A Searchable Virus Database?
PktLoss asks: "I recently got hit with a worm/trojan, it was my own fault, I got sloppy. Anyways, once I got hit with the virus it was time to get rid of it. It had infected my system while my A/V program was running, so I presumed it was rather new. I already knew a bunch about it: it was a Messenger Worm; it killed regedit, msconfig or taskmanager upon being run; and it turned off viewing hidden/system files, in Explorer. This information in hand, I thought I would have an easy time figuring out what it was, and hopefully locating a dedicated cleaner, I was wrong. In my mind I envision a page with an advanced search allowing you to give it the information you have (attack vector/type, symptoms, etc) one at a time, each new piece of information cutting down the list of possibilities. Does such a page exist? If not why not?"
"Instead of an easy search, I started off Googling in the dark, dropping key words in the hope they would point me in the right direction. When that failed I moved to the websites of major anti-virus vendors, either continuing to search based on key words I felt were relevant, or just listing viruses in reverse chronological order and reading their summaries.
No dice.
For the curious, I think it was Chode-e. I cleaned it manually."
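The kind of narrowing search PktLoss describes is a faceted query over an inverted index: each observation (vector, symptom) intersects the remaining candidate set. The sketch below is an added Python example, not code from any vendor database; the catalogue entries, facet names and malware names in it are constructed for the illustration.

```python
from collections import defaultdict

# Constructed, illustrative catalogue entries (not real signature data):
# each entry maps a facet name to the set of values that describe it.
CATALOGUE = {
    "Worm.Constructed.A": {
        "vector": {"messenger"},
        "symptom": {"kills-regedit", "kills-taskmgr", "hides-system-files"},
    },
    "Worm.Constructed.B": {
        "vector": {"messenger", "email"},
        "symptom": {"kills-taskmgr"},
    },
    "Trojan.Constructed.C": {
        "vector": {"email"},
        "symptom": {"hides-system-files", "kills-regedit"},
    },
}


def build_index(catalogue):
    """Inverted index: facet -> value -> set of entry names carrying that value."""
    index = defaultdict(lambda: defaultdict(set))
    for name, facets in catalogue.items():
        for facet, values in facets.items():
            for value in values:
                index[facet][value].add(name)
    return index


def narrow(index, candidates, facet, value):
    """Keep only the candidates that carry `value` under `facet`.
    An unknown facet or value simply empties the set."""
    return candidates & index[facet].get(value, set())


def search(index, all_names, observations):
    """Apply each (facet, value) observation in turn and record the shrinking
    candidate set after every step, so the investigator can see which
    observation narrowed the field and which one contradicted everything."""
    candidates = set(all_names)
    history = []
    for facet, value in observations:
        candidates = narrow(index, candidates, facet, value)
        history.append((facet, value, sorted(candidates)))
    return candidates, history


if __name__ == "__main__":
    idx = build_index(CATALOGUE)
    seen = [("vector", "messenger"), ("symptom", "kills-regedit"),
            ("symptom", "hides-system-files")]
    final, steps = search(idx, CATALOGUE, seen)
    for facet, value, remaining in steps:
        print(f"{facet}={value:<20} -> {remaining}")
    print("final:", sorted(final))
```

The history is the useful part in practice: when a step empties the set, the last observation is either wrong or belongs to a sample the catalogue has not seen yet, which is exactly the "new variant" case the vendor sites cannot answer.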
You should check out F-Secure, they have a very good, searchable database with descriptions of various viruses, worms, and spyware.
http://www.symantec.com/avcenter/global/vinfodb.html
This is the one I always have bookmarked. It seems to be the most comprehensive database on the Internet.
Pax Vobiscum
The virus/worm spread via MSN Messenger, I knew what the link was when I got a strange message from a friend (the worm spreading) but I needed to know what virus it was in order to help the friend remove it. So I downloaded the file to disk, and told my AV programs to take a look. When they couldn't figure it out from the file I presumed it might be either compressed or obfuscated in such a way that the AV programs wouldn't be able to tell what it was until it ran. So I disconnected myself from the network physically and ran the file, expecting the AV programs to catch it at that point. They didn't and so my search began.
I knew what it was, and still ran it. I really feel I have to take full responsibility.
paul reinheimer
At my company, we've had at least two virus infections before definitions were released. We worked through symptoms and used stuff like HijackThis! and Process Explorer to find out what was going on, plus a few of the PS Tools to get rid of it and Bart's PE to clean-room the system to remove persistent files. It took our virus vendor a week to come up with definitions, but a few others had them earlier and we could use their online or free versions to clean the systems.
Generally, when we get a suspicious file, it goes to VirusTotal first. If any of the 20-or-so listed AV vendors have a definition for the virus, you can usually find some information about it (at least a name) and from there figure out how to clean it. If nobody has a definition, next stop is Norman Sandbox to figure out what the beastie does, at least from a high-level point of view. If nothing else, it will probably give you a mutex that you can create to block execution/further infection, and sometimes it even gives you a clue as to what the virus would be or if it's a variant of something else. I found that we had a new variant of W32/Sality based on its mutex, which was one version number incremented from the info available online.
If there are no hits after that, there are some more things you can try, but they're mostly shots in the dark. Unless you can un-UPX the file and do some serious reverse-engineering on your own, you probably have to wait for a definition or post your symptoms in a newsgroup or forum and hope someone can help.
One good thing about VirusTotal is that it submits your sample to AV vendors (if you give it permission) so they are alerted and can start to develop definitions. It's difficult to find contact info for some vendors, but McAfee, ClamAV, CA and others have places you can submit a sample; you would do well to try them all if you have non-sensitive information in an infected file.
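The first-pass triage this post describes (hash the sample for database lookup, then look at what the binary is made of, with UPX as the packer you would hope to recognize before any reverse engineering) as an added Python example. This is not the poster's tooling and not VirusTotal's or Norman Sandbox's API; the minimal PE builder, the sample names and the known-hash table are all constructed here so the script runs offline. In a real workflow the hash lookup would go to the online services and the PE parsing to a proper library.

```python
import hashlib
import math
import struct

# --- Constructed sample builder (demonstration only; these are not malware) ---

def build_fake_pe(section_names):
    """Build a minimal PE image: DOS header, PE signature, COFF header and a
    section table. No optional header and no section contents; the point is
    only to give the parser below something structurally valid to read."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    e_lfanew = 64                       # PE header right after the DOS header
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics (EXE, 32-bit)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    0, 0, 0, 0, 0, 0, 0, 0, 0)
        for name in section_names
    )
    return bytes(dos) + b"PE\0\0" + coff + table


def pe_section_names(data):
    """Return the section names of a PE file, or None if `data` is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 4 + 20 + opt_size   # signature + COFF + optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:                    # truncated section table
            break
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def shannon_entropy(data):
    """Bits per byte; compressed or encrypted payloads sit close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Constructed "known sample" table keyed by SHA-256, standing in for the hash
# lookups a multi-engine scanner or vendor database would perform.
KNOWN_SAMPLES = {
    hashlib.sha256(build_fake_pe([".text", ".data"])).hexdigest(): "Example.Constructed.A",
}


def triage_sample(data):
    """First-pass triage: hashes for database lookup, section names, and a
    packer heuristic (UPX section names or the 'UPX!' marker, or high entropy)."""
    sections = pe_section_names(data)
    upx_sections = bool(sections) and any(s.startswith("UPX") for s in sections)
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": sha256,
        "is_pe": sections is not None,
        "sections": sections or [],
        "looks_packed": upx_sections or b"UPX!" in data or shannon_entropy(data) > 7.0,
        "known_as": KNOWN_SAMPLES.get(sha256),
    }


if __name__ == "__main__":
    for label, sample in [("plain", build_fake_pe([".text", ".data"])),
                          ("upx", build_fake_pe(["UPX0", "UPX1", ".rsrc"]))]:
        print(label, triage_sample(sample))
```

A sample that is a PE, not in any hash table, and flagged as packed is the case the post's next paragraph describes: nothing to look up, and unpacking before any static analysis. The entropy threshold is a heuristic, so treat `looks_packed` as a prompt to unpack and rescan, not as a verdict.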