Full Disclosure mailing list archives

Re: List of worm and trojan files


From: Kevin <kkadow () gmail com>
Date: Thu, 23 Dec 2004 23:03:39 -0600

Carilda A Thomas <cat () the-cat com> wrote:
> I have been looking but I cannot find a list all in one
> place of the various illegitimate files that various worms
> and trojans install into Microsoft systems.

What'd really help here is a list of MD5 checks for "known bad"
binaries.  Obviously a custom build of sdbot or just a simple hexedit
would defeat this, but such a list would still have value against
automated attacks, etc.

> Perhaps I should clarify about this list thing:  A friend
> of mine is apparently running a rogue email server and a
> rogue ftp server, and none of the virus checkers we have
> tried will determine what program or where.  I looked for
> a windows equivalent to lsof but there doesn't appear to
> be one -

Sysinternals has applications that, taken in combination, do much of
what 'lsof' does under Unix.

Specifically, tcpview
(http://www.sysinternals.com/ntw2k/source/tcpview.shtml) will show you
any listening sockets, the associated process, and the location from
which the process launched.  This should suffice to locate a rogue FTP
service on a Windows PC.

> the one I found can only determine the program if
> it sees a packet go by and cannot find a quiescent
> program.  The A/V checkers do not flag an email server,
> considering it a legitimate program.  Task manager is also
> destroyed, so there is no help there.  I was hoping to
> find a list of illegitimate files for which I could check.

Assuming the attacker is competent, the only way to "clean" a deeply
compromised machine is to reformat the drive and start from scratch.
The truly paranoid will question whether just formatting the drive is
sufficient.

Kevin Kadow
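As an added example (not from this thread, and not Sysinternals or any project's code), the lsof-style check Kevin describes combined with the MD5 known-bad list idea: it joins `netstat -ano` listeners to their owning PID and image path (here via `wmic process get ExecutablePath,ProcessId /format:csv`), then flags listeners on the FTP and SMTP ports whose image hash is on a known-bad list. The two sample outputs are constructed; `live_report` assumes a Windows host with `netstat` and `wmic` on the PATH, and the `hasher` parameter exists only so the triage logic can be exercised without real files.

```python
import hashlib
import re
import subprocess

# Constructed sample of `netstat -ano` output on Windows (the PID column is what makes it useful).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1840
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1840
  TCP    192.168.1.5:1042       10.0.0.7:80            ESTABLISHED     2204
  UDP    0.0.0.0:137            *:*                                    4
"""
# Constructed sample of `wmic process get ExecutablePath,ProcessId /format:csv` output.
SAMPLE_WMIC = "\nNode,ExecutablePath,ProcessId\nPC,C:\\WINDOWS\\svc\\msvc32.exe,1840\nPC,,4\n"

# Matches TCP rows in LISTENING state and all UDP rows (UDP rows carry no state column).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$")


def parse_listeners(netstat_text):
    """Sorted (proto, port, pid) tuples for every listening socket in netstat output."""
    hits = (ROW_RE.match(line) for line in netstat_text.splitlines())
    return sorted({(m[1], int(m[2]), int(m[3])) for m in hits if m})


def parse_wmic_csv(wmic_text):
    """Map PID -> image path; the header row gives column order, a blank path is a system process."""
    rows = [r.strip().split(",") for r in wmic_text.splitlines() if r.strip()]
    path_i, pid_i = rows[0].index("ExecutablePath"), rows[0].index("ProcessId")
    return {int(r[pid_i]): r[path_i] for r in rows[1:] if r[pid_i].isdigit()}


def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()


def triage(listeners, paths, known_bad, watch_ports=(21, 25), hasher=md5_of):
    """Report (proto, port, pid, path, md5, is_known_bad) for listeners on watched ports."""
    report = []
    for proto, port, pid in listeners:
        if port in watch_ports:
            path = paths.get(pid)  # None if the PID exited between the two snapshots
            digest = hasher(path) if path else None
            report.append((proto, port, pid, path, digest, digest in known_bad))
    return report


def live_report(known_bad):  # Windows only; assumes netstat and wmic are on PATH
    netstat = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    wmic = subprocess.run(["wmic", "process", "get", "ExecutablePath,ProcessId", "/format:csv"],
                          capture_output=True, text=True).stdout
    return triage(parse_listeners(netstat), parse_wmic_csv(wmic), known_bad)
```

A match in the report tells you which binary is listening and from where it was launched, which is the information tcpview gives interactively; the hash comparison only catches unmodified copies, exactly the limitation noted above.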
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
