MS04-011: Korgo.V - Medium Risk by Secunia, spreading to unpatched Windows PCs

Discussion in 'malware problems & news' started by the mul, Oct 29, 2004.

Thread Status:
Not open for further replies.
  1. the mul

    the mul Registered Member

    Jul 31, 2003
    This repackaged variant of the Korgo worm exploits the MS04-011 security vulnerability and has apparently spread to a number of unpatched PCs. If you are up to date on Microsoft Windows security patches, you will be automatically protected from this new Internet worm.

    MS04-011: Korgo.V - Medium Risk by Secunia

    Win32.Korgo.V is a worm that spreads by exploiting the Microsoft Windows LSASS buffer overflow vulnerability. It also opens a backdoor that allows unauthorized access to an affected machine. The worm is distributed as a 9,353-byte Win32 executable. When executed, Korgo.V creates a copy of itself in the System directory using a randomly-generated filename that is between 5 and 8 characters in length.

    The worm generates random IP addresses and attempts to connect to port 445 of the target IP in order to exploit the LSASS buffer overflow vulnerability (MS04-011). The worm cycles through 0 - 255 of the last octet of the generated IP ranges and attempts connection. If the vulnerability exploit is successful, a copy of the worm is downloaded via a random port from the original machine. It creates up to 5 threads to scan through local IP addresses.
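
A defender-side illustration of the scanning pattern described in the post above, added here and not part of the original thread or the quoted advisory: it flags any source that contacts many distinct last-octet addresses inside one /24 on port 445 within a short window. The flow-record layout, the addresses, the function names and the thresholds are assumptions constructed for this example.

```python
from collections import defaultdict
from ipaddress import ip_address

def sample_flows():
    """Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)."""
    # One host walking the last octet 0-255 of a /24 on TCP/445.
    flows = [(1000 + i, "10.0.0.23", f"198.51.100.{i}", 445) for i in range(256)]
    # Benign client that keeps talking to the same two file servers.
    flows += [(1000 + 5 * i, "10.0.0.40", f"10.0.0.{5 + i % 2}", 445) for i in range(100)]
    # Wide fan-out on another port, which this check must ignore.
    flows += [(1000 + i, "10.0.0.77", f"203.0.113.{i}", 80) for i in range(100)]
    return flows

def find_smb_sweeps(flows, port=445, min_hosts=64, window=300):
    """Map each sweeping source to [(dst /24, peak distinct hosts in window)].

    min_hosts and window are assumed thresholds; tune them for your network.
    """
    per_pair = defaultdict(list)  # (src, dst /24) -> [(ts, last octet)]
    for ts, src, dst, dport in flows:
        addr = ip_address(dst)
        if dport != port or addr.version != 4:
            continue
        octets = addr.packed
        prefix = ".".join(str(b) for b in octets[:3]) + ".0/24"
        per_pair[(src, prefix)].append((ts, octets[3]))

    hits = defaultdict(list)
    for (src, prefix), events in sorted(per_pair.items()):
        events.sort()
        live = defaultdict(int)  # last octet -> occurrences inside the window
        start = peak = 0
        for ts, octet in events:
            live[octet] += 1
            while ts - events[start][0] > window:  # slide the window forward
                old = events[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            peak = max(peak, len(live))
        if peak >= min_hosts:
            hits[src].append((prefix, peak))
    return dict(hits)

if __name__ == "__main__":
    for src, sweeps in find_smb_sweeps(sample_flows()).items():
        print(src, sweeps)
```

Counting distinct destinations per /24 rather than total connections keeps a busy client of a few file servers from being flagged.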
