Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant
- To: Michael Young <mikeyoung@xxxxxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant
- From: joe smith <joe@xxxxxxxxxxxxxxxxxxx>
- Date: Thu, 24 Jun 2004 10:27:44 -0500
Kaspersky detects it as Backdoor.Agobot.gen. So another one of the many
other Agobot variants.
Michael Young wrote:
Yesterday a large client of ours was taken down by what appears to be
a Korgo variant, but I have been unable to locate any information on
this worm. From what we have discovered, the main process is
‘VDisp.exe’. It is spreading through unpatched systems vulnerable to
the LSASS exploit, and propagates itself through a series of randomly
chosen ports. The worm creates randomly generated services that
initialize the process, and also creates a registry entry in
RunServices and Run to load. I am anxious to hear any feedback anyone
has regarding this issue as we are still attempting to reduce network
traffic and alleviate any remaining issues. I have attached a copy of
the executable (rename to .exe).
Thank you,
Michael Young
IT Consultant
Miles Technologies
(800)-496-8001
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html