Jun 23 2004, 11:43 AM
Post #1
Security Reporter | Group: News Reporters | Posts: 491 | Joined: 10-April 04 | From: Roanoke, Virginia | Member No.: 107
Korgo Overview: This worm exploits vulnerable Microsoft Windows systems. The worm scans IP addresses in the class A or class B subnets as well as random IP addresses, sending SYN packets on TCP port 445 to identify potential victims. Exploit code is then sent to the host to overflow a buffer in LSASS.EXE and execute the virus on the victim system.

Korgo Removal Tool
http://securityresponse.symantec.com/avcen...moval.tool.html

MS04-011 Security Bulletin - the key Prevention patch needed:
http://www.microsoft.com/technet/security/...n/MS04-011.mspx

Korgo.R
http://vil.nai.com/vil/content/v_126344.htm
This new variant is a repacked version of its predecessor. Kindly refer to W32/Korgo.worm.p for more information.

Korgo.Q
http://vil.nai.com/vil/content/v_126343.htm
This self-executing worm spreads by exploiting an MS04-011 Microsoft Windows vulnerability. The worm spreads with a random filename and acts as a remote access server to allow an attacker to control the compromised system.

Korgo.P
http://vil.nai.com/vil/content/v_126343.htm
This self-executing worm spreads by exploiting an MS04-011 Microsoft Windows vulnerability. The worm spreads with a random filename and acts as a remote access server to allow an attacker to control the compromised system.

Korgo.O
http://www.symantec.com/avcenter/venc/data/w32.korgo.o.html
W32.Korgo.O is a variant of W32.Korgo.I. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP ports 113, 5111 and a random port between 256 and 8191.

Korgo.N
http://www.symantec.com/avcenter/venc/data/w32.korgo.n.html
W32.Korgo.N is a variant of W32.Korgo.I. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP ports 113, 5111 and a random port between 256 and 8191.

Korgo.M
http://www.symantec.com/avcenter/venc/data/w32.korgo.m.html
W32.Korgo.M is a variant of W32.Korgo.I. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP port 113 and other random ports between 2000 and 8192.
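The network behaviour described in the post (listeners on TCP 113 and 5111, SYN probes to TCP 445) can be turned into a host triage check over Windows `netstat -an` style output. This is an added example, not part of the original post or of any vendor tool; the sample output, the addresses and the threshold of 5 targets are constructed assumptions.

```python
import re

FIXED_PORTS = {113, 5111}  # listener ports the post gives for Korgo.N and Korgo.O
SCAN_PORT = 445            # port the post says the worm probes with SYN packets
SCAN_THRESHOLD = 5         # assumption: distinct half-open targets worth flagging

# Matches TCP rows of Windows `netstat -an` output: local, remote, state.
ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def analyze(netstat_text, threshold=SCAN_THRESHOLD):
    """Return Korgo-style indicators found in netstat -an text."""
    listeners, targets = set(), set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        lport, raddr, rport, state = m.groups()
        if state == "LISTENING":
            listeners.add(int(lport))
        elif state == "SYN_SENT" and int(rport) == SCAN_PORT:
            targets.add(raddr)  # half-open outbound probe to TCP 445
    fixed = sorted(listeners & FIXED_PORTS)
    scanning = len(targets) >= threshold
    return {
        "fixed_listeners": fixed,
        "syn_445_targets": len(targets),
        "scanning": scanning,
        # Both fixed ports together, or a 445 fan-out, warrants a closer look.
        "suspect": set(fixed) == FIXED_PORTS or scanning,
    }

# Constructed samples (documentation address ranges), not captured from a real host.
SAMPLE_SUSPECT = (
    "  TCP    0.0.0.0:113       0.0.0.0:0       LISTENING\n"
    "  TCP    0.0.0.0:445       0.0.0.0:0       LISTENING\n"
    "  TCP    0.0.0.0:5111      0.0.0.0:0       LISTENING\n"
    + "".join(f"  TCP    192.0.2.10:{1040 + i}   198.51.100.{i}:445   SYN_SENT\n"
              for i in range(1, 7))
)
SAMPLE_CLEAN = (
    "  TCP    0.0.0.0:135       0.0.0.0:0       LISTENING\n"
    "  TCP    0.0.0.0:445       0.0.0.0:0       LISTENING\n"
    "  TCP    192.0.2.20:1050   192.0.2.5:445   ESTABLISHED\n"
)

if __name__ == "__main__":
    for name, text in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        print(name, analyze(text))
```

A listener on 113 alone is weak evidence, since that port is also used by ident services; the random listener port the post mentions cannot be matched by number and needs a per-host baseline instead.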