question re wormguard database

I have a question regarding the WG database.

What I mean is, do I have to keep adding the actual threats into the "Blocked List", or does WG 'know' what a worm is, etc. and just does it's job.

Do I have to like update like an Anti-virus program or not.

If so, is there an actual list I can grab or copy instead of having to hit "Add" each and every time I want to add a threat?

any comments appreciated.

Cheers, Tas

 

Hi Tassie_Devils
No database to edit or actualise, as it's blocking worms and nasties in other ways of detection.
The blocked items list is a personal choice: if you decide you don't have any scripts running you could add .vbs or not any exe the .exe but i am sure your system would become unworkable with that, so i mean the choices of what to add depends on personal situations.
Hope others jump in with better specific explanation in this area.

The only needed update will be soon the next version to WG4!

 

The blocked list only goes by filename, if you wish you can continually add known worm filenames to this list - if the worm uses fixed filenames. Wormguard should still detect a lot of threats automatically, but where possible adding to this list will always be a good idea

And yes, Wormguard 4 will have an easy update option to do everything for you.

 

Hi Jooske/Gavin

I thought as much, and that's what I have been doing, but it was just that it's been quite a while since I did anything with WG, leaving it to it's own devices so to speak.

I personally had already added some of the files already suggested by Jooske in the blocked filetypes side quite a while ago, and now I have just added a few of the latest worms doing the rounds in the blocked filenames section.

Thanks for the responses, guys, appreciated.
Cheers, Tas.

 

Thanks! For other readers: the file extentions is the left edit window, the complete file names in the right window.
True, WG comes with several preconfigured names like loveletter with several extentions and several more, i did not try out files with complete paths, while wildcards are not possible. I know even without updating WG has other ways of stopping nasties, but of course like Gavin says it is always a good idea to add some specific fixed names.

 

Good question Tas, I was going to ask this also.

So, can anyone direct me to a site that lists current worms and their filenames? Or would anyone post the ones they have added? I think it would be a big help to us less informed.

Also, would anyone be interested in keeping a running thread listing worms they have added? As new worms appear they could be added to the list. This would hold us over until Wormguard 4, with the update feature, is out.

Thanks!

 

average joe:

Hi: here is list of what I put in.....

easy way to add is to go to your wormguard folder, then open up the text file "lockfile.txt" SAVE IT TO DESKTOP FIRST AS BACK UP.

Then delete all of the files in there then copy this list [contains the original list you got then some more I added].

Then RESAVE it back into the Wormguard FOLDER.
Open up Wormguard, check the blocked filenames list and whalla! You should have all the new entries.

Here is the list:

DECRYPT-PASSWORD.EXE
dwarf4you.exe
explorer.doc
GONE.SCR
happy99.exe
irok.exe
joke.exe
life_stages.txt.shs
links.vbs
love-letter-for-you.htm
love-letter-for-you.txt.vbs
midgets.scr
movie.avi.pif
network.vbs
PASSWORD.TXT
PE_ELKERN.D
pretty park.exe
prettypark.exe
sexy virgin.scr
south park.exe
tune.vbs
VBS_LOVELETTR.AS
VBS_REDLOF.A
W32.FRETHEM.E@MM
W32/FLEMING.WORM
W97M_MARKER.GO-1
WORM_BUGBEAR.A
WORM_KLEZ.H
WWW..FREEDESKTOPTHEMES*.*
xpass.xls
zipped_files.exe
PE_SPACES.1445
PE_NIMDA.E
JS_NIMDA.A
VBS_LOVELETTR.AS
W97M_MARKER.GO-1
PE_CIH.1003
PE_FUNLOVE.4099

I added the current Top 10 worms as outlined by TrendMicro.

cheers, tas

edit: PS: If anyone has more, PLEEEESE feel free to post here so we can add them also.....

I had edited out some numbers at end of list thinking they were the numbers of detections, but upon reading Trend's email, those numbers form part of the worm, so if any has already copied, just redo it pleese. Sorry.

 

Thanks very much Tas!

I also found this up to date list at Symantec:

http://securityresponse.symantec.com/avcenter/vinfodb.html

But I have a question on which filename to add. For an example, about 6th on the list is W32.HLLW.Amazex. It also says that KAV calls it Worm.P2P.Amazex and Trend calls it TROJ_ANALA.A. So which is the real filename that we should add? And not just for this example but for any on that list.

If anyone can answer this it would be much appreciated.

average Joe

 

Hi Average_Joe,
would add them all to be sure, like you see in the "loveletter" file names too. In TDS-4 we hope for wildcards possibilities, to ease the adding.

 

Thanks Jooske!

In the example above I mistakenly thought that there was the worm's real filename, "whatever.exe", and that each AV company just gave it their own label. So I was looking for that "real" filename.

But then I'm just your average Joe.

I'll just add all the names that's easy enough. But I'm looking forward to Wormguard 4.

Thanks again!

 

I have taken the list above, and added to it from the symantec site (just that first page, there are so many, the txt file could get really cumbersome). I have attached the file itself rather than listing it in the body of this post, save it in a temp dir if you want to look it over.

I too had been tending to let wormguard just do its thing, but I'm getting more proactive now, and am about to register ..finally..

Roll on WG4!

 

Thanks Kyte. Nice list you compiled. I am now the one to be taking a list from someone else, lol...

thanks again...

 

Well done Kyte! Thanks!!!

 

No worries!

I guess the thing to remember is that there are thousands of trojans, worms etc and their variants, a person could get carried away adding stuff. Thank god for heuristics and TDS3 as well

 

bumping this one up..

has anyone continued to add to the database we began here? I was wondering if WG will slow down if too many worm names are added...??

heres some from July/august from the Symantec site. I checked for dupes and got some but maybe not all

W32.Blaster.Worm
W32/Lovsan.worm
Win32.Poza
Lovsan
WORM_MSBLAST.A
W32/Blaster-A
W32/Blaster
Backdoor.WinShell.50.b
BackDoor-TC
PWSteal.Pport
W32.Bacterra.Worm
Worm.P2P.Bacterra.a
VBS.DDV.B
PWSteal.Lemir.B
PWS-Organer
W32.Mant.Worm
Worm.P2P.Milcan , W32/Milcan.worm!p2p
BAT.Rous.worm
I-Worm.Rous.A
W32.HLLW.Moega
Backdoor.Sdbot.gen
W32.HLLW.Antinny
Backdoor.OptixPro.12.c
Backdoor.Optix.Pro.12
Backdoor.Optix.1_2
BackDoor-ACH
W32.Sowsat.C@mm
Backdoor.IRC.Flood.G
W32.Nuffy.A
W32.Nuf.A
Worm.Win32.Nuf
W32.HLLW.Tofaced
W32.Sowsat.B@mm
I-Worm.Sowsat.f
Trojan.Stealther.B
Trojan.Stealther
Trojan.Win32.Stealther
Backdoor.WinShell.50
Backdoor.Winshell.50
BackDoor-TC
Backdoor.Sdbot.N
Backdoor.SdBot.gen
W32.HLLW.Niklas
Worm.P2P.Niklas
W32/MScr.worm!p2p
W32.Kergez.A@mm
I-Worm.Kergez
Backdoor.Hale
BackDoor-ATM.dr
Backdoor.Lala.C
BackDoor-YQ
Backdoor.Beasty.dr
TrojanDropper.Win32.Yabinder.a
Multidropper-CQ trojan
Backdoor.IRC.Flood.F
Downloader.Mimail
W97M.Anumps.A
Backdoor.IRC.Cirebot
Win32.RPC.A
Worm.Win32.Autorooter.a
Backdoor.IRCBot.gen
Exploit.Win32.DCom.b
Downloader-DM
W32/Lolol.worm.gen
Exploit-DcomRpc
Backdoor.Sumtax
W32.Mimail.A@mm
WORM_MIMAIL.A
W32/Mimail@MM
Win32.Mimail.A
W32/Mimail-A
I-Worm.Mimail
PWSteal.Bancos.B
Backdoor.FTPserver
Backdoor.Roxy
Backdoor.Trojan
W32/Slanper.worm
Worm.Win32.Randex.d
W32.HLLW.Gotorm
Backdoor.Beasty.G
Backdoor.BeastDoor.200.a
BackDoor-AMQ
Backdoor.Fxsvc
Backdoor.Fxsvc.02
Backdoor-AQK
W32.Upering.Worm
Trojan.AOL.Annoyer.b
W32/Sany.worm
W32.Simic.Worm
I-Worm.Sinmsn
Backdoor.Nibu
VBS.Bingd@mm
Trojan.VBS.NoExp
VBS/Generic@MM
W32.HLLW.Huntocx
Backdoor.Lala.B
BackDoor-AOT
W32.Tzet.Worm
W32.Lorsis.Worm
BAT.Boohoo.Worm
Trojan.OptixKiller
Backdoor.Optix
OptixKiller
Trojan.Win32.OptixKill.30
Backdoor.IRC.PSK
BackDoor-AXU
Download.Trojan.PSK
Downloader-DK
Trojan.Progent
Trojan.Spy.ProAgent.121
W32.Earlybird@mm
I-Worm.Wormex
W32.Babybear.int
W32.Liamed@mm
W97M.Acus.A
WM97/Vmpck1-DV
W97M/VMPCK.gen
Macro.Word97.VMPC-based
W97M.Tooth
Macro.Word97.Intended.Toothpaste
W97M/Tooth.A
W97M_TOOTHPASTE
W97M/Tooth.A
WM97/Toothpaste
W32.Spybot.dr
W97M.Kazoy
Macro.Word97.Yozak.b
WM97/Yozak-B
W97M/Yozak.B
W97M.Bench.G
Macro.Word97.Skyline
W97M/Skyline.A
W97M/Bench.C
W97M_BENCH.F
W97M/Bencg.gen
W32.Babybear@mm
Trojan.Visages
Trojan.Ailati
Haver.1309
Backdoor.Netdevil.15
W32.Lohack.C.Worm
I-Worm.Lohack.c
W32.Nogrov@mm
W32.Enegg@mm
BAT.Wimpey.dr
VBS.Wimpey@mm
PWSteal.Bancos
W32.HLLW.Symten@mm
Bloodhound.W32.VBWORM
I-Worm.Symten.b
VBS.Renegy
VBS.Dasbud.int
VBS/Dasbud.intd
Backdoor.Uzbet
TrojanProxy.Win32.Uzbet
W32.HLLW.Indor.E@mm
W32.Jantic.F@mm
Backdoor.Berbew
Troj/Webber-A
BackDoor-AXJ
TrojanProxy.Win32.Webber.10
Trojan.Download.Berbew
Downloader-DI
W32.HLLP.Conut@mm
W32/Coconut-A
I-Worm.Conut
W32.Femot.D.Worm
W32/MoFei.worm
WORM_MOFEI.D
W32/Mofei-B
Worm.Win32.Mofeir.c
Backdoor.Winker
Backdoor.Winker.f
W32.Lofni.Worm
W32.Lohack.B.Worm
W32/Noala@MM
W32.Gruel@mm
Backdoor.WinJank
Backdoor.Migmaf
Proxy-Migmaf
W32.HLLW.Niden
W32.Jantic.B@mm
I-Worm.generic
W32/Generic.a@MM
W32.HLLW.Redist.C@mm
W32/Gant.gen@MM
W32.Moubot
W32.HLLW.Warpigs
W32.HLLW.Warpigs.B
W32.Jantic@mm
W32.Sadon.dr
W95/Sadon
Win32.Mudant.887
W32/Muttant.867
W32.Zokrim.V@mm
W32.Laorenshen.Trojan
Keylogger.Cone.Trojan
Keylog-Perfect.dr
KeyLogger.Win32.PerfectKeyLogger.141
Trojan.Sarka
W32.Sadon.867
W32.MutantQSix


cheers
sue

 

WG doesn't look for a worm's name but for malicious code, so you need the working file name, like MSBLAST.EXE for the recent nasty (which i added immediately).
Quite a job you did, now the names.
If you have for instance a joke.exe and joke.com and joke.vbs you would have to add all three of them and if those would be part of a nasty named "imsocute" it's no use to add that name as wg wouldn't think nothing of that name. In WG4 we'll be able to use wildcards.

 

so.. W32.blaster.worm won't be found by WG? and the others also won't be found? may as well remove them all then :-/

oh well, i tried

what about the mimail thing which comes with an attachment message.zip.. should that be added rather than the mimail variants?

 

See again Gavin's reply.

 

Yeah I did. Ive been on the hunt at the symantec site for the known names of files and have added a few of those, particularly relating to new or revised threats, i'll wade through most of it sooner or later i guess.

 

TEEKIDS.EXE Don't forget to add this name for the new modified variant of the blaster worm and you're uptodate again for a few moments

 

I don't understand adding all those names. If it wrong code it will be stopped anyway. It only can slow things down.
And who cares whether WG will stop it once or twice
Just my opinion
Dolf

 

I see Gavin's reaction which i quoted again above.
If the update and adding names to the list was a bad idea, why add it as a new feature to WG4 then?

 

IMHO These new worms are not really worms but "Vulnerability Exploitation Programmes" VEP's? so will not have normal worm oe virus like patterns.
As these VEP's become more sophisticated then regular database udates for WG4 will become more & more necessary.

 

Jooske: thanks for the teekids.exe update, I havent had a chance to check anymore in the last day or so.

 

If users ask for a feature, why NOT add it, but does that make it really more functional?
It's the same as with TDS. Why should it detect a Trojan simulator. Does it make TDS a better AT?
In this case, when starting every program, WG has to go trough that list.

If they are not worms, they should be detected by other means. Having to add data to a list manually, is not my definition of a well guarded system.
So in this case, I don't agree with Gavin
But again, just my opinion
Dolf.