Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

From: Aditya, ALD [ Aditya Lalit Deshmukh ] (aditya.deshmukh_at_online.gateway.technolabs.net)
Date: 06/25/04

  • Next message: lsi: "[Full-Disclosure] defamatory joe job attack by botnet" 
    To: "Michael Young" <mikeyoung@milestechnologies.com>, <full-disclosure@lists.netsys.com>
Date: Fri, 25 Jun 2004 09:04:53 +0530



      Yesterday a large client of ours was taken down by what appears to be a Korgo variant, but I have been unable to locate any information on this worm. From what we have discovered, the main process is 'VDisp.exe'. It is spreading through unpatched systems vulnerable to the LSASS exploit, and propagates itself through a serious of randomly chosen ports. The worm creates randomly generated services that initialize the process, and also creates a registry entry in RunServices and Run to load. I am anxious to hear any feedback anyone has regarding this issue as we are still attempting to reduce network traffic and alleviate any remaining issues. I have attached a copy of the executable (rename to .exe).









      Where is the .exe file ? if possible write a snort sig for this to isolate which machines are infected and patch them ! for the services if you find any unfamiliar services simply stop them and set the autostart to disables also make a script like this and just run it from the login script and have that script run on all the machies also if possible put the patch in this script also.



      -Aditya





    éb½êÞvë"ž axZÞx÷«²‰Ú”Gb¶*'¡óŠ[kj¬0Âf¢–ÚÚ©Ê&

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: lsi: "[Full-Disclosure] defamatory joe job attack by botnet"