There is a very nicely done Freeware package aimed at Tech support, StartLog, which analyzes the Registry, INI files and other things, the things Windows does on startup, for worm droppings.
It checks out cleanly with adaware and F-Prot, but check it yourself, of course.
How good is it? I have not done the statistics but it looks like it would get changes from any of the top worms including Magistr, SubSeven, Klez, Nimda, maybe 80 to 90% of the common infections by worms.
The main thing is that it is fast enough to be run at boot, about 6 seconds, and it is cost efficient. As it looks for traces by principle, not by pattern matching, it does not need the almost daily updates of A-V scans.
As I said, the program is intended for Tech Support to have a user run and then send the files, so it drops results on the desktop, which makes it easy for an end user to find them.
I, Jay, did such a wrapper that spawns ScanLog and collects its results in order to compare them against a previous run.
This allows us to decide whether an incursion is likely. If not, the wrapper goes away.
If there is a change in the various things Windows uses to start, the user is alerted (or the Logon to NT may be aborted).
[tt]
+----------------------+
|                      |
|  Call Tech Support   |
|                      |
| Something is wrong.  |
|                      |
+----------------------+
[/tt]
In short it makes StartLog into an efficient, effective, small IDS tool.
StartChk
http://www.roninsoftwaregroup.com/startchk.htm
StartLog is Freeware.
StartChk is also Freeware and the zip includes source and a Bat procedure that will strip the results from the desktop when the test is complete.
Together they allow you to make a check that should be done periodically on your own system, or for users once in a while, like daily, as they logon.
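The compare-against-a-previous-run step described in the post, sketched as an added example; it is not StartChk's source and not part of the original post. The `location | name = command` snapshot format, the function names and the sample entries are assumptions made for illustration and do not reflect StartLog's real output.

```python
import hashlib

def parse_snapshot(text):
    """Parse 'location | name = command' lines into {(location, name): command}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        location, bar, rest = line.partition("|")
        name, eq, command = rest.partition("=")
        if not bar or not eq:
            raise ValueError(f"unparseable snapshot line: {raw!r}")
        # Windows treats key and value names case-insensitively, so fold them.
        entries[(location.strip().lower(), name.strip().lower())] = command.strip()
    return entries

def fingerprint(entries):
    """Order-independent digest so an unchanged run can exit without a full diff."""
    digest = hashlib.sha256()
    for (location, name), command in sorted(entries.items()):
        digest.update(f"{location}\0{name}\0{command}\n".encode("utf-8"))
    return digest.hexdigest()

def compare(baseline_text, current_text):
    """Return (kind, (location, name), command) for every autostart difference."""
    old, new = parse_snapshot(baseline_text), parse_snapshot(current_text)
    if fingerprint(old) == fingerprint(new):
        return []
    findings = []
    for key in sorted(old.keys() | new.keys()):
        if key not in old:
            findings.append(("added", key, new[key]))
        elif key not in new:
            findings.append(("removed", key, old[key]))
        elif old[key] != new[key]:
            findings.append(("changed", key, new[key]))
    return findings

# Constructed sample snapshots in an assumed format (not real StartLog output).
BASELINE = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | SystemTray = SysTray.Exe
win.ini [windows] | run =
"""
CURRENT = r"""
hklm\software\microsoft\windows\currentversion\run | systemtray = SysTray.Exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | updater = C:\WINDOWS\TEMP\example.exe
win.ini [windows] | run = C:\WINDOWS\example.exe
"""
```

`compare(BASELINE, CURRENT)` returns one `added` entry and one `changed` entry; an empty list is the "wrapper goes away" case, and any non-empty result is the case where the user would be alerted.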