Development continues as more variants are being added to the growing Korgo worm family. The MS04-011 security patch is needed as the virus family continues to grow with new functional or repackaged variants.
Korgo Overview: This worm exploits vulnerable Microsoft Windows systems. The worm scans IP addresses in the class A or class B subnets as well as random IP addresses, sending SYN packets on TCP port 445 to identify potential victims. Exploit code is then sent to the host to overflow a buffer in LSASS.EXE and execute the virus on the victim system.
Korgo Removal Tool
http://securityresponse.symantec.com/avcen...moval.tool.html
MS04-011 Security Bulletin - the key Prevention patch needed:
http://www.microsoft.com/technet/security/...n/MS04-011.mspx
Korgo.R
http://vil.nai.com/vil/content/v_126344.htm
This new variant is a repacked version of its predecessor. Kindly refer to W32/Korgo.worm.p for more information.
Korgo.Q
http://vil.nai.com/vil/content/v_126343.htm
This self-executing worm spreads by exploiting an MS04-011 Microsoft Windows vulnerability. The worm spreads with a random filename and acts as a remote access server to allow an attacker to control the compromised system.
Korgo.P
http://vil.nai.com/vil/content/v_126343.htm
This self-executing worm spreads by exploiting an MS04-011 Microsoft Windows vulnerability. The worm spreads with a random filename and acts as a remote access server to allow an attacker to control the compromised system.
Korgo.O
http://www.symantec.com/avcenter/venc/data/w32.korgo.o.html
W32.Korgo.O is a variant of W32.Korgo.I. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP ports 113, 5111 and a random port between 256 and 8191.
Korgo.N
http://www.symantec.com/avcenter/venc/data/w32.korgo.n.html
W32.Korgo.N is a variant of W32.Korgo.I. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP ports 113, 5111 and a random port between 256 and 8191.
Korgo.M
http://www.symantec.com/avcenter/venc/data/w32.korgo.m.html
W32.Korgo.M is a variant of W32.Korgo.I. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP port 113 and other random ports between 2000 and 8192.
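
Added example (not part of the original post or the vendor write-ups): defensive triage for the behaviour described above. It flags internal hosts sending TCP 445 SYNs to many distinct addresses, and hosts listening on both TCP 113 and 5111 as described for Korgo.N and Korgo.O. The record format, addresses, threshold and function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic): "src dst dport tcp_flags"
SAMPLE_FLOWS = "\n".join(
    [f"10.1.4.23 10.1.{i}.{i * 7} 445 S" for i in range(1, 7)]  # one host, six targets
    + ["10.1.4.50 10.1.0.5 445 S"] * 3                          # normal file-server client
    + ["10.1.0.5 10.1.4.50 49152 SA", "10.1.4.50 10.1.0.9 80 S"]
)

# Constructed inventory of listening TCP ports per host (e.g. from netstat collection)
SAMPLE_LISTENERS = {
    "10.1.4.23": {113, 445, 3067, 5111},
    "10.1.4.40": {113, 445},
    "10.1.4.50": {80, 443},
}

SCAN_THRESHOLD = 5  # assumed: distinct 445 targets before a source is flagged


def find_445_scanners(flow_text, threshold=SCAN_THRESHOLD):
    """Return {src: distinct_target_count} for sources whose bare SYNs on
    TCP 445 reach at least `threshold` different destinations."""
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        src, dst, dport, flags = parts
        if dport == "445" and flags == "S":
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= threshold}


def find_korgo_listeners(listeners):
    """Return {host: [other ports in 256-8191]} for hosts listening on both
    TCP 113 and 5111; the extra ports are context for the analyst."""
    hits = {}
    for host, ports in listeners.items():
        if {113, 5111} <= ports:
            hits[host] = sorted(p for p in ports
                                if 256 <= p <= 8191 and p not in (445, 5111))
    return hits


if __name__ == "__main__":
    print("445 scanners:", find_445_scanners(SAMPLE_FLOWS))
    print("113+5111 listeners:", find_korgo_listeners(SAMPLE_LISTENERS))
```

A host that appears in both results is the strongest candidate for the removal tool and the MS04-011 patch check.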