worm ss-3, dwarf.b??

Discussion in 'Trojan Defence Suite' started by marti, Mar 25, 2002.

Thread Status:
Not open for further replies.
  1. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    Don't laugh guys, but I just finished a very scary detective novel.  They were tracking a computer cracker who started killing folks.   I downloaded the evaluation copy of TDS and found some suspicious files:  it didn't like some of my unusual file names.   :D

    However, TDS also decided that a DOS help file, written in Qbasic was a worm.  

    File Trace: Default trojan filename: Worm.SS-3 (Dwarf.b)
     File: C:\help.com

    It's a valid file and works as it's supposed to.  Any advice here?  (Other than stop reading scary novels. :D)

    thanks,
    marti
     
  2. SPY

    SPY Guest

    I would scan the file with TrojanHunter, and see what/ if anything is reported. A second opinion never hurts.
     
  3. marti

    I downloaded the evaluation copy of Trojan Hunter -- it didn't find any suspicious files.

    I forgot to mention in my initial post that I have the purchased version of Pest Patrol.  PP has never found any suspicious files (I purchased it in August 2001).

    marti
     
  4. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Hi Marty,
    "Default trojan filename" with File Trace scanning means that it has simply found the presence of a filename that is known to be used only by a particular trojan. The SS-3 worm (which incidentally has nothing to do with SS3 scripts) installs to c:\help.com (hard-coded), and is several years old but we've never had any other reports of c:\help.com existing (what's it doing in your root directory for starters? :)), so it's probably a good thing that it was detected. If it was the SS-3 Worm you would have also seen at least one other alarm - a positive identification.

    Best regards,
    Wayne
     
  5. marti

    Hi Wayne,

    I knew that it was not a worm/trojan, but was curious as to what your program found.

    The DOS help files are in the root directory because that's where they are supposed to be.  :D  

    thanks,
    marti
     
  6. marti

    I updated to the latest ref files this morning.  It does not find the "File Trace: Default trojan filename: Worm.SS-3 (Dwarf.b)  
     File: C:\help.com"

    However, it still does not like my valid file name of xxx.bat.pif.  :D

    marti

     
     
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    WormGuard would probably jump on that one too for various reasons.
    Good to be warned.
     
  8. marti

    Hi Jooske,

    It's nice to be warned about a suspicious file.  However, the xxx.bat.pif file is a valid file and one that I created.  There does not seem to be a way to ignore certain files that show up during each scan.

    thanks,
    marti
     
  9. Jooske

    TDS has scan options to exclude directories and subdirectories, maybe you can do something with that? Although I prefer scanning all and I remember some finds from former times.
     
  10. marti

    Yes, I found that.  However, the file in question is in the send-to folder within the Win98SE directory.  I'm looking for a way to exclude unique files, without excluding the entire directory.

    marti
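
The difference between a filename trace and a positive identification described in post 4, together with the per-file exclusion asked about in posts 8 and 10, as an added example that is not TDS code and not part of any post. The signature bytes, the extension list, the SendTo path and the `scan` function are constructed for illustration; only `c:\help.com` and the alarm wording come from the thread.

```python
import hashlib
import ntpath

# Filename trace list: a path known to be used by one trojan (path from the thread).
TRACE_NAMES = {r"c:\help.com": "Worm.SS-3 (Dwarf.b)"}
# Content signatures: constructed placeholder body, not a real sample hash.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed-sample-worm-body").hexdigest(): "Worm.SS-3 (Dwarf.b)"
}
# Assumed set of extensions that Windows runs directly.
EXECUTABLE_EXTS = {".pif", ".exe", ".com", ".scr", ".bat", ".vbs"}


def norm(path):
    """Normalise a Windows path so C:\\HELP.COM and c:/help.com compare equal."""
    return ntpath.normcase(ntpath.normpath(path))


def scan(path, content, excluded=()):
    """Return (severity, message) alarms for one file.

    'trace' is a weak signal from the name alone, 'positive' is a content
    match, 'suspicious' is the double-extension heuristic. `excluded` lists
    individual files to skip, without skipping their whole directory.
    """
    key = norm(path)
    if key in {norm(p) for p in excluded}:
        return []
    alarms = []
    if key in TRACE_NAMES:
        alarms.append(("trace", f"Default trojan filename: {TRACE_NAMES[key]}"))
    digest = hashlib.sha256(content).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        alarms.append(("positive", f"Positive identification: {KNOWN_BAD_SHA256[digest]}"))
    stem, last = ntpath.splitext(ntpath.basename(key))
    inner = ntpath.splitext(stem)[1]
    if last in EXECUTABLE_EXTS and inner:
        alarms.append(("suspicious", f"Double extension: {inner}{last}"))
    return alarms


if __name__ == "__main__":
    # A benign file at the traced path raises only the name-based alarm.
    print(scan(r"C:\help.com", b"constructed QBasic help text"))
    # Constructed SendTo path; excluded as a single file.
    sendto = r"C:\WINDOWS\SendTo\xxx.bat.pif"
    print(scan(sendto, b"x"), scan(sendto, b"x", excluded=[sendto]))
```

A trace alarm without an accompanying positive alarm is the pattern reported in the first post: the name matched, the content did not.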
     