korgo.worm awareness

Discussion in 'malware problems & news' started by bob_man_uk, Jun 23, 2004.

Thread Status:
Not open for further replies.
  1. bob_man_uk

    bob_man_uk Registered Member

    Joined:
    Jan 21, 2004
    Posts:
    91
    Location:
    United Kingdom
    Hi all, just to let you know this Korgo worm is rather like the Sasser worm, but even though you may have the patch for Sasser it might still slip through (it did with me). If you have a firewall, enable it now, update your antivirus etc., and if you use McAfee download the extra DAT file. Our company has been hit really hard by this virus; just to let people know what's going on.

    matty G
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi bob_man_uk

    To add some more information about this worm, Symantec has a description of the most recent variant here: W32.Korgo_O

    "This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011 ) on TCP port 445. It also listens on TCP ports 113, 5111 and a random port between 256 and 8191."

    And they have a removal tool for some of the variants, including the most recent one, here: W32.Korgo Removal Tool.

    Regards,

    snap
     
  3. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    Here is some more info.

    Development continues as more variants are being added to the growing Korgo worm family. The MS04-011 security patch is needed as the virus family continues to grow with new functional or repackaged variants. [:'(]

    Korgo Overview: This worm exploits vulnerable Microsoft Windows systems. The worm scans IP addresses in the class A or class B subnets as well as random IP addresses, sending SYN packets on TCP port 445 to identify potential victims. Exploit code is then sent to the host to overflow a buffer in LSASS.EXE and execute the virus on the victim system.

    Korgo Removal Tool
    http://securityresponse.symantec.com/avcen...moval.tool.html

    MS04-011 Security Bulletin - the key Prevention patch needed:
    http://www.microsoft.com/technet/security/...n/MS04-011.mspx


    Korgo.R
    http://vil.nai.com/vil/content/v_126344.htm

    This new variant is a repacked version of its predecessor. Kindly refer to W32/Korgo.worm.p. for more information.


    Korgo.Q
    http://vil.nai.com/vil/content/v_126343.htm

    This self-executing worm spreads by exploiting an MS04-011 Microsoft Windows vulnerability. The worm spreads with a random filename and acts as a remote access server to allow an attacker to control the compromised system.


    Korgo.P
    http://vil.nai.com/vil/content/v_126343.htm

    This self-executing worm spreads by exploiting an MS04-011 Microsoft Windows vulnerability. The worm spreads with a random filename and acts as a remote access server to allow an attacker to control the compromised system.


    Korgo_O
    http://www.symantec.com/avcenter/venc/data/w32.korgo.o.html

    W32.Korgo_O is a variant of W32.Korgo.I. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP ports 113, 5111 and a random port between 256 and 8191.


    Korgo.N
    http://www.symantec.com/avcenter/venc/data/w32.korgo.n.html

    W32.Korgo.N is a variant of W32.Korgo.I. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP ports 113, 5111 and a random port between 256 and 8191.


    Korgo.M
    http://www.symantec.com/avcenter/venc/data/w32.korgo.m.html

    W32.Korgo.M is a variant of W32.Korgo.I. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP port 113 and other random ports between 2000 and 8192.



    The Mul
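The two vendor write-ups quoted above give a defender enough to triage a network from firewall flow logs: propagation shows up as one host opening TCP 445 to many distinct peers, and an infected host accepts inbound connections on the listener ports 113 and 5111. The script below is an added example, not code from this thread or from Symantec, McAfee or Trend Micro. It assumes a constructed one-flow-per-line log format (`<timestamp> <src>:<sport> -> <dst>:<dport> ALLOW|DROP`) and an assumed fan-out threshold; the random 256-8191 listener port from the write-up is deliberately not alerted on, since a single port in that range tells you nothing by itself. It separates hosts that merely received 445 probes (attacked, but with no sign of infection) from hosts that exhibit the worm's own behaviour.

```python
"""Triage Korgo-style activity from firewall flow logs.

Added example, not code from the thread or from any vendor. The log format is
a constructed one for this example (one flow per line):
    <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <ACTION>
with ACTION either ALLOW or DROP. The port numbers are the ones quoted in the
thread from the Symantec write-up: propagation attempts on TCP 445 and
backdoor listeners on TCP 113 and 5111 (the random 256-8191 port is not
modelled, as it cannot be told apart from ordinary ephemeral traffic).
"""
from collections import defaultdict
import re

PROPAGATION_PORT = 445
LISTENER_PORTS = {113, 5111}   # fixed listener ports from the write-up

# Assumed threshold: one host touching this many distinct peers on 445 within
# the log window is treated as scanning. Tune for the network in question.
SCAN_FANOUT_THRESHOLD = 5

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>ALLOW|DROP)\s*$"
)


def parse_flow(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = FLOW_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify_hosts(lines):
    """Return {host: label} with label one of:
    'scanning'  - originates 445 attempts to many distinct peers
    'listening' - accepted an inbound connection on a known listener port
    'targeted'  - only received 445 attempts: attacked, no sign of infection
    A host that both scans and listens is labelled 'scanning+listening'.
    """
    fanout = defaultdict(set)    # src -> distinct destinations hit on 445
    targeted = set()
    listening = set()
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        if rec["dport"] == PROPAGATION_PORT:
            fanout[rec["src"]].add(rec["dst"])
            targeted.add(rec["dst"])
        elif rec["dport"] in LISTENER_PORTS and rec["action"] == "ALLOW":
            # A peer reached a backdoor listener port and the firewall let it through.
            listening.add(rec["dst"])

    scanning = {h for h, peers in fanout.items() if len(peers) >= SCAN_FANOUT_THRESHOLD}
    labels = {}
    for host in scanning | listening | targeted:
        tags = []
        if host in scanning:
            tags.append("scanning")
        if host in listening:
            tags.append("listening")
        if not tags:
            tags.append("targeted")
        labels[host] = "+".join(tags)
    return labels


# Constructed sample: 10.0.0.5 scans 445 and serves a listener on 5111;
# 10.0.0.7 is probed on 445 but the firewall drops it and it does nothing
# else, matching the "attacked but not infected" case raised in the thread.
SAMPLE_LOG = """\
2004-06-23T09:00:01 10.0.0.5:1034 -> 10.0.0.7:445 DROP
2004-06-23T09:00:01 10.0.0.5:1035 -> 10.0.0.8:445 DROP
2004-06-23T09:00:02 10.0.0.5:1036 -> 10.0.0.9:445 ALLOW
2004-06-23T09:00:02 10.0.0.5:1037 -> 10.0.1.10:445 DROP
2004-06-23T09:00:03 10.0.0.5:1038 -> 192.168.4.2:445 DROP
2004-06-23T09:00:03 10.0.0.5:1039 -> 172.16.0.20:445 DROP
2004-06-23T09:00:10 10.0.0.12:2049 -> 10.0.0.5:5111 ALLOW
2004-06-23T09:00:11 10.0.0.7:3001 -> 10.0.0.2:80 ALLOW
not a flow line
"""

if __name__ == "__main__":
    for host, label in sorted(classify_hosts(SAMPLE_LOG.splitlines()).items()):
        print(f"{host:14} {label}")
```

On the constructed sample, 10.0.0.5 comes out as `scanning+listening` and the six probed hosts as `targeted`, which is the distinction a scan with a network analyser alone cannot make: seeing inbound 445 attempts means you were in a scanner's address range, not that the exploit succeeded. A host with the MS04-011 patch applied, or with 445 filtered, will appear in the `targeted` set indefinitely without ever moving to `scanning`.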
     
  4. bob_man_uk

    bob_man_uk Registered Member

    Joined:
    Jan 21, 2004
    Posts:
    91
    Location:
    United Kingdom
    OK, interesting stuff. What if you were on the receiving end of this? In the past few days I received numerous LSASS error messages which shut down my machine (my machine is highly unstable and wouldn't allow me to fix the patch), so eventually I installed a firewall and blocked everything coming in. Now I have scanned my machine three or four times with Panda and McAfee (extra.dat at the time), but it never came up with anything. I used Observer from Network Instruments to scan the packets being transmitted on the network, and sure enough, even before activating the firewall I was being attacked. So here's the question: WHY? Why did I get attacked but not infected?

    mattyG
     
  5. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Try scanning in Safe Mode to make sure you're not infected; and run one or more of the Korgo/Sasser removal tools. There are several "Sasser-like" worms, including Korgo, that exploit the LSASS vulnerability. IIRC, Bobax and its variants also use this exploit. ;)
     
  6. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Trend Newsletter: WORM_KORGO.T

    WORM_KORGO.T is a memory-resident worm that propagates by injecting a thread into the Windows Taskbar process that exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. If injecting the thread fails, WORM_KORGO.T attempts to access one of several Web sites, including some located in the Russian Federation, to download a copy of the worm.

    Once inside a system, WORM_KORGO.T drops a randomly-named copy of itself in the Windows System Folder, adds itself to the Windows registry to execute at every system startup, and attempts to delete the file FTPUPD.EXE. The worm also leaves a marker under the Windows registry that signifies that a system has already been infected. The worm is also capable of removing autostart entries of other worm programs.

    WORM_KORGO.T is currently in-the-wild and affects Windows NT, 2000, and XP operating systems.

    If you would like to scan your computer for WORM_KORGO.T or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_KORGO.T is detected and cleaned by Trend Micro pattern file 1.912.00 and above.
     