MS04-011: Korgo.V - Medium Risk by Secunia, spreading to unpatched Windows PCs

Discussion in 'malware problems & news' started by the mul, Oct 29, 2004.

Thread Status:
Not open for further replies.
  1. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    This repackaged variant of the Korgo worm exploits the MS04-011 security vulnerability and has apparantly spread to a number of unpatched PCs. If you are up to date on Microsoft Windows security patches, you will be automatically protected from this new Internet worm.

    MS04-011: Korgo.V - Medium Risk by Secunia
    http://secunia.com/virus_information/10254/korgo.v/
    http://vil.nai.com/vil/content/v_126518.htm
    http://www.f-secure.com/v-descs/korgo_u.shtml
    http://www.pandasoftware.com/virus_info/en...9002&sind=0

    Win32.Korgo.V is a worm that spreads by exploiting the Microsoft Windows LSASS buffer overflow vulnerability. It also opens a backdoor that allows unauthorized access to an affected machine. The worm is distributed as a 9,353-byte Win32 executable. When executed, Korgo.V creates a copy of itself in the System directory using a randomly-generated filename that is between 5 and 8 characters in length.

    The worm generates random IP addresses and attempts to connect to port 445 of the target IP in order to exploit the LSASS buffer overflow vulnerability (MS04-011). The worm cycles through 0 - 255 of the last octet of the generated IP ranges and attempts connection. If the vulnerability exploit is successful, a copy of the worm is downloaded via a random port from the original machine. It creates up to 5 threads to scan through local IP addresses.

    THE MUL
     
Loading...
Thread Status:
Not open for further replies.