A Searchable Virus Database? 44
PktLoss asks: "I recently got hit with a worm/trojan, it was my own fault, I got sloppy. Anyways, once I got hit with the virus it was time to get rid of it. It had infected my system while my A/V program was running, so I presumed it was rather new. I already knew a bunch about it: it was a Messenger Worm; it killed regedit, msconfig or taskmanager upon being run; and it turned off viewing hidden/system files in Explorer. This information in hand, I thought I would have an easy time figuring out what it was, and hopefully locating a dedicated cleaner; I was wrong. In my mind I envision a page with an advanced search allowing you to give it the information you have (attack vector/type, symptoms, etc.) one at a time, each new piece of information cutting down the list of possibilities. Does such a page exist? If not, why not?"
"Instead of an easy search, I started off Googling in the dark, dropping key words in the hope they would point me in the right direction. When that failed I moved to the websites of major anti-virus vendors, either continuing to search based on key words I felt were relevant, or just listing viruses in reverse chronological order and reading their summaries.
No dice.
For the curious, I think it was Chode-e. I cleaned it manually."
Simple enough... (Score:5, Insightful)
Because that's the single most precious asset the anti-virus makers have!!! There's no way they're going to give that away! And it doesn't seem like a huge priority for a volunteer effort as the sort of people capable of and interested in doing that work don't often get viruses.
Re:Simple enough... (Score:2)
Re:Simple enough... (Score:2)
Re:Simple enough... (Score:2)
I hear that they actually communicate the information to each other (after they've released their own identities). The anti-virus world is still very academic. The AV companies have a handful of virus analysts in various timezones and analysing viruses is a very small cost compared to producing the AV frontends/engine/management tools. Ever wondered why your domestic subscription is so much cheaper than the business subscriptions?
Re:Simple enough... (Score:1)
I think the information is out there, it's just not organized in an appropriate way to allow such a search. The author seems to be thinking of a wizard where he can execute an advanced search involving specifying various details, symptom lists, etc; almost like an expert system.
I think it would be a cool tool, but it would have a limited audience: your average computer user won't be able to evaluate their situation well enough to use the system to perform a search, since the average computer user has n
Re:Simple enough... (Score:1)
Taught thinking (Score:5, Insightful)
True, a user needs education to use a computer intelligently, but it is largely up to the given software platform's coders to fix issues like that.
Don't assume you were at fault, just because you need to jump through hoops to prevent your computer from getting infected.
Re:Taught thinking (Score:3, Interesting)
Yes, but an OS can't know if the program run by a user is a trojan or a clean program. It's the user's responsibility to take care of it. I agree that there should be a clear gap between user space and system and that's a big hole in most Windows configurations anyway, but everybody still needs to care when they run any program. Period.
Re:Taught thinking (Score:1, Interesting)
Software need be no different.
Pretending that vendors need to pro
Re:Taught thinking (Score:1)
Re:Taught thinking (Score:3, Informative)
Re:Taught thinking (Score:2)
Re:Taught thinking (Score:2)
Next time, run it through a disassembler first. strings can also be your friend. You also may want to try the free f-prot A/V, it uses heuristics as well as signature detection.
Not that these suggestions will do you any good at the moment
Enjoy.
Re:Taught thinking (Score:2)
Re:that'll teach you. (Score:2)
Had one of the Anti Virus programs I tried actually cleaned the machine it would have been serious karma, and a likely purchase.
Yes, there is. (Score:4, Informative)
You should check out F-Secure [f-secure.com], they have a very good, searchable database with descriptions of various viruses, worms, and spyware.
Sounds like a lame worm (Score:2)
Reboot into safe mode, or with a Linux boot disk with Windows rescue tools installed, and you should be able to remove it from the registry.
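As an added example (not code from this thread), the registry values behind the symptoms PktLoss listed can be audited from a clean session (safe mode or after booting rescue media and loading the user's hive) before or after the manual registry cleanup suggested above. It assumes the user normally keeps hidden and protected OS files visible, as PktLoss did, so those two Explorer values are expected to be 1; the policy values are only reported when present and non-zero.

```powershell
# Added example (not from the thread): audit the registry values behind the
# symptoms PktLoss described (registry tools / Task Manager disabled, hidden
# and system files no longer shown in Explorer). Read-only by default;
# pass -Restore to set the listed values back.
param([switch]$Restore)

# Each entry: key path, value name, the value a clean profile is expected to
# hold (assumed here: hidden files kept visible, as the poster had them),
# and what a different value usually means.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';
       Name = 'DisableRegistryTools'; Expected = 0; Note = 'regedit blocked by policy' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';
       Name = 'DisableTaskMgr'; Expected = 0; Note = 'Task Manager blocked by policy' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';
       Name = 'Hidden'; Expected = 1; Note = 'hidden files not shown (2 = off)' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';
       Name = 'ShowSuperHidden'; Expected = 1; Note = 'protected OS files not shown' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL';
       Name = 'CheckedValue'; Expected = 1; Note = '"Show hidden files" option disabled in Folder Options' }
)

$findings = 0
foreach ($c in $checks) {
    $current = $null
    if (Test-Path $c.Path) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.($c.Name) }
    }
    # An absent policy value is the normal state; only a present value that
    # differs from the expected one is reported.
    if ($null -ne $current -and $current -ne $c.Expected) {
        $findings++
        Write-Warning ("{0}\{1} = {2} (expected {3}): {4}" -f $c.Path, $c.Name, $current, $c.Expected, $c.Note)
        if ($Restore) {
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type DWord
            Write-Host "  restored to $($c.Expected)"
        }
    }
}
if ($findings -eq 0) {
    Write-Host 'No tampered policy/Explorer values found.'
} else {
    Write-Host "$findings tampered value(s). Re-run after cleaning: a worm still running will set them again."
}
```

Restoring the values is only worthwhile once the worm's own files and autorun entries are gone, since a running copy typically rewrites them on its next pass.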
Re:Sounds like a lame worm (Score:2)
Good AV database searchable (Score:3, Informative)
This is the one I always have bookmarked. It seems to be the most comprehensive database on the Internet.
Re:Good AV database searchable (Score:2)
Re:Good AV database searchable (Score:1)
Try them out (Score:2)
I think tabular data rather than wrapping google or standard full text searches would be great, but there doesn't seem to be such a
Re:Try them out (Score:2)
McAfee's Virus Information Librar (Score:1)
Re:McAfee's Virus Information Librar (Score:1)
You ended your post with what I consider the most obvious sign of a hoax (or worse): "...forward this to everyone you know!" I have *never* seen valid e-mail with this request. Now if we could just get our innocent friends to realize this, we would have a lot less spreading of malware. [big sigh]
I have been impressed with ClamAV on other features, but checking http://clamav-du.securesites.net/cgi-bin/clamgrok [securesites.net] for the keywords PktLoss gave us did not produce anything even remotely useful. Since ClamAV
Re:McAfee's Virus Information Librar (Score:2)
Yeah, a VM probably would have been a good way to go, but honestly I really thought the A/V programs would catch it once it started trying to do naughty things.
Next time (and I've got a lot of non-PC-savvy friends, so there will be a next time) I'm going to:
Save the file to disk
Upload it to Virus Total (http://www.virustotal.com/flash/index_en.html [virustotal.com]) and see if it has any clue
If not, move the file over to an
Maybe it's too new for that vendor (Score:1)
Having said that, it wouldn't hurt to install a free A/V scanner such as ClamAV, AVG or even something like Trend Micro's free online scanner.
Moreover, one of the key issues is that some companies are not picking up on some of the malware, which makes the occasional instal
uh, google? (Score:2)
1. Norton AV pops and says "Danger! Danger! Virus found! Something.Win32.A2; clean failed; quarantine (failed|successful)."
2. Then I google "Something.Win32.A2" and usually the first link is Symantec's page on that virus/worm.
3. Click that link. Read that page.
4. Either download the removal tool, which is on that page, or follow the manual removal directions they give.
Not sure about MSNM worms or
We've had two new ones in the past year (Score:4, Informative)
Generally, when we get a suspicious file, it goes to VirusTotal [virustotal.com] first. If any of the 20-or-so listed AV vendors [virustotal.com] have a definition for the virus, you can usually find some information about it (at least a name) and from there figure out how to clean it. If nobody has a definition, next stop is Norman Sandbox [norman.no] to figure out what the beastie does, at least from a high-level point of view. If nothing else, it will probably give you a mutex that you can create to block execution/further infection, and sometimes it even gives you a clue as to what the virus would be or if it's a variant of something else. I found that we had a new variant of W32/Sality [sophos.com] based on its mutex, which was one version number incremented from the info available online.
If there are no hits after that, there are some more things you can try, but they're mostly shots in the dark. Unless you can un-UPX [sourceforge.net] the file and do some serious reverse-engineering on your own, you probably have to wait for a definition or post your symptoms in a newsgroup or forum and hope someone can help.
One good thing about VirusTotal is that it submits your sample to AV vendors (if you give it permission) so they are alerted and can start to develop definitions. It's difficult to find contact info for some vendors, but McAfee [webimmune.net], ClamAV [clamav.net], CA [my-etrust.com] and others have places you can submit a sample; you would do well to try them all if you have non-sensitive information in an infected file.
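The mutex trick the post above describes, written out as an added example (not the poster's code or any vendor's tool): many worms create a named mutex on start and quit if it already exists, so the name a sandbox report shows can serve both as a check for whether the worm is currently running and as a stop-gap "vaccine" until definitions arrive. The mutex name is a placeholder; substitute the exact name from the report, including any Global\ prefix.

```powershell
# Added example (not from the thread): use a mutex name recovered from sandbox
# analysis as (a) a detection check and (b) a "vaccine" that keeps a new
# worm instance from starting while this script runs. The default name is a
# placeholder; pass the real one (with any Global\ prefix) as -MutexName.
param([string]$MutexName = 'PLACEHOLDER_WORM_MUTEX_NAME')

# 1. Detection: if the mutex can be opened, some process has already created
#    it, i.e. the worm is probably active in this session right now.
try {
    $existing = [System.Threading.Mutex]::OpenExisting($MutexName)
    $existing.Dispose()
    Write-Warning "Mutex '$MutexName' already exists: the worm may be running. Clean first."
    exit 1
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    Write-Host "Mutex '$MutexName' is not present; nothing holds it yet."
} catch [System.UnauthorizedAccessException] {
    # Exists but we lack rights to open it: still a sign something created it.
    Write-Warning "Mutex '$MutexName' exists but is not accessible; treat as suspicious."
    exit 1
}

# 2. Vaccination: create the mutex ourselves and hold it. A worm that checks
#    for its mutex will see it and exit before infecting anything. This only
#    works while the script stays running and only against samples that
#    honour the check, so it buys time, nothing more.
$createdNew = $false
$vaccine = New-Object System.Threading.Mutex($true, $MutexName, [ref]$createdNew)
if (-not $createdNew) {
    Write-Warning 'Lost a race: the mutex was created between the check and now.'
    $vaccine.Dispose()
    exit 1
}
Write-Host "Holding '$MutexName'. Press Ctrl+C to release it."
try {
    while ($true) { Start-Sleep -Seconds 60 }
} finally {
    $vaccine.ReleaseMutex()
    $vaccine.Dispose()
}
```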
Re:We've had two new ones in the past year (Score:2)
thank you very much
Why rely on Explorer? (Score:2)
And there's plenty of Registry Editors out there besides RegEdit.exe (even RegEdt32.exe ships with Windoze so you can modify Registry ACLs).
Virus (Score:1)
Re:Virus (Score:1)