Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

MS04-011: Korgo.V - Medium Risk by Secunia


  • Please log in to reply
No replies to this topic

#1 harrywaldron

harrywaldron

    Security Reporter


  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:05:19 AM

Posted 28 October 2004 - 05:05 AM

This repackaged variant of the Korgo worm exploits the MS04-011 security vulnerability and has apparantly spread to a number of unpatched PCs. If you are up to date on Microsoft Windows security patches, you will be automatically protected from this new Internet worm.

MS04-011: Korgo.V - Medium Risk by Secunia
http://secunia.com/virus_information/10254/korgo.v/
http://vil.nai.com/vil/content/v_126518.htm
http://www.f-secure.com/v-descs/korgo_u.shtml
http://www.pandasoftware.com/virus_info/en...9002&sind=0

Win32.Korgo.V is a worm that spreads by exploiting the Microsoft Windows LSASS buffer overflow vulnerability. It also opens a backdoor that allows unauthorized access to an affected machine. The worm is distributed as a 9,353-byte Win32 executable. When executed, Korgo.V creates a copy of itself in the System directory using a randomly-generated filename that is between 5 and 8 characters in length.

The worm generates random IP addresses and attempts to connect to port 445 of the target IP in order to exploit the LSASS buffer overflow vulnerability (MS04-011). The worm cycles through 0 - 255 of the last octet of the generated IP ranges and attempts connection. If the vulnerability exploit is successful, a copy of the worm is downloaded via a random port from the original machine. It creates up to 5 threads to scan through local IP addresses.

http://www3.ca.com/securityadvisor/virusinfo/showimage.aspx?caid=39430&name=sasser_crash.gif

BC AdBot (Login to Remove)

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users