Posted 14 December 2004 - 04:10 PM
Over the past weekend, we have experienced an outbreak of the Korgo virus on our network.
My situation is this:
On Friday we opened a MIP (NetScreen NAT) on our firewall mapping an outside legal Internet address directly to an internal 10.11.1.23 address for use of pcAnywhere.
The internal address is protected by McAfee VirusScan Enterprise.
My log files from the PC over the weekend show LSASS.EXE 'Blocked by bufferflow protection'.
We have a 99% majority of our computers running this protection program, in addition to the ePolicy console to update the DAT files.
This MIP was taken down on Monday morning.
On Tuesday, some of the 1% unprotected computers began filling our outbound Internet connection using port 445. We ran a scan on the PC that had the MIP in question and found no viruses.
We ran a scan on the unprotected PCs that have a 192.0.0.# address and found Korgo.F.
We ran a scan on 4 unprotected PCs that have a 10.11.4.# address and found no viruses.
We have since corrected the remaining 1% of PCs.
Here is the question.
Can the rest of the unprotected internal PCs be affected if the NAT is to an address that is blocking the virus?
In other words, was the Korgo virus already present in the 192 network PCs, or were the 192 network PCs infected at the time that the NAT was open? And if so, why did the 10.11.4 network not get infected?
I guess I am looking for how KORGO infects a network.
Thanks to anyone in advance.
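Korgo spreads on its own by scanning TCP port 445 for Windows hosts that still have the unpatched LSASS vulnerability (MS04-011); an infected machine then tries many addresses in a row, which is exactly the outbound port 445 flood described above. The script below is an added example, not part of the post or of any vendor tool: it reads firewall log lines and flags internal hosts that contact an unusually large number of distinct destinations on port 445. The log format, the addresses and the threshold are all constructed for the example; a real NetScreen syslog line looks different, so the regular expression would need adjusting.

```python
"""Flag internal hosts fanning out on TCP/445, the port Korgo scans.

The log line format used here is a constructed, simplified one for this
example (not NetScreen's real syslog format). Addresses come from the
RFC 5737 documentation ranges plus the internal ranges mentioned in the post.
"""
import re
from collections import defaultdict

# Constructed sample log: one host on the 192.0.0.x network behaving like a
# scanner (25 distinct outside targets on 445), one host doing ordinary SMB
# to a single internal server, and one host browsing the web on port 80.
def build_sample_log():
    lines = []
    for i in range(1, 26):
        lines.append(
            f"2004-12-14 09:01:{i % 60:02d} src=192.0.0.15:{1030 + i} "
            f"dst=203.0.113.{i}:445 proto=TCP action=permit"
        )
    lines.append("2004-12-14 09:02:00 src=10.11.4.20:1100 dst=10.11.1.5:445 proto=TCP action=permit")
    lines.append("2004-12-14 09:02:05 src=10.11.4.20:1101 dst=10.11.1.5:445 proto=TCP action=permit")
    lines.append("2004-12-14 09:03:00 src=10.11.1.23:1200 dst=203.0.113.50:80 proto=TCP action=permit")
    return lines

# Pulls source IP, destination IP and destination port out of a sample line.
LINE_RE = re.compile(
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ "
    r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) proto=TCP"
)

def count_445_fanout(lines):
    """Return {source IP: number of distinct destinations contacted on TCP/445}."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m is None or m.group("dport") != "445":
            continue  # unparseable line or not port 445: ignore
        targets[m.group("src")].add(m.group("dst"))
    return {src: len(dsts) for src, dsts in targets.items()}

def suspected_scanners(lines, threshold=10):
    """Sources whose distinct-destination count on 445 meets the threshold.

    Normal SMB use touches a handful of file servers; a worm touches many
    addresses it has never spoken to. The threshold is an assumption and
    should be tuned to the network (an SMB-heavy site will need a higher one).
    """
    fanout = count_445_fanout(lines)
    return sorted(src for src, n in fanout.items() if n >= threshold)

if __name__ == "__main__":
    log = build_sample_log()
    for src, n in sorted(count_445_fanout(log).items()):
        print(f"{src:<15} distinct 445 destinations: {n}")
    print("suspected scanners:", suspected_scanners(log))
```

Run against the constructed log this reports only 192.0.0.15; the host doing legitimate SMB to one server stays below the threshold and the port 80 traffic is never counted. In the scenario described above, the same count would also show whether any 10.11.4.x host was reaching out on 445, which is the first thing to check before concluding that network was untouched.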