
Not open for further replies.
  1. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    Ever hear the story about "stone soup"? (If not, or just for a fun refresher, read it at the bottom of this message.)

    I thought it might be fun to start a "stone soup" with WormGuard.

    I've taken the included items from the Block List Editor area (which of course is lockfile.txt) and added a bunch more "nasties". I've endeavored to keep all the original entries and added a whole lot more (check me for accuracy of course prior to using, i.e. use at your own risk).

    To use, simply cut & paste the list below into Notepad and save it as lockfile.txt in your WormGuard directory, and you should have a much more powerful list of "nasties" to block. (Be sure to rename and save your original lockfile.txt file.)

    Of course this WormGuard "soup" would be even more wonderful with a few other "nasties" added in. Perhaps you can come up with a few I've left out and expand the list? :) Feel free to add anything else you can think of...

    H E R E ' S T H E "S O U P" - E N J O Y !!! (I'm using a BIG STONE)

    ants3set.exe
    BACKDOOR.AMITIS
    BACKDOOR.AMITIS.12
    BACKDOOR.ASSASIN.11
    BACKDOOR.ASSASIN.D
    BACKDOOR.COLFUSER
    BACKDOOR.COW
    BACKDOOR.CYBSPY
    BACKDOOR.DEFTCODE
    BACKDOOR.DEFTCODE
    BACKDOOR.DRATOR
    BACKDOOR.HETHAT
    BACKDOOR.HORNET
    BACKDOOR.HORNET.10
    BACKDOOR.LALA
    BACKDOOR.LANFILTRATOR
    BACKDOOR.LANFILTRATOR.10
    BACKDOOR.NETDEVIL.B
    BACKDOOR.NETTROJAN
    BACKDOOR.OHPASS
    BACKDOOR.OICQSEARCH.165
    BACKDOOR.OICQSEARCH.17
    BACKDOOR.OICQSER.165
    BACKDOOR.OICQSER.17
    BACKDOOR.OPTIX.PRO.12
    BACKDOOR.OPTIXPRO.10.B
    BACKDOOR.OPTIXPRO.10.C
    BACKDOOR.REMOHAK.16
    BACKDOOR.REMOTESOB
    BACKDOOR.REMOTESOB.112
    BACKDOOR.REPHLEX
    BACKDOOR.REPHLEX.20
    BACKDOOR.SERVSAX
    BACKDOOR.SIXCA
    BACKDOOR.UPFUDOOR
    BACKDOOR.UPFUDOOR.10
    BACKDOOR.VAGRNOCKER
    BACKDOOR.VAGRNOCKER.12
    BACKDOOR.VB.CH
    BACKDOOR.VMZ
    BACKDOOR.WIN32/OICQSEARCH.1_65
    BACKDOOR.XENOZBOT
    BACKDOOR.XENOZBOT
    BACKDOOR:WIN32/OICQSEARCH.1_7
    BACKDOOR-ACH
    BACKDOOR-AMA
    BACKDOOR-ANF
    BadGirl.exe
    BKDR_SERVSAX.A
    blanca de nieve.exe
    BLOODHOUND.W32.VBWORM
    Boss Game.exe
    Boy and Girl.exe
    Cheat.exe
    Choose Games.exe
    Click Me.exe
    DECRYPT-PASSWORD.EXE
    DOWNLOADER-BN.B
    dwarf4you.exe
    enano porno.exe
    explorer.doc
    FTRAP
    GONE.SCR
    GoodGame.exe
    Happy New Year.exe
    Happy.exe
    happy99.exe
    irok.exe
    I-WORM.LENTIN.H
    I-WORM.LENTIN.I
    I-WORM.RECORY
    I-WORM.SYSNOM
    joke.exe
    JS.FIRSTPART
    JS.FRIST
    JS.SEEKER.J
    JS/FRIST.OW.DR
    JS_NIMDA.A
    Krnl132.exe
    life_stages.txt.shs
    links.vbs
    love-letter-for-you.htm
    love-letter-for-you.txt.vbs
    MACRO.WORD97.BLUFISH
    Make More Money.exe
    Merry.exe
    midgets.scr
    movie.avi.pif
    MP3.exe
    Music.exe
    My Letter.exe
    My Picture.exe
    My Resume.exe
    network.vbs
    NEW BACKDOOR1
    OPASERV.F
    PASSWORD.TXT
    PE_CIH.1003
    PE_ELKERN.D
    PE_FUNLOVE.4099
    PE_NIMDA.E
    PE_RUNDOOM.A
    PE_SPACES.1445
    PE_SUNDER.A
    PenHouse.exe
    PlayBoy.exe
    POLDO
    pretty park.exe
    prettypark.exe
    PWSTEAL.ALLIGHT
    PWSTEAL.RIMD
    Question.exe
    sample.exe
    scam32.exe
    Sex Picture.exe
    sexy virgin.scr
    sirc32.exe
    south park.exe
    TROJ/XENOZBOT
    TROJAN.DASMIN
    TROJAN.DOWNLOADER.CILE
    TROJAN.KKILLER
    TROJAN.POLDO
    TROJAN.PSW.ALLIGHT.20.A
    TROJAN.PSW.PLATAN.5.A
    TROJAN.UNBLOCKEE
    TROJAN.WIN32.DASMIN
    TROJAN.WIN32.KKILLER
    True or False.exe
    tune.vbs
    VBS.CELERON.B.WORM
    VBS.CELERON.WORM
    VBS.FIT.A
    VBS.GAGGLE.B@MM
    VBS.SYSNOM@MM
    VBS/GENERIC@MM
    VBS_LOVELETTR.AS
    VBS_LOVELETTR.AS
    VBS_REDLOF.A
    W32.BACKZAT.WORM
    W32.CAMPURF@MM
    W32.DUKSTEN.C@MM
    W32.DUKSTEN.D@MM
    W32.DUKSTEN.E@MM
    W32.ELERAD.5041
    W32.ELERAD.5041
    W32.EXPLOREZIP.L.WORM
    W32.FRETHEM.E@MM
    W32.FTRAP
    W32.HLLC.WARRAY
    W32.HLLW.BACKZAT.B
    W32.HLLW.BACKZAT.C
    W32.HLLW.GOP.F@MM
    W32.HLLW.LIOTEN
    W32.HLLW.PARVED
    W32.HLLW.PARVED
    W32.HLLW.SMELLES
    W32.HLLW.SODABOT
    W32.HLLW.STIQ
    W32.HLLW.WANGY@MM
    W32.HLLW.ZULE
    W32.JUNKCOMP
    W32.KWBOT.B.WORM
    W32.LIRVA.A@MM
    W32.LIRVA.C@MM
    W32.OPASERV.J.WORM
    W32.OPASERV.K.WORM
    W32.ORFINA@MM
    W32.PARVED
    W32.RECORY@MM
    W32.SOBIG.A@MM
    W32.TITOG.WORM
    W32.TULU
    W32.XILON.TROJAN
    W32.YAHA.H@MM
    W32.YAHA.J@MM
    W32.YAHA.K@MM
    W32.YAHA.L@MM
    W32.YAHA.M@MM
    W32/AVRIL-A
    W32/AVRIL-B
    W32/DUKSTEN@MM
    W32/EXPLOREZIP.E
    W32/EXPLOREZIP.WORM.210432
    W32/EXPLOREZIP.WORM@M
    W32/FLEMING.WORM
    W32/LIOTEN.WORM
    W32/LIOTEN-A
    W32/LIRVA.B@MM
    W32/OPASERV.WORM.M
    W32/OPASERV.WORM.N
    W32/OPASERV-H
    W32/OPASERV-I
    W32/OPASERV-L
    W32/PRESTIGE-A
    W32/RUNDOOM.WORM
    W32/SOBIG
    W32/TITOG.WORM
    W32/WARRAY.CMP
    W32/YAHA.J
    W32/YAHA.K
    W32/YAHA.M@MM
    W32/YAHA.M-MM
    W32/YAHA-J
    W32/YAHA-K
    W97M.BLUDUAG
    W97M.CIGA@MM
    W97M.KILLBOOT
    W97M_MARKER.GO-1
    W97M_MARKER.GO-1
    WIN32.BACKZAT.B
    WIN32.DEPRAVE
    WIN32.HLLW.ARCHEX
    WIN32.JUNKCOMP
    WIN32.LIOTEN
    WIN32.LIRVA.A
    WIN32.LIRVA.B
    WIN32.YAHA.K
    WIN32/ELERAD.4041
    WIN32/EXPLOREZIP.WORM
    WIN32/YAHA.K@MM
    winext.exe
    WORM.WIN32.LIOTEN
    WORM.WIN32.SMELLES
    WORM.WIN32.SMELLES
    WORM.ZIPPEDFILES.H
    WORM_BUGBEAR.A
    WORM_EXPLORZIP.M
    WORM_GOP.F
    WORM_KLEZ.H
    WORM_LIOTEN.A
    WORM_LIRVA.A
    WORM_LIRVA.C
    WORM_OPASERV.M
    WORM_PRESTIGE.A
    WORM_PRESTIGE.B
    WORM_RECORY.A
    WWW..FREEDESKTOPTHEMES*.*
    X97M.LAROUX.WM
    xpass.xls
    zipped_files.exe

    ________________________________________

    NOW, here's the Story of Stone Soup

    When the residents of a poor village see a young peddler driving his wagon into town, they quickly begin to hide their food under mattresses and haylofts, knowing that the boy will be hungry. "There's nothing to eat here," they cry from their windows, "best keep moving!" The boy calls back that he is not looking for food; in fact, he has everything he needs to make delicious stone soup for the entire village. In the town square, he pulls a cauldron from his wagon, fills it with water and starts a fire. Then, as the wary townspeople watch, the young peddler takes a stone from his pocket and drops it into the water.

    "Of course the soup would be even more wonderful with a bit of cabbage," the boy thinks aloud, and so one of the villagers runs home to find her hidden cabbage. "Salt beef would really make my soup a masterpiece," the boy adds, and another villager leaves the square and returns with a bit of beef. On it goes, with all of the villagers gradually adding to the delicious-smelling soup until potatoes, carrots, onions and mushrooms have made the "stone soup" not just a meal, but a community feast. The evening ends with dancing and singing far into the night, and the villagers show their gratitude to the wise young peddler by giving him a comfortable bed for the night at the mayor's house and thanking him for what he has taught them. "We shall never be hungry again," they call to him, "now that we know how to make soup from a stone!"
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Darksky, welcome here!
    Thanks for the stone soup story.
    You might like to check whether the list here has some more additions:
    http://www.wilderssecurity.com/showthread.php?t=4196

    Do you have an informative website?
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi darksky,

    Many of those names are only going to slow down the scanning - virus, trojan and worm names are not going to help in the blocking. The blocked list allows EXE names only in WormGuard 3, and blocks files of those names. I would suggest removing anything starting with

    VBS.
    TROJ.
    BACKDOOR.
    I-WORM.

    etc, most should be easy to spot :)
     
  4. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    Hi Jooske - thank you for your welcome! Great to be here.

    Hello Gavin,

    Thanks for your reply.

    You stated that the blocked list only allows EXE names in WormGuard. I tested WormGuard with my modified list installed and attempted to run 3 non .EXE files:
    BACKDOOR.HETHAT
    W32.CAMPURF@MM
    VBS.GAGGLE.B@MM

    WormGuard responded by instantly blocking their execution with the following messages:

    WORMGUARD SECURITY WARNING -

    You have just executed a file that is not allowed to execute on this system. The file has been blocked from running. Please contact your system administrator for more information.

    As I do not have the actual files on my pc, I tested it simply by clicking start, run, then typing in those file names. Still, WormGuard responded instantly (less than 1/2 sec).

    I couldn't test an actual scan to see if there is a measurable slowdown since I don't have a worm on my pc.
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    I better correct that, and clarify what I meant :)

    Only real file NAMES are acceptable - so HELLO.VBS is valid as well. Any extension is possible ;)

    But adding names like BACKDOOR.HETHAT is useless, as this is a trojan name. A trojan would not be sent to you with that name, it wouldn't even be sent to you as SERVER.EXE. It would be named something that would be more appealing for a user to run.

    In fact, as .HETHAT is not executable, it wouldn't even run - it isn't an EXE, COM, BAT, PIF or SCR extension.
     
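The rule Gavin gives in posts 3 and 5 (the block list matches file names, so anti-virus detection names never match anything, and a name whose last extension Windows will not execute cannot be launched anyway) can be applied mechanically to the posted list. The script below is an added example written for this page; it is not WormGuard or DiamondCS code, and the set of "executable" extensions beyond Gavin's EXE, COM, BAT, PIF and SCR, the detection-name prefixes, the handling of wildcard entries, and the sample entries copied from the posted list (plus one case-variant duplicate constructed to show deduplication) are all assumptions of the example.

```python
"""Trim a WormGuard-style lockfile.txt down to entries that can actually fire.

Added example, not code from WormGuard or DiamondCS.  It applies the rule
stated in the thread: the block list matches file NAMES, so a vendor
detection name (W32.YAHA.K@MM, BACKDOOR.HETHAT, ...) will never match a
real file, and a name whose last extension is not executable cannot be run.
"""
import re

# Gavin lists EXE COM BAT PIF SCR.  The remaining script/shortcut types are
# an assumption of this example, added because Windows launches them too.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "shs", "lnk"}

# Assumption: prefixes and suffixes typical of AV detection names, not files.
_DETECTION_NAME = re.compile(
    r"^(W32|WIN32|W97M|X97M|VBS|JS|PE|TROJ|TROJAN|BACKDOOR|BKDR|I-WORM|WORM|"
    r"PWSTEAL|MACRO|BLOODHOUND|DOWNLOADER|OPASERV)[._/:-]|@MM?$|-MM$",
    re.IGNORECASE,
)

# Constructed sample: entries copied from the posted list, plus PRETTYPARK.EXE
# (a case variant of prettypark.exe) to exercise deduplication.
SAMPLE = [
    "BACKDOOR.DEFTCODE", "BACKDOOR.DEFTCODE", "BACKDOOR.HETHAT",
    "W32.CAMPURF@MM", "VBS.GAGGLE.B@MM", "WORM_KLEZ.H", "W32/AVRIL-A",
    "explorer.doc", "PASSWORD.TXT", "FTRAP", "love-letter-for-you.txt.vbs",
    "movie.avi.pif", "GONE.SCR", "happy99.exe", "prettypark.exe",
    "PRETTYPARK.EXE", "WWW..FREEDESKTOPTHEMES*.*",
]


def classify(entry: str) -> str:
    """Return 'keep', 'pattern', 'detection-name', 'not-executable' or 'empty'."""
    name = entry.strip()
    if not name:
        return "empty"
    if "*" in name or "?" in name:
        # The thread does not say whether WormGuard expands wildcards, so
        # such entries are reported separately rather than kept or dropped.
        return "pattern"
    # Check the extension first so a genuine file name such as vbs.exe is
    # never mistaken for a detection name because of its prefix.
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXECUTABLE_EXTS:
        return "keep"
    if _DETECTION_NAME.search(name):
        return "detection-name"
    return "not-executable"


def trim_blocklist(lines):
    """Split a block list into (kept, dropped).

    kept is deduplicated case-insensitively, since Windows file names are;
    dropped maps each rejected entry to the reason it was rejected.
    """
    kept, seen, dropped = [], set(), {}
    for raw in lines:
        name = raw.strip()
        verdict = classify(name)
        if verdict == "keep":
            if name.lower() not in seen:
                seen.add(name.lower())
                kept.append(name)
        elif verdict != "empty":
            dropped[name] = verdict
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = trim_blocklist(SAMPLE)
    print("keep:", kept)
    for name, why in dropped.items():
        print(f"drop: {name:30s} ({why})")
```

Run it against a saved copy of the posted list (`trim_blocklist(open("lockfile.txt").read().splitlines())`) and write only `kept` back out; the `pattern` bucket is worth a manual look, and `not-executable` entries such as explorer.doc or xpass.xls can be restored deliberately if you want document names blocked as well.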
  6. darksky

    darksky Registered Member

    Joined:
    Jan 13, 2003
    Posts:
    33
    Ahh, now I understand...that makes much more sense.

    Thanks for the clarification Gavin. :)

    Mark
     