apparent new virus, same threat as sasser/blaster etc.
arrowsmithmidwest
June 7th, 2004, 09:27 PM
Hey all,
I'm hearing about a new virus which has the same/similar threats as Blaster and Sasser.
I want to know how I can give support on this virus, which I don't even know the name of yet, before customers start ringing and coming in about it.
It is supposed to be getting passwords off computers and sending them back somewhere. Sounds just like a bad trojan, but it is working at a higher security threat level.
Anyone got any ideas on what it is and where a patch is, etc.?
Can't find anything on the Microsoft site yet.
Thanks guys
ronjor
June 7th, 2004, 09:43 PM
{QUOTE-> Hey all,
I'm hearing about a new virus which has the same/similar threats as Blaster and Sasser.
I want to know how I can give support on this virus, which I don't even know the name of yet, before customers start ringing and coming in about it.
It is supposed to be getting passwords off computers and sending them back somewhere. Sounds just like a bad trojan, but it is working at a higher security threat level.
Anyone got any ideas on what it is and where a patch is, etc.?
Can't find anything on the Microsoft site yet.
Thanks guys <-QUOTE}
arrowsmithmidwest
Where is this info located?
arrowsmithmidwest
June 7th, 2004, 09:55 PM
A work mate heard it on the news.
I think this may even be it and it was just misinterpreted (spelling) as a worse virus.
Discovered on 7th June '04.
W32.Korgo.H is a variant of W32.Korgo.F. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108), described in Microsoft Security Bulletin MS04-011. It uses TCP port 445 to do this.
W32.Korgo.H listens on TCP ports 113, 3067, and a random port (256-8191).
Variants: W32.Korgo.F
Type: Worm
Infection Length: 10,879 bytes
Systems Affected: Windows 2000, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 3.x, Windows 95, Windows 98, Windows Me
CVE References: CAN-2003-0533
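The write-up above gives a defender a concrete listener profile to check for: TCP 113, TCP 3067, and one random port in 256-8191. This is an added example (not from the thread or from Symantec) that parses constructed Windows `netstat -an` output and grades the open ports against that profile; the allow-list of known-service ports is an assumption to tune per environment.

```python
import re
# Listener profile from the Symantec W32.Korgo.H write-up quoted in the thread:
# fixed TCP ports 113 and 3067 plus one random port in 256-8191.
KORGO_FIXED_PORTS = {113, 3067}
KORGO_RANDOM_RANGE = range(256, 8192)
# Assumed allow-list of in-range ports used by legitimate services; tune it.
ASSUMED_KNOWN_SERVICES = {445, 1025, 3389}
# LISTENING rows of Windows `netstat -an` (format assumed from 2000/XP output).
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)

def parse_listening_ports(netstat_text):
    """Return local TCP ports in LISTENING state, in file order."""
    ports = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.append(int(m.group(1)))
    return ports

def classify_port(port):
    """'high' for a fixed Korgo port, 'low' for an unexplained in-range port."""
    if port in KORGO_FIXED_PORTS:
        return "high"
    if port in KORGO_RANDOM_RANGE and port not in ASSUMED_KNOWN_SERVICES:
        return "low"
    return None

def korgo_indicators(netstat_text):
    """Map each suspicious listening port to its confidence level."""
    findings = {}
    for port in parse_listening_ports(netstat_text):
        level = classify_port(port)
        if level is not None:
            findings[port] = level
    return findings

def looks_infected(findings):
    """Both fixed ports open together is the strong signal; a lone random-range port is only a lead."""
    high = {p for p, level in findings.items() if level == "high"}
    return KORGO_FIXED_PORTS <= high

# Constructed sample, not a capture from a real machine.
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1036           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1037      10.0.0.5:445           SYN_SENT
"""
```

The SYN_SENT row to a remote port 445 is deliberately ignored by the listener check; outbound 445 connection bursts are the propagation side of the same worm and belong in a separate firewall-log check.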
ronjor
June 7th, 2004, 10:01 PM
{QUOTE-> A work mate heard it on the news.
I think this may even be it and it was just misinterpreted (spelling) as a worse virus.
Discovered on 7th June '04.
W32.Korgo.H is a variant of W32.Korgo.F. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108), described in Microsoft Security Bulletin MS04-011. It uses TCP port 445 to do this.
W32.Korgo.H listens on TCP ports 113, 3067, and a random port (256-8191).
Variants: W32.Korgo.F
Type: Worm
Infection Length: 10,879 bytes
Systems Affected: Windows 2000, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 3.x, Windows 95, Windows 98, Windows Me
CVE References: CAN-2003-0533 <-QUOTE}
NOD hasn't updated since the 4th. If this new Korgo isn't covered, we should get an update soon.
I have had as many as six updates a day during outbreaks.
NOD32 - v.1.781 (20040604)
Virus signature database updates:
IRC/SdBot.ATI, Win32/Agobot.3.ACE, Win32/DiskMaster.E, Win32/Gobot.W, Win32/Korgo.B, Win32/Korgo.E, Win32/Korgo.F, Win32/Korgo.G, Win32/Pandora.L, Win32/Plexus.C, Win32/Plexus.D, Win32/PSW.Hooker.C, Win32/PSW.Hooker.D, Win32/SecondThought.I, Win32/Snowdoor.39, Win32/Spy.Idly.C, Win32/Spy.VB.A, Win32/StartPage.BI, Win32/TrojanDownloader.Agent.AH, Win32/TrojanDownloader.Apropo.D, Win32/TrojanDownloader.Delf.BJ, Win32/TrojanDownloader.IstBar.ES, Win32/TrojanDownloader.Mafia.A, Win32/TrojanDropper.Small.GJ
arrowsmithmidwest
June 7th, 2004, 10:09 PM
{QUOTE-> NOD hasn't updated since the 4th. If this new Korgo isn't covered, we should get an update soon.
I have had as many as six updates a day during outbreaks.
NOD32 - v.1.781 (20040604)
Virus signature database updates:
IRC/SdBot.ATI, Win32/Agobot.3.ACE, Win32/DiskMaster.E, Win32/Gobot.W, Win32/Korgo.B, Win32/Korgo.E, Win32/Korgo.F, Win32/Korgo.G, Win32/Pandora.L, Win32/Plexus.C, Win32/Plexus.D, Win32/PSW.Hooker.C, Win32/PSW.Hooker.D, Win32/SecondThought.I, Win32/Snowdoor.39, Win32/Spy.Idly.C, Win32/Spy.VB.A, Win32/StartPage.BI, Win32/TrojanDownloader.Agent.AH, Win32/TrojanDownloader.Apropo.D, Win32/TrojanDownloader.Delf.BJ, Win32/TrojanDownloader.IstBar.ES, Win32/TrojanDownloader.Mafia.A, Win32/TrojanDropper.Small.GJ <-QUOTE}
Well, it's there in the RED.
The discovery date was the date on the Symantec site.
So maybe that's the date that Norton added it into their database???
ronjor
June 7th, 2004, 10:23 PM
I would say H is the latest version.
W32.Korgo.H is a variant of W32.Korgo.F. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108), described in Microsoft Security Bulletin MS04-011. It uses TCP port 445 to do this.
W32.Korgo.H listens on TCP ports 113, 3067, and a random port (256-8191).
Variants: W32.Korgo.F
Type: Worm
Infection Length: 10,879 bytes
I would hope that your customers are aware of the windows patch also.
A thought.
:)
sir_carew
June 7th, 2004, 10:33 PM
Apparently, today ESET hasn't analyzed anything.
I sent many samples (about 30) and they haven't made an update or replied to my message. I think they're busy with the next version of NOD and will analyze customers' samples soon.
arrowsmithmidwest
June 7th, 2004, 10:58 PM
{QUOTE->
I would hope that your customers are aware of the windows patch also.
A thought.
:) <-QUOTE}
Yeah, I checked; the patch which stops Sasser is actually the same patch that stops Korgo.F,
so it is already covered by the Microsoft patch.
ronjor
June 8th, 2004, 08:34 PM
{QUOTE-> Yeah, I checked; the patch which stops Sasser is actually the same patch that stops Korgo.F,
so it is already covered by the Microsoft patch. <-QUOTE}
Today's update 06/08/04
NOD32 - v.1.782 (20040608)
Virus signature database updates:
IRC/SdBot.ATJ, IRC/SdBot.ATK, IRC/SdBot.ATL, IRC/SdBot.ATM, IRC/SdBot.ATN, IRC/SdBot.ATO, Java/ClassLoader.Dummy.C, Java/ClassLoader.O, Java/Exploit.Bytverify.E, Java/NoCheat.C, Java/TrojanDownloader.OpenConnection.K, Win32/Agobot.3.ACF, Win32/Agobot.3.ACG, Win32/Agobot.3.ACH, Win32/Agobot.3.ACI, Win32/Agobot.3.ACJ, Win32/Agobot.3.ACK, Win32/Agobot.3.ACL, Win32/Agobot.3.ACM, Win32/Agobot.3.ACN, Win32/Agobot.3.ACO, Win32/Agobot.3.ACP, Win32/Agobot.3.ACQ, Win32/Agobot.3.ACR, Win32/Agobot.3.ACS, Win32/Agobot.3.ACT, Win32/Agobot.3.ACU, Win32/Agobot.3.ACV, Win32/Agobot.3.ACW, Win32/Agobot.3.ACX, Win32/Agobot.3.ACY, Win32/Agobot.3.ACZ, Win32/Agobot.3.ADA, Win32/Agobot.3.ADB, Win32/Agobot.3.ADC, Win32/Agobot.3.ADD, Win32/Agobot.3.ADE, Win32/Agobot.3.ADF, Win32/Agobot.3.ADG, Win32/Agobot.3.ADH, Win32/Agobot.3.ADI, Win32/Agobot.3.ADJ, Win32/Agobot.3.ADK, Win32/Agobot.3.ADL, Win32/Agobot.3.ADM, Win32/Agobot.3.ADN, Win32/Agobot.3.ADO, Win32/Agobot.3.ADP, Win32/Agobot.3.ADQ, Win32/Agobot.3.ADR, Win32/Agobot.3.ADS, Win32/Agobot.3.ADT, Win32/Agobot.3.ADU, Win32/Agobot.3.ADV, Win32/Agobot.3.ADW, Win32/Agobot.3.ADX, Win32/Agobot.3.ADY, Win32/Agobot.3.ADZ, Win32/Agobot.NAL, Win32/Bagle.AB2, Win32/Bertle.A, Win32/Delf.BG, Win32/Delf.BQ, Win32/Delf.MW1, Win32/Dialer.BA, Win32/Dialer.NAD, Win32/IRCBot.LE, Win32/Korgo.H, Win32/LanFiltrator.3b, Win32/Nethief.D, Win32/Netsup.A, Win32/PSW.Legendmir.NE, Win32/PSW.QQFile.A, Win32/Qhosts.B, Win32/Rbot.C, Win32/Rbot.D, Win32/Small.AA, Win32/Sneaker.A, Win32/Spy.GWGhost.J, Win32/Spy.KeyLogger.BI, Win32/SpyBot.ADT, Win32/SpyBot.ADU, Win32/StartPage.GV1, Win32/StartPage.IG, Win32/StartPage.IM, Win32/StartPage.IN, Win32/TrojanClicker.Soromo.A, Win32/TrojanClicker.VB.V, Win32/TrojanDownloader.Delf.BT, Win32/TrojanDownloader.Small.FQ, Win32/TrojanDownloader.Small.KN, Win32/TrojanDropper.FunWeb.A, Win32/TrojanDropper.Small.AA, Win32/TrojanDropper.Small.GN, Win32/TrojanDropper.Small.GT, Win32/TrojanDropper.Small.HH, Win32/TrojanProxy.Agent.AB, Win32/TrojanProxy.Ranky.AC, Win32/TrojanProxy.Ranky.AE, Win32/VB.EU
arrowsmithmidwest
June 9th, 2004, 12:20 AM
Well, obviously NOD is doing their job then, hey.
Copyright ©2002 - 2010, Wilders Security Forums