[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Re: New Worm Discovery - Potential Korgo Variant

To: <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: [Full-Disclosure] Re: New Worm Discovery - Potential Korgo Variant
From: "Helmut Hauser" <helmut.hauser@xxxxxxxxxxxx>
Date: Thu, 24 Jun 2004 20:01:04 +0200

In my opinion
this is an unknown Agobot variant [as told from NAI]

TrendMicro calls it:
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=DOS_AGOBOT%2EGEN
(it changes the host file)
It is packed with one of the latest PECompact.

Put itself in the usual suspect run keys + services as Display Driver
VDisp.exe

Run autoruns from www.sysinternals.com, there are the entries for startup

Would it never stop ?

The author of agobot was (thankfully) arrested, but the source is in the
wild
and some script kiddies are still there :(

Helmut Hauser

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: SV: MCAFEE E-MAIL SCAN ALERT!~RE: [FULL-DISCLOSURE] NEW WORM DISCOVERY - POTENTIAL KORGO VARIANT
Next by Date: Re: [Full-Disclosure] Evidence of a ISC being hacked?
Previous by thread: Re: [Full-Disclosure] IE exploit runs code from graphics?
Next by thread: [Full-Disclosure] [ GLSA 200406-19 ] giFT-FastTrack: remote denial of service attack
Index(es):
- Date
- Thread