Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

["Aditya, ALD [ Aditya Lalit Deshmukh ]" <aditya.deshmukh@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>]

  Yesterday a large client of ours was taken down by what appears to be a Korgo 
variant, but I have been unable to locate any information on this worm.  From 
what we have discovered, the main process is 'VDisp.exe'.  It is spreading 
through unpatched systems vulnerable to the LSASS exploit, and propagates 
itself through a serious of randomly chosen ports.  The worm creates randomly 
generated services that initialize the process, and also creates a registry 
entry in RunServices and Run to load.  I am anxious to hear any feedback anyone 
has regarding this issue as we are still attempting to reduce network traffic 
and alleviate any remaining issues.  I have attached a copy of the executable 
(rename to .exe).









  Where is the .exe file ? if possible write a snort sig for this to isolate 
which machines are infected and patch them ! for the services if you find any 
unfamiliar services simply stop them and set the autostart to disables also 
make a script like this and just run it from the login script and have that 
script run on all the machies also if possible put the patch in this script 
also. 



  -Aditya





Þ?+Þ­çn²)à¶?­ç?z»(?©Dv+b¢z1¨¥¶¶ªÃ&j)m­ª?¢