Should I worry about this?

Discussion in 'malware problems & news' started by Andrew B., Jul 23, 2003.

Thread Status:
Not open for further replies.
  1. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    Hi.

    When I was installing DiamondCS RegistryProt, it announced startup points to me and asked me whether to allow them. I understood all of them except this one, and I'm wondering if this is something I should not have approved.

    HKEY=HKEY_CLASSES_ROOT
    PATH=vbsfile\shell\open\command
    NAME=
    DATA=%SystemRoot%\System32\WScript.exe "%1" %*
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
  3. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    Hi Dollefie.

    Thanks for the link. It shows how to remove the ability for any script to run. DiamondCS RegistryProt only took issue with one line of the many lines I see on that page. So I can only guess that maybe that one line is normal, but worse than others, and maybe I should disable it. Is that the idea behind sending me there?
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Not many home users have legitimate need to have VBS files run in the Windows Scripting Host, so you can eliminate the whole VBS class of worms and trojans by changing it to notepad.exe %1 :)

    The current version of Wormguard will be suspicious of any VBS worm or trojan due to their nature. I'm sure script checkers included in antivirus software have long since caught up, although they might not be as careful/aggressive as Wormguard 3 in their protection.
     
  5. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    You have to decide whether or not you want to be able to run vbs/js. There are some handy tools around that use them. If you don't use these or you don't have any protection against the misuse of scripts (like a lot of worms/trojans do) then delete them. I don't know how you use your computer. I only wanted you to know why that line exists.
    Dolf
     
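    A way to check the handler Gavin and Dolf are talking about, written here as an added example rather than anything posted in the thread or shipped by DiamondCS. It assumes the sibling script classes besides vbsfile (jsfile, wsffile, etc.) exist on the machine, and that the prompt is elevated, since writing under HKCR lands in HKLM\Software\Classes; without -Remediate it only reports.

```powershell
# Added example (not from the thread): audit the script-file open commands
# and, only when -Remediate is given, point them at notepad.exe as Gavin suggests.
# Run from an elevated PowerShell prompt.
param([switch]$Remediate)

# vbsfile is the class RegistryProt flagged; the others are assumed to be
# its siblings that also open in the Windows Scripting Host.
$classes = 'vbsfile', 'vbefile', 'jsfile', 'jsefile', 'wsffile', 'wshfile'
$harmlessHandler = 'notepad.exe "%1"'

foreach ($class in $classes) {
    $key = "Registry::HKEY_CLASSES_ROOT\$class\shell\open\command"
    if (-not (Test-Path $key)) { continue }

    # The default value of the key is the command the shell runs for the file.
    $command = (Get-ItemProperty -Path $key).'(default)'
    $runsInWsh = $command -match '\\(w|c)script\.exe'

    if ($runsInWsh) {
        Write-Warning "$class opens with the Scripting Host: $command"
        if ($Remediate) {
            # Keep the original command beside the key so the change can be reversed.
            Set-ItemProperty -Path $key -Name 'OriginalCommand' -Value $command
            Set-ItemProperty -Path $key -Name '(default)' -Value $harmlessHandler
            Write-Output "$class now opens with Notepad"
        }
    } else {
        Write-Output "$class opens with: $command"
    }
}
```

    To undo a change, copy the OriginalCommand value back into (default); for vbsfile the thread shows the stock value as %SystemRoot%\System32\WScript.exe "%1" %*.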
  6. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    Thank you Gavin and Dollefie. I just went in and switched VBS to notepad. I'll have to think about Java Script, though. I think that might be something I need.
     
  7. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Well, you always can consider using Wormguard :D
     
  8. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    I'm looking into wormguard, but I worry about having two scanners hitting the same area. I actually witnessed two AV scanners let eicar open when they both detected it at the same time.
     
  9. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Wormguard is NOT an AV, it doesn't use any def updates. It just analyzes code BEFORE it is loaded in memory, so it doesn't interfere with any other AV, it is just an addition to an AV where an AV could fail.
    I wonder though why WG jumped in on the eicar testfile o_O
    Dolf
     
  10. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    I was curious about this myself, so after disabling KAV I double-clicked on eicar.com and WG popped up with

    Running strings on the com file shows the following ascii string

     
  11. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    thanks Dan
    I've always had mixed feelings about the need to detect testfiles,
    although now I think it's the VIRUS part of ANTIVIRUS where WG jumped in, which is logical.
    Hmm, I wonder how many malware writers put the string 'virus' in their code...
    Dolf
     
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Amazingly many! A large percentage of worms are tagged with the author name, and with things like

    W32/Hello.b by nErdBurger[cheese] (I made this up :D)

    We have amassed a large list of trojan/virus author names - and groups like [cheese] so Wormguard 4 and TDS-4 will look for some things like that as well. Exact details unsure yet, there have to be measures to make these things less sensitive :)
     
  13. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :cool:Blaze worm comeing soon lol all will miss spell like me lol author by blaze aka little baby budah lol
     