apparant new virus, same threat as sasser/blaster etc.

Discussion in 'NOD32 version 2 Forum' started by arrowsmithmidwest, Jun 7, 2004.

Thread Status:
Not open for further replies.
  1. arrowsmithmidwest

    arrowsmithmidwest Registered Member

    Joined:
    May 12, 2004
    Posts:
    165
    Location:
    Midwest
    hey all,

    im hearing about a new virus which has same/similar threats as the blaster and sasser.

    i want to know how i can give support on this virus which i dont even know the name yet before customers start ringing and coming in about it.

    it is supposed to be getting passwords off computers and sending them back somewhere, sounds just like a bad trojan but it is working on a higher security threat.

    Anyone got any idea's on what it is and where a patch is etc.

    can't find nothing on microsoft site yet.

    Thanks guys
     
    arrowsmithmidwest, Jun 7, 2004
    #1
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,232
    Location:
    Texas
    arrowsmithmidwest

    Where is this info located?
     
    ronjor, Jun 7, 2004
    #2
  3. arrowsmithmidwest

    arrowsmithmidwest Registered Member

    Joined:
    May 12, 2004
    Posts:
    165
    Location:
    Midwest
    a work mate heard it on the news.

    i think this may even be it and it was just misinterpretated(spelling) as a worse virus.


    Discovered on 7th June '04.

    W32.Korgo.H is a variant of W32.Korgo.F. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 1010:cool:, described in Microsoft Security Bulletin MS04-011. It uses TCP port 445 to do this.

    W32.Korgo.H listens on TCP ports 113, 3067, and a random port (256-8191).

    Variants: W32.Korgo.F
    Type: Worm
    Infection Length: 10,879 bytes

    Systems Affected: Windows 2000, Windows XP
    Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 3.x, Windows 95, Windows 98, Windows Me
    CVE References: CAN-2003-0533
     
    arrowsmithmidwest, Jun 7, 2004
    #3
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,232
    Location:
    Texas


    NOD hasn't updated since the 4th. If this new Korgo isn't covered, we should get an update soon.

    I have had as many as six updates a day during outbreaks.


    NOD32 - v.1.781 (20040604)
    Virus signature database updates:
    IRC/SdBot.ATI, Win32/Agobot.3.ACE, Win32/DiskMaster.E, Win32/Gobot.W, Win32/Korgo.B, Win32/Korgo.E, Win32/Korgo.F, Win32/Korgo.G, Win32/Pandora.L, Win32/Plexus.C, Win32/Plexus.D, Win32/PSW.Hooker.C, Win32/PSW.Hooker.D, Win32/SecondThought.I, Win32/Snowdoor.39, Win32/Spy.Idly.C, Win32/Spy.VB.A, Win32/StartPage.BI, Win32/TrojanDownloader.Agent.AH, Win32/TrojanDownloader.Apropo.D, Win32/TrojanDownloader.Delf.BJ, Win32/TrojanDownloader.IstBar.ES, Win32/TrojanDownloader.Mafia.A, Win32/TrojanDropper.Small.GJ
     
    ronjor, Jun 7, 2004
    #4
  5. arrowsmithmidwest

    arrowsmithmidwest Registered Member

    Joined:
    May 12, 2004
    Posts:
    165
    Location:
    Midwest

    Well its there in the RED.
    the discovery date was the date on the symantec site.
    so maybe thats the date that nortons added it into their databaseo_O
     
    arrowsmithmidwest, Jun 7, 2004
    #5
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,232
    Location:
    Texas
    I would say H is the latest version.


    W32.Korgo.H is a variant of W32.Korgo.F. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 1010, described in Microsoft Security Bulletin MS04-011. It uses TCP port 445 to do this.

    W32.Korgo.H listens on TCP ports 113, 3067, and a random port (256-8191).

    Variants: W32.Korgo.F
    Type: Worm
    Infection Length: 10,879 bytes

    I would hope that your customers are aware of the windows patch also.

    A thought.
    :)
     
    ronjor, Jun 7, 2004
    #6
  7. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Apparently, today ESET hasn't analyzed anything.
    I sent many samples (about 30) and they doesn't made a update or reply my message. I think that they're busy in next version of NOD and will analyze customers samples soon.
     
    sir_carew, Jun 7, 2004
    #7
  8. arrowsmithmidwest

    arrowsmithmidwest Registered Member

    Joined:
    May 12, 2004
    Posts:
    165
    Location:
    Midwest

    yeah i checked, the patch which stops sasser actually is the same patch that stops the Korgo.F

    so it is already covered by the microsoft patch
     
    arrowsmithmidwest, Jun 7, 2004
    #8
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,232
    Location:
    Texas
    Todays update 06/08/04


    NOD32 - v.1.782 (2004060:cool:
    Virus signature database updates:
    IRC/SdBot.ATJ, IRC/SdBot.ATK, IRC/SdBot.ATL, IRC/SdBot.ATM, IRC/SdBot.ATN, IRC/SdBot.ATO, Java/ClassLoader.Dummy.C, Java/ClassLoader.O, Java/Exploit.Bytverify.E, Java/NoCheat.C, Java/TrojanDownloader.OpenConnection.K, Win32/Agobot.3.ACF, Win32/Agobot.3.ACG, Win32/Agobot.3.ACH, Win32/Agobot.3.ACI, Win32/Agobot.3.ACJ, Win32/Agobot.3.ACK, Win32/Agobot.3.ACL, Win32/Agobot.3.ACM, Win32/Agobot.3.ACN, Win32/Agobot.3.ACO, Win32/Agobot.3.ACP, Win32/Agobot.3.ACQ, Win32/Agobot.3.ACR, Win32/Agobot.3.ACS, Win32/Agobot.3.ACT, Win32/Agobot.3.ACU, Win32/Agobot.3.ACV, Win32/Agobot.3.ACW, Win32/Agobot.3.ACX, Win32/Agobot.3.ACY, Win32/Agobot.3.ACZ, Win32/Agobot.3.ADA, Win32/Agobot.3.ADB, Win32/Agobot.3.ADC, Win32/Agobot.3.ADD, Win32/Agobot.3.ADE, Win32/Agobot.3.ADF, Win32/Agobot.3.ADG, Win32/Agobot.3.ADH, Win32/Agobot.3.ADI, Win32/Agobot.3.ADJ, Win32/Agobot.3.ADK, Win32/Agobot.3.ADL, Win32/Agobot.3.ADM, Win32/Agobot.3.ADN, Win32/Agobot.3.ADO, Win32/Agobot.3.ADP, Win32/Agobot.3.ADQ, Win32/Agobot.3.ADR, Win32/Agobot.3.ADS, Win32/Agobot.3.ADT, Win32/Agobot.3.ADU, Win32/Agobot.3.ADV, Win32/Agobot.3.ADW, Win32/Agobot.3.ADX, Win32/Agobot.3.ADY, Win32/Agobot.3.ADZ, Win32/Agobot.NAL, Win32/Bagle.AB2, Win32/Bertle.A, Win32/Delf.BG, Win32/Delf.BQ, Win32/Delf.MW1, Win32/Dialer.BA, Win32/Dialer.NAD, Win32/IRCBot.LE, Win32/Korgo.H, Win32/LanFiltrator.3b, Win32/Nethief.D, Win32/Netsup.A, Win32/PSW.Legendmir.NE, Win32/PSW.QQFile.A, Win32/Qhosts.B, Win32/Rbot.C, Win32/Rbot.D, Win32/Small.AA, Win32/Sneaker.A, Win32/Spy.GWGhost.J, Win32/Spy.KeyLogger.BI, Win32/SpyBot.ADT, Win32/SpyBot.ADU, Win32/StartPage.GV1, Win32/StartPage.IG, Win32/StartPage.IM, Win32/StartPage.IN, Win32/TrojanClicker.Soromo.A, Win32/TrojanClicker.VB.V, Win32/TrojanDownloader.Delf.BT, Win32/TrojanDownloader.Small.FQ, Win32/TrojanDownloader.Small.KN, Win32/TrojanDropper.FunWeb.A, Win32/TrojanDropper.Small.AA, Win32/TrojanDropper.Small.GN, Win32/TrojanDropper.Small.GT, Win32/TrojanDropper.Small.HH, Win32/TrojanProxy.Agent.AB, Win32/TrojanProxy.Ranky.AC, Win32/TrojanProxy.Ranky.AE, Win32/VB.EU
     
    ronjor, Jun 8, 2004
    #9
  10. arrowsmithmidwest

    arrowsmithmidwest Registered Member

    Joined:
    May 12, 2004
    Posts:
    165
    Location:
    Midwest
    well obviously nod is doing there job then hey.
     
    arrowsmithmidwest, Jun 9, 2004
    #10
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...