question re wormguard database

Discussion in 'WormGuard' started by Tassie_Devils, Oct 15, 2002.

Thread Status:
Not open for further replies.
  1. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The Teekids.exe update info had just come into my email a few minutes before I posted it here immediately.
    I don't know if the mass DDoS attack on 16 August on the Microsoft sites is just a hoax or really planned, and I'm not interested in taking part in that, so I added those two nasties.

    The feature for manually adding nasties to the block list we have already; I seem to remember that in WG4 there will be update lists, so it would be a press of a button or maybe even automated.
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    I have a firewall for that :D
     
  3. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    My first Virus/Worm will be called Setup.exe, hoping it will be added to the blocked-file list :D
    Dolf
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Long ago I had an email with an automatic download which just started without me asking permission. I don't remember if that was a nasty or a legal file, but I felt very uncomfortable. After that we got all kinds of patches and security updates for Windows, IE, OE, closing one vulnerability after the other and more. In those days a command given on the PC for something outbound was not stopped properly by the firewalls, so besides all those security updates we had to learn to block outbound traffic too with our firewalls and whatever else there is.
    Long, long ago I noticed strange traffic or probes to use my system as a proxy or to route traffic on or via my system, so I was really happy that with the newer versions of the fw I use it is now finally possible to put security on highest.
    And there are more ports I blocked for inbound plus outbound traffic, like there are for this current blazer thing: ports 69, 135, 445, 4444. So adding the names of the nasty and a new variant is just a small thing to do.
    One never knows if there is any new vulnerability being used which is not patched away yet, and I do like layered security.
    Indeed, on some forums I saw rather rude comments that one must be really stupid to be caught by this one, not having updated and no firewall, but don't underestimate the trojan/worm coders.
     
  5. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    I don't....
    that's why I think a blocked-file list is next to useless
     
  6. Peaches

    Peaches Guest

    :) Here are a few more to add to the list, although there may be duplications. Copied from the Sophos site.


    WORM_WUKILL.A
    WORM_TZET.A
    WORM_SPYBOT.GEN
    WORM_SOBIG.E Medium
    WORM_SOBIG.D
    WORM_SOBIG.C
    WORM_SOBIG.B
    WORM_SCORVAN.A
    WORM_SAGE.A
    WORM_SACHIEL.F
    WORM_RPCSDBOT.A
    WORM_RANDEX.D
    WORM_RANDEX.C
    WORM_NOFER.C
    WORM_NACO.D
    WORM_NACO.B
    WORM_MYLIFE.M
    WORM_MUMU.B
    WORM_MSBLAST.GEN
    WORM_MSBLAST.C
    WORM_MSBLAST.B
    WORM_MSBLAST.A
    WORM_MOFEI.C
    WORM_MOFEI.B
    WORM_MOFEI.A
    WORM_MIMAIL.A
    WORM_MELARE.A
    WORM_MAPSON.A
    WORM_MAAX.B
    WORM_KLEXE.A
    WORM_KIRBO.A
    WORM_JANTIC.F
    WORM_JANTIC.B
    WORM_ISRAZ.A
    WORM_GRUEL.H
    WORM_GRUEL.E
    WORM_GRUEL.D
    WORM_GANT.C
    WORM_GANT.B
    WORM_FRANRIV.A
    WORM_DUKSTEN.O
    WORM_CROCK.A
    WORM_COLEVO.A
    WORM_BACKZAT.A
    WORM_AURIC.E
    WORM_AURIC.C
    WORM_AURIC.B
    WORM_AURIC.A
    WORM_AINJO.E
    TROJ_SYSTRIM.A
    TROJ_MSBLAST.DRP
    TROJ_MIGMAF.A
    RPC DCOM BUFFER OVERFLOW
    PE_VOTE.E Low
    PE_NIMDA.L Low
    PE_NACO.F Low
    PE_LOVGATE.M
    PE_LOVGATE.L
    PE_CONUT.A Low
    PE_BUGBEAR.DAM
    PE_BUGBEAR.B
    ELF_TYPOT.B
    ELF_TYPOT.A
    CISCO IOS VULNERABILITY
    BKDR_LITH.103.A
    BKDR_CIREBOT.B
    BKDR_CIREBOT.A
    BAT_FORCA.C Low

    Top threats:
    1. WORM_FRIENDGRT.B
    2. WORM_KLEZ.H
    3. WORM_LOVGATE.F
    4. WORM_MSBLAST.A
    5. WORM_MIMAIL.A
    6. TROJ_HACLINE.A
    7. PE_PARITE.A
    8. WORM_YAHA.P
    9. WORM_LOVGATE.G
    10. WORM_YAHA.G
     
  7. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    WG cannot do anything with that list.
    It is expecting executable filenames
    Dolf
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Peaches,
    Thank you, lots of work! Did you find the executable filenames for those too?
    Like I did for the blazer, the msblaster.exe and teekids.exe for instance, and in cases where we know a nasty drops or creates filenames, to include those too.
    Not that it is all necessary, WG looks for malicious code anyway, but as Pilli explained the file can seem very legitimate and be used for some exploit/vulnerability, so blocking that innocent-looking file would be great too, I guess, although they won't be able to do anything bad if their nasty brother is blocked already. Let's hope for that!
    I'm sure Gavin/Jason will correct us if we're wrong.

    And remember TDS exec protection does block too what is on its path to block, so those trojans in your list will be among them as they are in the references.
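The thread circles around one mechanism: a list of blocked executable filenames, and whether such a list is useful on its own or only as one layer next to content-based detection. The following is an added example, not WormGuard's or TDS's code; the filename list, the sample bytes and the "known bad" hash set are all constructed here. It shows the two layers side by side: a name match that a renamed copy slips past, a content hash that still catches it, and the false-positive cost of putting a generic name such as setup.exe on the list.

```python
import hashlib
from dataclasses import dataclass

# Constructed blocklist of executable filenames, like the one discussed in the thread.
# The two names are the ones mentioned in the posts above; the set itself is an assumption.
BLOCKED_NAMES = {"msblast.exe", "teekids.exe"}

# Constructed stand-in for a worm body. A real scanner carries vendor-supplied
# signatures; here the only "known bad" hash is the SHA-256 of these sample bytes.
SAMPLE_BAD = b"CONSTRUCTED SAMPLE - stands in for a worm executable body"
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLE_BAD).hexdigest()}


def normalize_name(path: str) -> str:
    """Reduce a Windows or POSIX path to a lower-cased basename for list matching.

    Windows filenames are case-insensitive, so the list must be compared that way;
    surrounding whitespace is dropped so padded names do not escape a match.
    """
    basename = path.replace("\\", "/").rsplit("/", 1)[-1]
    return basename.strip().lower()


@dataclass(frozen=True)
class Verdict:
    name_hit: bool   # matched the filename list
    hash_hit: bool   # matched the content-hash list

    @property
    def blocked(self) -> bool:
        # Either layer alone is enough to block; they are independent checks.
        return self.name_hit or self.hash_hit


def check_file(path: str, data: bytes,
               blocked_names=BLOCKED_NAMES, bad_hashes=KNOWN_BAD_HASHES) -> Verdict:
    """Apply both layers to one file: name list first, then a hash of the contents."""
    name_hit = normalize_name(path) in blocked_names
    hash_hit = hashlib.sha256(data).hexdigest() in bad_hashes
    return Verdict(name_hit=name_hit, hash_hit=hash_hit)


def demo() -> dict:
    """Three constructed cases that map onto the points made in the thread."""
    return {
        # Same bytes under the listed name: both layers fire.
        "listed_name": check_file(r"C:\WINDOWS\System32\MSBLAST.EXE", SAMPLE_BAD),
        # Same bytes under a harmless-looking name: the name list is silent,
        # the content hash still matches. This is why the list is only one layer.
        "renamed_copy": check_file("/home/user/downloads/setup.exe", SAMPLE_BAD),
        # A genuine installer called setup.exe, with "setup.exe" added to the list:
        # the name layer blocks clean contents, the false-positive cost of generic names.
        "benign_setup": check_file("setup.exe",
                                   b"CONSTRUCTED SAMPLE - legitimate installer bytes",
                                   blocked_names=BLOCKED_NAMES | {"setup.exe"}),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>13}: name_hit={verdict.name_hit} "
              f"hash_hit={verdict.hash_hit} blocked={verdict.blocked}")
```

The name list is cheap and catches the common dropped filenames, which is the value Jooske describes; the second case is Dolf's objection in code form, and the third is why simply adding Setup.exe would hurt more than it helps.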
     