#1
Hi all, just to let you know: this Korgo worm is rather like the Sasser worm, but even though you may have the patch for Sasser it might still slip through (it did with me). If you have a firewall, enable it now, update your antivirus etc.; if you use McAfee, download the EXTRA.DAT file. Our company has been hit really hard by this virus. Just to let people know what's going on.

matty G
#2
Hi bob_man_uk

To add some more information about this worm, Symantec has a description of the most recent variant here, W32.Korgo.O: "This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP ports 113, 5111 and a random port between 256 and 8191." And they have a removal tool for some of the variants, including the most recent one, here: W32.Korgo Removal Tool.

Regards, snap

@-`-,--
#3
Here is some more info.

Development continues as more variants are being added to the growing Korgo worm family. The MS04-011 security patch is needed as the virus family continues to grow with new functional or repackaged variants.

Korgo Overview: This worm exploits vulnerable Microsoft Windows systems. The worm scans IP addresses in the class A or class B subnets as well as random IP addresses, sending SYN packets on TCP port 445 to identify potential victims. Exploit code is then sent to the host to overflow a buffer in LSASS.EXE and execute the virus on the victim system.

Korgo Removal Tool: http://securityresponse.symantec.com...oval.tool.html

MS04-011 Security Bulletin (the key prevention patch needed): http://www.microsoft.com/technet/sec.../MS04-011.mspx

Korgo.R - http://vil.nai.com/vil/content/v_126344.htm
This new variant is a repacked version of its predecessor. Kindly refer to W32/Korgo.worm.p for more information.

Korgo.Q - http://vil.nai.com/vil/content/v_126343.htm
This self-executing worm spreads by exploiting an MS04-011 Microsoft Windows vulnerability. The worm spreads with a random filename and acts as a remote access server to allow an attacker to control the compromised system.

Korgo.P - http://vil.nai.com/vil/content/v_126343.htm
This self-executing worm spreads by exploiting an MS04-011 Microsoft Windows vulnerability. The worm spreads with a random filename and acts as a remote access server to allow an attacker to control the compromised system.

Korgo.O - http://www.symantec.com/avcenter/ven...2.korgo.o.html
W32.Korgo.O is a variant of W32.Korgo.I. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP ports 113, 5111 and a random port between 256 and 8191.

Korgo.N - http://www.symantec.com/avcenter/ven...2.korgo.n.html
W32.Korgo.N is a variant of W32.Korgo.I. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP ports 113, 5111 and a random port between 256 and 8191.

Korgo.M - http://www.symantec.com/avcenter/ven...2.korgo.m.html
W32.Korgo.M is a variant of W32.Korgo.I. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP port 113 and other random ports between 2000 and 8192. The Mul

__________________
OUTPOST BETA TESTER WINDOWS 7 PRO 64 BIT, SP1, DUO CORE 2 OVERCLOCKED 3.4 GHZ 4 Gb PC6400 RAM 800MHZ AVIRA ANTIVIRUS PREMIUM 2013 - Outpost PRO 8.0(4164.652.1856) - MBAM PRO V 1.70 - WINPATROL PLUS V 26.0 - HITMAN PRO 3.7.0
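The vendor write-ups quoted in posts #2 and #3 give two network-visible traits of Korgo: SYN sweeps against TCP 445 across many hosts, and backdoor listeners on TCP 113, 5111 or a random port in 256-8191 on infected machines. The following added example (not from the thread or any vendor tool) turns those traits into triage logic over a constructed connection log; the log format, the scan threshold and the sample addresses are assumptions.

```python
from collections import defaultdict

EXPLOIT_PORT = 445                 # LSASS exploit target (MS04-011)
FIXED_LISTEN_PORTS = {113, 5111}   # fixed backdoor listeners named in the write-ups
RANDOM_LISTEN_RANGE = range(256, 8192)  # "random port between 256 and 8191"
SCAN_THRESHOLD = 5                 # distinct 445 targets per source; assumed, tune per site

# Constructed sample log, one TCP segment per line: "src:sport dst:dport flags"
# (S = SYN, SA = SYN/ACK). Addresses are invented for the example.
SAMPLE_LOG = """\
10.0.0.5:1030 10.0.1.1:445 S
10.0.0.5:1031 10.0.1.2:445 S
10.0.0.5:1032 10.0.1.3:445 S
10.0.0.5:1033 10.0.1.4:445 S
10.0.0.5:1034 10.0.1.5:445 S
10.0.0.5:1035 10.0.1.6:445 S
10.0.1.6:445 10.0.0.5:1035 SA
10.0.0.9:2001 10.0.1.6:5111 S
10.0.1.6:5111 10.0.0.9:2001 SA
10.0.0.7:3333 10.0.1.20:80 S
10.0.1.20:80 10.0.0.7:3333 SA
"""

def parse(line):
    src, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport), flags

def find_scanners(log, threshold=SCAN_THRESHOLD):
    """Sources that SYN'd port 445 on at least `threshold` distinct hosts (worm sweep)."""
    targets = defaultdict(set)
    for line in log.splitlines():
        sip, _, dip, dport, flags = parse(line)
        if dport == EXPLOIT_PORT and flags == "S":
            targets[sip].add(dip)
    return {sip: len(t) for sip, t in targets.items() if len(t) >= threshold}

def find_backdoor_listeners(log):
    """Hosts that were probed on 445 and later answered SYN/ACK on a Korgo backdoor port.
    The 256-8191 rule is noisy (it covers many legitimate services), so treat the
    result as a triage list, not a verdict; port 445 itself is excluded."""
    probed_on_445, listeners = set(), defaultdict(set)
    for line in log.splitlines():
        sip, sport, dip, dport, flags = parse(line)
        if dport == EXPLOIT_PORT and flags == "S":
            probed_on_445.add(dip)
        elif (flags == "SA" and sip in probed_on_445 and sport != EXPLOIT_PORT
              and (sport in FIXED_LISTEN_PORTS or sport in RANDOM_LISTEN_RANGE)):
            listeners[sip].add(sport)
    return {host: sorted(ports) for host, ports in listeners.items()}
```

Running both functions over the sample flags 10.0.0.5 as a scanner (6 distinct 445 targets) and 10.0.1.6 as a probable victim answering on 5111; the web server on 80 is left alone.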
#4
OK, interesting stuff. What if you were on the receiving end of this? In the past few days I received numerous LSASS error messages which shut down my machine (my machine is highly unstable and wouldn't allow me to fix the patch), so eventually I installed a firewall and blocked everything coming in. Now I have scanned my machine three or four times with Panda and McAfee (EXTRA.DAT at the time), but it never came up with anything. I used Observer from Network Instruments to scan the packets being transmitted on the network, and sure enough, even before activating the firewall I was being attacked. So here's the question: WHY? Why did I get attacked but not infected?

mattyG
#6
WORM_KORGO.T is a memory-resident worm that propagates by injecting a thread into the Windows Taskbar process that exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. If injecting the thread fails, WORM_KORGO.T attempts to access one of several Web sites, including some located in the Russian Federation, to download a copy of the worm.
Once inside a system, WORM_KORGO.T drops a randomly-named copy of itself in the Windows System Folder, adds itself to the Windows registry to execute at every system startup, and attempts to delete the file FTPUPD.EXE. The worm also leaves a marker under the Windows registry that signifies that a system has already been infected. The worm is also capable of removing autostart entries of other worm programs. WORM_KORGO.T is currently in the wild and affects Windows NT, 2000, and XP operating systems. If you would like to scan your computer for WORM_KORGO.T or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free online virus scanner at: http://housecall.trendmicro.com

WORM_KORGO.T is detected and cleaned by Trend Micro pattern file 1.912.00 and above.