
 1 rizwank 1.1 # AWSTATS WORMS DATABASE
 2             #-----------------------------------------------------------------------------
 3             # If you want to add worms to extend AWStats database detection capabilities,
 4             # you must add an entry in WormsSearchIDOrder, WormsHashID and WormsHashLib (and in WormsHashTarget, which is keyed by the same worm IDs).
 5             #-----------------------------------------------------------------------------
 6             # $Revision: 1.9 $ - $Author: eldy $ - $Date: 2004/03/04 12:45:10 $
 7             
 8             
 9             #package AWSWORMS;
10             
11             
12             
# WormsSearchIDOrder
# Ordered list of the worm search IDs that are looked for in a URL submitted
# to the web server. The position of an entry is its search order, so keep the
# sequence intact when adding new IDs. IDs are not case sensitive.
# The entries carry regex escapes (\/ \. \? \+) and no anchors; presumably the
# caller applies them as regular expressions anywhere in the URL - confirm
# there before adding a short ID that could also occur in a legitimate request.
# These IDs describe request URLs only: nothing in this file looks at the
# response, so a hit records a probe, not a successful compromise.
#-----------------------------------------------------------------------------
@WormsSearchIDOrder = (
	'\/default\.ida',                       # code_red
	'\/null\.idq',                          # code_red
	'exe\?\/c\+dir',                        # nimda
	'root\.exe',                            # nimda
	'admin\.dll',                           # nimda
	'\/nsiislog\.dll',                      # mpex
	'\/sumthin',                            # sumthin
	'\/winnt\/system32\/cmd\.exe',          # nimda
	'\/_vti_inf\.html',                     # unknown
	'\/_vti_bin\/shtml\.exe\/_vti_rpc',     # unknown
);
30             
# WormsHashID
# Associates each worm search ID with the unique name of the worm it is
# counted under. Several search IDs may point at the same worm name.
# NOTE(review): the two _vti_ paths mapped to 'unknown' are FrontPage Server
# Extensions URLs that legitimate FrontPage/Office clients also request, so
# 'unknown' hits may include non-worm traffic - verify before alerting on them.
#-----------------------------------------------------------------------------
%WormsHashID = (
	# Code Red family
	'\/default\.ida'                    => 'code_red',
	'\/null\.idq'                       => 'code_red',

	# Nimda family
	'exe\?\/c\+dir'                     => 'nimda',
	'root\.exe'                         => 'nimda',
	'admin\.dll'                        => 'nimda',
	'\/winnt\/system32\/cmd\.exe'       => 'nimda',

	# IIS exploit worm
	'\/nsiislog\.dll'                   => 'mpex',

	# Sumthin
	'\/sumthin'                         => 'sumthin',

	# Not attributed to a named worm
	'\/_vti_inf\.html'                  => 'unknown',
	'\/_vti_bin\/shtml\.exe\/_vti_rpc'  => 'unknown',

	# Deliberately left out - not worms, but checks made by IE to see whether
	# the discussion bar is turned on:
	#'/MSOffice/cltreq.asp'
	#'/_vti_bin/owssrv.dll'
);
48             
# WormsHashLib
# Display labels for worms: 'worm unique id in lower case' => 'worm clear text'.
# Every unique worm ID is associated with exactly one label here.
#-----------------------------------------------------------------------------
%WormsHashLib = (
	'code_red' => 'Code Red family worm',
	'mpex'     => 'IIS Exploit worm',
	'nimda'    => 'Nimda family worm',
	'sumthin'  => 'Sumthin worm',
	'unknown'  => 'Unknown worm',
);
60             
# WormsHashTarget
# Targets of worms: 'worm unique id in lower case' => 'worm target clear text'.
# Every unique worm ID is associated with the product it goes after; '?' marks
# a target that is not recorded here.
#-----------------------------------------------------------------------------
%WormsHashTarget = (
	'code_red' => 'IIS',
	'mpex'     => 'IIS',
	'nimda'    => 'IIS',
	'sumthin'  => '?',
	'unknown'  => 'MS products',
);

# A file loaded with require must end on a true value.
1;
