# worms — worm/scanner signature table for web-server log classification.
#
# Each entry is a named group with two fields:
#   label     - the display name reported for matching log entries
#   substring - a substring that must appear in the page field of a log
#               entry for that entry to be counted as a hit from the worm
#
# NOTE(review): the consuming parser is not identified in this file.
# Entries below mix quoted ("Code Red") and unquoted (Nimda) string values;
# confirm the two forms are equivalent for this parser before normalising,
# and whether substring matching is case-sensitive (not stated here).
#
# This file was collapsed onto a single line; it is reformatted here with
# one field per line and no other token changed.
worms = {
  # These are the worms recognized. The "name" value is the name of the worm;
  # the "label" column is a substring that must be in the page field value
  # for the log entry to be considered a hit from that worm.
  #
  # If you know of another well-known worm, and if you create your own
  # entry for it below, please contact the vendors of this software, so
  # we can add it to later versions.

  # Code Red (W32/Bady, I-Worm.Bady, W32/Bady.worm)
  # Added: July 19, 2001
  # Info: http://www.cert.org/advisories/CA-2001-19.html
  # Removal: http://securityresponse.symantec.com/avcenter/tools.list.html
  # Two request forms are recognised; both map to the same label.
  code_red_1 = {
    label = "Code Red"
    substring = /default.ida?
  }
  code_red_2 = {
    label = "Code Red"
    substring = /NULL.idq
  }

  # W32/Nimda worm (W32/Nimda@MM [McAfee], PE_NIMDA.A [Trend], I-Worm.Nimda [Kaspersky], W32/Nimda-A [Sophos], Win32.Nimda.A [Computer Associates])
  # Added: September 18, 2001
  # Info: http://www.cert.org/advisories/CA-2001-26.html
  # Removal: http://securityresponse.symantec.com/avcenter/tools.list.html
  # Seven request paths share one label; a log entry matching any of them
  # is attributed to Nimda. Note that nimda_6 has no leading slash, so it
  # matches anywhere in the page field, not only at the path start.
  nimda_1 = {
    label = Nimda
    substring = /scripts/root.exe
  }
  nimda_2 = {
    label = Nimda
    substring = /MSADC/root.exe
  }
  nimda_3 = {
    label = Nimda
    substring = /scripts/Admin.dll
  }
  nimda_4 = {
    label = Nimda
    substring = /MSADC/Admin.dll
  }
  nimda_5 = {
    label = Nimda
    substring = /c/Admin.dll
  }
  nimda_6 = {
    label = Nimda
    substring = ../Admin.dll
  }
  nimda_7 = {
    label = Nimda
    substring = /winnt/system32/cmd.exe
  }

  # W32/Sasser (W32/Sasser.worm.a [McAfee], WORM_SASSER.A [Trend], Worm.Win32.Sasser.a [Kaspersky], W32/Sasser-A [Sophos], Win32.Sasser.A [Computer Associates], Sasser [F-Secure], W32/Sasser.A.worm [Panda])
  # Added: September 28, 2004
  # Info: http://www.kb.cert.org/vuls/id/753212
  # Info: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
  # Removal: http://securityresponse.symantec.com/avcenter/tools.list.html
  # NOTE(review): the referenced advisory (MS04-011) concerns the LSASS
  # service, which Sasser spreads through rather than HTTP; the two
  # "_vti_" paths below look like FrontPage Server Extensions probes.
  # Confirm the attribution before relying on this label in reports.
  sasser_1 = {
    label = "Sasser"
    substring = "/_vti_inf.html"
  }
  sasser_2 = {
    label = "Sasser"
    substring = "/_vti_bin/shtml.exe/_vti_rpc"
  }

  # Webdav (W32/Nachi.worm.b [McAfee], W32/Nachi-B [Sophos], Win32.Nachi.B [Computer Associates], WORM_NACHI.B [Trend], Worm.Win32.Welchia.b [Kaspersky])
  # Added: March 17, 2003
  # Info: http://www.cert.org/advisories/CA-2003-09.html
  # Removal: http://securityresponse.symantec.com/avcenter/tools.list.html
  # NOTE(review): the value uses doubled backslashes; this assumes the
  # parser reduces "\\" to a single backslash before matching — confirm.
  webdav = {
    label = "WEBDAV"
    substring = "/\\0x90\\0x02\\0xb1"
  }

  # Microsoft SharePoint™ Portal Server
  # Added: 1-Jun-1993
  # NOTE(review): the "Added" date above predates the product and looks
  # like a typo; confirm the intended date.
  # Info: http://www.microsoft.com/sharepoint/
  # No removal is required, this is not a worm,
  # but skews the log data sufficiently to warrant removal
  # of this data from the log. A log filter could be created
  # to do this but we have included it here for speed.
  # These are benign client requests, not attack traffic; they are listed
  # here only so they are filtered out alongside the worm hits.
  sharepoint_1 = {
    label = "SharePoint"
    substring = "/MSOffice/cltreq.asp?"
  }
  sharepoint_2 = {
    label = "SharePoint"
    substring = "/_vti_bin/owssvr.dll?"
  }
} # worms