Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Question on a virus infection


  • Please log in to reply
1 reply to this topic

#1 mhaakens

mhaakens

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:03 PM

Posted 14 December 2004 - 04:10 PM

Over the past weekend, we have experienced an outbrake of the korgo virus on our network.
My situation is this:
Friday we opened a MIP (Netscreen NAT) on our firewall directly with an outside legal internet address to an internal 10.11.1.23 address for use of PCAnywhere.
The internal address is protected by mcaffee virus scan enterprise.
My log files from the pc over the weekend show LSASS.EXE 'Blocked by bufferflow protection'.
We have a 99% majority of our computers running this protection program in addition to epolicy console to update the dat files.
This MIP was taken down on Monday morning am.
On Tuesday, some of the 1% not protected computers began filling our outbound internet using port 445. We ran a scan on the pc that had the MIP in question, and found no viruses.
We ran a scan on the unprotected pc's that have a 192.0.0.# address and found korgo.f.
We ran a scan on 4 unprotected pc's that have a 10.11.4.# address and found no viruses.
We have since corrected the remaining 1% pc's.

Here is the question.
Can the rest of the unprotected internal pc's be affected if the NAT is to an address that is blocking the virus?
In otherwords, was the KORGO virus already present in the 192 network pc's, or were the 192 network pc's infected at the time that the NAT was open and if so, why did the 10.11.4 network not get infected.

I guess I am looking for how KORGO infects a network.

Thanks to anyone in advance
mikeh

BC AdBot (Login to Remove)

 


m

#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,400 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:03 PM

Posted 23 December 2004 - 12:08 AM

It depends...did you open only the specific ports (ie 5631/5632) in NAT or did you do a full static translation (big no no)

It is possible that the natted machine got hit by an exploit that wasnt detected by mcafee. This can happen.

I am not familiar with korgo, but if its a worm that spreads using exploits then it could have jumped from machine to machine.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users