Topics: The Internet, Security, Worms

A Searchable Virus Database? (44 comments)

PktLoss asks: "I recently got hit with a worm/trojan; it was my own fault, I got sloppy. Anyway, once I got hit with the virus it was time to get rid of it. It had infected my system while my A/V program was running, so I presumed it was rather new. I already knew a bunch about it: it was a Messenger worm; it killed regedit, msconfig or Task Manager upon being run; and it turned off viewing of hidden/system files in Explorer. With this information in hand, I thought I would have an easy time figuring out what it was, and hopefully locating a dedicated cleaner. I was wrong. In my mind I envision a page with an advanced search allowing you to give it the information you have (attack vector/type, symptoms, etc.) one at a time, each new piece of information cutting down the list of possibilities. Does such a page exist? If not, why not?"
"Instead of an easy search, I started off Googling in the dark, dropping in keywords in the hope they would point me in the right direction. When that failed I moved to the websites of major anti-virus vendors, either continuing to search based on keywords I felt were relevant, or just listing viruses in reverse chronological order and reading their summaries.

No dice.

For the curious, I think it was Chode-e. I cleaned it manually."
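What the submitter is asking for (and what one reply below calls an "expert system") is a faceted search: every fact the user supplies removes candidates, and the survivors tell you which question to ask next. The following is an added example, not code from this thread or from any vendor's database. Its catalogue is constructed for illustration: names such as Example.Worm.A are placeholders rather than real detection names, and the symptom sets are invented.

```python
"""Faceted malware lookup: each observation narrows the candidate list,
and the survivors tell you which observation to collect next.

Added example (not from the Slashdot thread or any vendor database).
The catalogue is constructed for illustration: names like "Example.Worm.A"
are placeholders, not real detection names, and the symptom sets are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str
    vector: str            # how it arrives: "im", "email", "network", ...
    symptoms: frozenset    # behaviours an analyst can observe on the host


# Constructed catalogue (placeholder names, invented symptom sets).
CATALOGUE = [
    Entry("Example.Worm.A", "im", frozenset({
        "kills_regedit", "kills_taskmgr", "kills_msconfig",
        "hides_hidden_files", "run_key_persistence"})),
    Entry("Example.Worm.B", "im", frozenset({
        "kills_regedit", "kills_taskmgr", "run_key_persistence"})),
    Entry("Example.Mailer.C", "email", frozenset({
        "kills_taskmgr", "mass_mail", "run_key_persistence"})),
    Entry("Example.Bot.D", "network", frozenset({
        "kills_regedit", "irc_connect", "service_persistence"})),
]


def narrow(catalogue, vector=None, symptoms=()):
    """Entries consistent with every supplied fact (AND semantics).

    A symptom the catalogue has never heard of raises instead of silently
    matching nothing, so a typo does not look like 'no known malware'.
    """
    known = set().union(*(e.symptoms for e in catalogue))
    unknown = set(symptoms) - known
    if unknown:
        raise ValueError(f"unknown symptom(s): {sorted(unknown)}")
    return [e for e in catalogue
            if (vector is None or e.vector == vector)
            and set(symptoms) <= e.symptoms]


def next_questions(candidates):
    """Symptoms present in some but not all remaining candidates: asking the
    user about one of these is what shrinks the list further."""
    if len(candidates) < 2:
        return []
    sets = [set(e.symptoms) for e in candidates]
    return sorted(set.union(*sets) - set.intersection(*sets))


def refine(catalogue, facts):
    """Apply (kind, value) facts one at a time and return a trail of
    (fact, surviving names, suggested next questions) so the analyst can see
    which observation did the narrowing."""
    vector, symptoms, trail = None, [], []
    for kind, value in facts:
        if kind == "vector":
            vector = value
        elif kind == "symptom":
            symptoms.append(value)
        else:
            raise ValueError(f"unknown fact kind {kind!r}")
        survivors = narrow(catalogue, vector, symptoms)
        trail.append((f"{kind}={value}",
                      [e.name for e in survivors],
                      next_questions(survivors)))
    return trail


if __name__ == "__main__":
    # The submitter's facts: spreads over instant messaging, kills regedit,
    # hides hidden/system files.
    for fact, names, asks in refine(CATALOGUE, [
            ("vector", "im"), ("symptom", "kills_regedit"),
            ("symptom", "hides_hidden_files")]):
        print(f"{fact:<30} -> {names}  ask next: {asks}")
```

With the submitter's three facts the trail goes 2 candidates, 2 candidates, 1 candidate; after the second step the tool already knows that "hides_hidden_files" or "kills_msconfig" is the question that will separate the two survivors, which is the part a plain keyword search never tells you.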
  • Simple enough... (Score:5, Insightful)

    by Otter ( 3800 ) on Friday February 24, 2006 @12:49PM (#14793977) Journal
    Does such a page exist? If not why not?

    Because that's the single most precious asset the anti-virus makers have!!! There's no way they're going to give that away! And it doesn't seem like a huge priority for a volunteer effort as the sort of people capable of and interested in doing that work don't often get viruses.

    • Explain the existence of ClamAV, then.
      • So, does ClamAV have such a page (as opposed to their virus defs and a searchable database of names of identified viruses)? If so, that answers the original question; if not, I'm not sure what your point is.
    • > Because that's the single most precious asset the anti-virus makers have.

      I hear that they actually communicate the information to each other (after they've released their own identities). The anti-virus world is still very academic. The AV companies have a handful of virus analysts in various timezones and analysing viruses is a very small cost compared to producing the AV frontends/engine/management tools. Ever wondered why your domestic subscription is so much cheaper than the business subscriptions?
      • I think the information is out there, it's just not organized in an appropriate way to allow such a search. The author seems to be thinking of a wizard where he can execute an advanced search involving specifying various details, symptom lists, etc; almost like an expert system.

        I think it would be a cool tool, but it would have a limited audience: your average computer user won't be able to evaluate their situation well enough to use the system to perform a search, since the average computer user has n

    • Screw that. I want a public malicious code archive. As soon as I figure out the legal ramifications and code up a web interface, I'm going to set one up. I'm tired of all of the "in the know" companies and researchers having access to information that mere mortals can't touch.
  • Taught thinking (Score:5, Insightful)

    by A beautiful mind ( 821714 ) on Friday February 24, 2006 @12:54PM (#14794045)
    MS and the companies profiting from malware (anti-virus companies, etc.) taught people the "I recently got hit with a worm/trojan, it was my own fault, I got sloppy." mindset. But in reality, this shouldn't be and isn't like that.

    True, a user needs education to use a computer intelligently, but it is largely up to the given software platform's coders to fix issues like that.

    Don't assume you were at fault, just because you need to jump through hoops to prevent your computer from getting infected.
    • Re:Taught thinking (Score:3, Interesting)

      by c_fel ( 927677 )
      Don't assume you were at fault, just because you need to jump through hoops to prevent your computer from getting infected.

      Yes, but an OS can't know if the program run by a user is a trojan or a clean program. It's the user's responsibility to take care of it. I agree that there should be a clear gap between user space and system, and that's a big hole in most Windows configurations anyway, but everybody still needs to take care when they run any program. Period.
    • Re:Taught thinking (Score:1, Interesting)

      by Anonymous Coward
      I could not disagree more. Any piece of consumer hardware comes with a certain degree of risk to life and limb if improperly used. Certainly, no one who burned him/herself with the kitchen coffee maker would indicate it 'was my own fault', because given a sufficient level of care in its manufacture (perhaps even a rating from Underwriters Labs or the equivalent) there's nothing short of gross user error that would result in such an occurrence.

      Software need be no different.

      Pretending that vendors need to pro
      • Yeah, the difference is that it's obvious (to most) that coffee is scalding hot and that sticking your fingers in a live blender or wall socket is bad. That's why we shouldn't be able to sue those manufacturers when we ignore warning labels and safety mechanisms. The same can't be said when grandma opens an e-mail attachment thinking that she's opening an actual e-mail from her 7 y/o grandson. Hell, that scenario even explains away a spammer's typical bad grammar and spelling (at least if the subject line is
    • Re:Taught thinking (Score:3, Informative)

      by PktLoss ( 647983 )
      The virus/worm spread via MSN Messenger. I knew what the link was when I got a strange message from a friend (the worm spreading), but I needed to know what virus it was in order to help the friend remove it. So I downloaded the file to disk, and told my AV programs to take a look. When they couldn't figure it out from the file I presumed it might be either compressed or obfuscated in such a way that the AV programs wouldn't be able to tell what it was until it ran. So I disconnected myself from the networ
  • Yes, there is. (Score:4, Informative)

    by NorbrookC ( 674063 ) on Friday February 24, 2006 @01:09PM (#14794201) Journal

    You should check out F-Secure [f-secure.com], they have a very good, searchable database with descriptions of various viruses, worms, and spyware.

  • If it's killing off regedit then it is probably not a virus but a lame worm that has just added itself into the registry to start at bootup.

    Rebooting into Safe Mode, or with a Linux boot disk with Windows rescue tools installed, you should be able to remove it from the registry.
    • Cleaning went something like this: Safe Mode -> find random directory in system32, write it down -> Safe Mode w/ command prompt, erase file -> regular boot -> regedit to clean out all the crap it left in the registry -> re-install compromised A/V software.
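The cleanup above is done by eye: Safe Mode, find the worm's directory under system32, delete the file, then regedit to remove what it left behind. One way to make the registry part systematic, as an added example that is not part of this thread, is to export the relevant keys (regedit from Safe Mode, or reg export from a command prompt) and triage the .reg text offline, which also works when regedit itself refuses to start. The .reg text embedded below is constructed: the xk3q9 directory, the msupdate value name and the svhost.exe file name are invented; the key paths and value names are the real Windows ones. The SHOWALL\CheckedValue check is a widely used way the "show hidden files" option gets defeated; the thread only says the option was turned off, so treat that check as an assumption about how.

```python
"""Triage an exported registry (.reg) for the symptoms described in the thread:
an autostart entry pointing into an odd directory under system32, the policies
that stop regedit/Task Manager from starting, and the Explorer "show hidden
files" setting. Emits reg.exe commands to undo each finding.

Added example, not from the thread. SAMPLE_REG is constructed: "xk3q9",
"msupdate" and "svhost.exe" are invented; the key paths and value names are
the real ones. Only the string and dword subset of the .reg format is parsed.
"""
import re
from dataclasses import dataclass

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"msupdate"="C:\\WINDOWS\\system32\\xk3q9\\svhost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
'''

_KEY = re.compile(r'^\[(?P<key>[^\]]+)\]$')
_VAL = re.compile(r'^"(?P<name>[^"]+)"=(?P<body>.+)$')


def parse_reg(text):
    """Return {key_path: {value_name: value}}; dword values become ints,
    string values have the .reg backslash and quote escaping removed."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY.match(line)
        if m:
            key = m.group("key")
            reg.setdefault(key, {})
            continue
        m = _VAL.match(line)
        if m and key is not None:
            body = m.group("body")
            if body.startswith("dword:"):
                value = int(body[6:], 16)
            elif len(body) >= 2 and body[0] == '"' and body[-1] == '"':
                value = body[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            else:
                continue            # hex(...)/expand strings not needed here
            reg[key][m.group("name")] = value
    return reg


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    value: object
    reason: str


RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
SHOWALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Folder\Hidden\SHOWALL")

# Heuristic from the thread's own cleanup: the worm lived in a "random
# directory in system32". Legitimate autostart entries rarely do.
_SYS32_SUBDIR = re.compile(r"\\system32\\[^\\]+\\[^\\]+\.exe\b", re.IGNORECASE)


def triage(reg):
    """Return the Findings worth a human's attention, in a stable order."""
    lookup = {k.lower(): (k, v) for k, v in reg.items()}   # registry keys are case-insensitive
    found = []
    for rk in RUN_KEYS:
        k, vals = lookup.get(rk.lower(), (rk, {}))
        for name, target in vals.items():
            if isinstance(target, str) and _SYS32_SUBDIR.search(target):
                found.append(Finding(k, name, target,
                                     "autostart from a subdirectory of system32"))
    k, vals = lookup.get(POLICY_KEY.lower(), (POLICY_KEY, {}))
    for name in ("DisableRegistryTools", "DisableTaskMgr"):
        if vals.get(name, 0):
            found.append(Finding(k, name, vals[name],
                                 f"{name} policy set: the tool refuses to start"))
    k, vals = lookup.get(SHOWALL_KEY.lower(), (SHOWALL_KEY, {}))
    if "CheckedValue" in vals and vals["CheckedValue"] != 1:
        found.append(Finding(k, "CheckedValue", vals["CheckedValue"],
                             "'Show hidden files' cannot be re-enabled (normal value is 1)"))
    return found


_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def reg_exe_commands(findings):
    """reg.exe commands that undo each finding, for the Safe Mode command
    prompt the thread describes. Review before running: the system32 rule is
    a heuristic, not proof."""
    cmds = []
    for f in findings:
        root, _, rest = f.key.partition("\\")
        path = f"{_ABBREV.get(root, root)}\\{rest}"
        if f.name == "CheckedValue":
            cmds.append(f'reg add "{path}" /v CheckedValue /t REG_DWORD /d 1 /f')
        else:
            cmds.append(f'reg delete "{path}" /v {f.name} /f')
    return cmds


if __name__ == "__main__":
    findings = triage(parse_reg(SAMPLE_REG))
    for f in findings:
        print(f"{f.reason}: [{f.key}] {f.name} = {f.value!r}")
    print("\n".join(reg_exe_commands(findings)))
```

Note the order of the thread's own procedure still applies: delete the file from Safe Mode first, then remove the autostart entry, otherwise a worm that re-adds its Run value on every start undoes the registry fix as soon as you reboot.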
  • by PontifexMaximus ( 181529 ) on Friday February 24, 2006 @01:33PM (#14794427)
    http://www.symantec.com/avcenter/global/vinfodb.html [symantec.com]

    This is the one I always have bookmarked. It seems to be the most comprehensive database on the Internet.
  • A couple of people have been kind enough to post links to some of the major A/V vendors' pages. They're there, and they work, but they don't seem to give the results I'm looking for. Try using those search engines, entering some of the information given in the original post. I would consider getting Chode-d, Chode-e or Landis-B the 'right' answer. Can you get that answer out of it?

    I think tabular data rather than wrapping google or standard full text searches would be great, but there doesn't seem to be such a
  • Unless I misunderstood the question, besides the ones already pointed out by some other folks, there's also http://vil.nai.com/vil/default.asp [nai.com]. It even has a section dedicated to hoaxes, which I regularly use to educate my friends and family about those "Microsoft warned about this virus yesterday, anti-virus vendors don't know about it yet, pass this to all your contacts" e-mails.
    • You ended your post with what I consider the most obvious sign of a hoax (or worse): "...forward this to everyone you know!" I have *never* seen valid e-mail with this request. Now if we could just get our innocent friends to realize this, we would have a lot less spreading of malware. [big sigh]

      I have been impressed with ClamAV on other features, but checking http://clamav-du.securesites.net/cgi-bin/clamgrok [securesites.net] for the keywords PktLoss gave us did not produce anything even remotely useful. Since ClamAV

      • I think you get all the bonus points for trying out the search engine before giving it the gold star :)

        Yeah, a VM probably would have been a good way to go, but honestly I really thought the A/V programs would catch it once it started trying to do naughty things.

        Next time (and I've got a lot of non-PC-savvy friends, so there will be a next time) I'm going to:
        Save the file to disk
        Upload it to Virus Total (http://www.virustotal.com/flash/index_en.html [virustotal.com]) and see if it has any clue
        If not, move the file over to an
  • There have been a number of stories that compared how fast the different A/V companies respond to a threat. I seem to recall that for really bothersome stuff, the updates are usually ready to go around 48-56 hours after they're picked up.

    Having said that, it wouldn't hurt to install a free A/V scanner such as ClamAV, AVG or even something like Trend Micro's free online scanner.

    Moreover, one of the key issues is that some companies are not picking up on some of the malware, which makes the occasional instal
  • I know in this case google didn't work out for you, but I can't say I've ever had to do more than the following:

    1. Norton AV pops and says "Danger! Danger! Virus found! Something.Win32.A2; clean failed; quarantine (failed|successful)."
    2. Then I google "Something.Win32.A2" and usually the first link is Symantec's page on that virus/worm.
    3. Click that link. Read that page.
    4. Either download the removal tool, which is on that page, or follow the manual removal directions they give.

    Not sure about MSNM worms or
  • by Meostro ( 788797 ) on Friday February 24, 2006 @03:54PM (#14795793) Homepage Journal
    At my company, we've had at least two virus infections before definitions were released. We worked through symptoms and used stuff like HijackThis! [spywareinfo.com] and Process Explorer [sysinternals.com] to find out what was going on, plus a few of the PsTools [sysinternals.com] to get rid of it and Bart's PE [nu2.nu] to clean-room the system to remove persistent files. It took our virus vendor a week to come up with definitions, but a few others had them earlier and we could use their online or free versions to clean the systems.

    Generally, when we get a suspicious file, it goes to VirusTotal [virustotal.com] first. If any of the 20-or-so listed AV vendors [virustotal.com] have a definition for the virus, you can usually find some information about it (at least a name) and from there figure out how to clean it. If nobody has a definition, next stop is Norman Sandbox [norman.no] to figure out what the beastie does, at least from a high-level point of view. If nothing else, it will probably give you a mutex that you can create to block execution/further infection, and sometimes it even gives you a clue as to what the virus would be or if it's a variant of something else. I found that we had a new variant of W32/Sality [sophos.com] based on its mutex, which was one version number incremented from the info available online.

    If there are no hits after that, there are some more things you can try, but they're mostly shots in the dark. Unless you can un-UPX [sourceforge.net] the file and do some serious reverse-engineering on your own, you probably have to wait for a definition or post your symptoms in a newsgroup or forum and hope someone can help.

    One good thing about VirusTotal is that it submits your sample to AV vendors (if you give it permission) so they are alerted and can start to develop definitions. It's difficult to find contact info for some vendors, but McAfee [webimmune.net], ClamAV [clamav.net], CA [my-etrust.com] and others have places you can submit a sample, you would do well to try them all if you have non-sensitive information in an infected file.
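PktLoss's guess above that the file was "compressed or obfuscated" and the mention here of un-UPXing point at the same thing: a packed executable shows a signature scanner almost nothing of the real program until the unpacker stub runs. The check below is an added example, not code from this thread, from VirusTotal or from Norman Sandbox. It reads the PE section table of a file and reports packer section names and high-entropy sections. build_sample() fabricates a minimal PE image in memory purely as input for the parser (it is not a runnable program); on a real sample you would call assess(open(path, "rb").read()).

```python
"""Static packer check on a Windows executable.

Added example, not code from the thread or from any scanner. A packed
(UPX-style) binary keeps the real program compressed inside a section that is
only expanded at run time, so a scanner looking at the file on disk sees
little but the unpacker stub. Two cheap tells: packer section names and
near-8.0 bits/byte entropy. build_sample() fabricates a minimal PE image in
memory purely as parser input; it is not a runnable program.
"""
import math
import random
import struct
from collections import Counter


def entropy(data):
    """Shannon entropy in bits per byte: close to 8.0 for compressed or
    encrypted data, noticeably lower for ordinary code and text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sections(pe):
    """Yield (name, raw_bytes) for every entry in the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]        # file offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                     # COFF file header (20 bytes)
    nsections, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)
    table = coff + 20 + opt_size                            # section headers follow the optional header
    for i in range(nsections):
        name, _vsize, _vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)                  # 40-byte IMAGE_SECTION_HEADER
        yield name.rstrip(b"\0").decode("ascii", "replace"), pe[rawptr:rawptr + rawsize]


def assess(pe, entropy_threshold=7.0):
    """Report packer-named and high-entropy sections. UPX's section names are
    the ones the thread mentions; other packers use their own, so the entropy
    test is the more general tell (and the one a renamed section cannot dodge)."""
    packer, hot = [], []
    for name, data in sections(pe):
        if name.upper().startswith("UPX"):
            packer.append(name)
        if len(data) >= 256 and entropy(data) >= entropy_threshold:
            hot.append(name)
    return {"packer_sections": packer,
            "high_entropy_sections": hot,
            "likely_packed": bool(packer or hot)}


def build_sample(packed=True):
    """Fabricate a minimal 32-bit PE image with two sections (not a real program)."""
    if packed:
        rng = random.Random(1)                              # deterministic "compressed" bytes
        names = [b"UPX0", b"UPX1"]
        bodies = [bytes(512), bytes(rng.randrange(256) for _ in range(4096))]
    else:
        names = [b".text", b".data"]
        bodies = [b"\x55\x8b\xec\x5d\xc3" * 100 + bytes(12), b"Hello, world\0" * 40]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(222)             # PE32 magic, rest zeroed
    headers_len = 64 + 4 + 20 + 224 + 40 * len(names)
    raw_ptr = (headers_len + 511) // 512 * 512              # 512-byte file alignment
    table, blobs = b"", b""
    for i, (name, body) in enumerate(zip(names, bodies)):
        table += struct.pack("<8sIIII", name, len(body), 0x1000 * (i + 1),
                             len(body), raw_ptr + len(blobs)) + bytes(16)
        blobs += body
    image = bytes(dos) + b"PE\0\0" + coff + opt + table
    return image + bytes(raw_ptr - len(image)) + blobs


if __name__ == "__main__":
    for label, sample in (("packed", build_sample(True)), ("plain", build_sample(False))):
        print(label, assess(sample))
```

A positive result here does not say what the file is, only why the on-disk scan came back empty; it is the cue to do what the comment above recommends next, a sandbox run or a sample submission, rather than to keep feeding the packed file to more signature scanners.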
  • C:\>attrib -r -a -s -h C:\*.* /s

    And there's plenty of registry editors out there besides RegEdit.exe (even RegEdt32.exe ships with Windoze so you can modify registry ACLs).
  • A few years ago, before I had any idea what I was doing, I got this annoying virus that began a countdown to restart my computer every time I connected to the internet or went to Microsoft's website. I can't remember what it was called but apparently it caused some havoc. When I found out how easy it was to stop, I was so embarrassed. That was the first day I found out that Windows XP has a built in "firewall" that could be activated. Later that month Microsoft released an update that activated the "fir
