Security Incidents mailing list archives
RE: Possible new Korgo variant. WAS: New SDBot variant
From: "Eric Yehle" <eyehle () technicalvelocity com>
Date: Wed, 11 Aug 2004 11:34:35 -0500
Nick,

Thanks for listing those sources.

Eric
Technical Velocity, LLC

-----Original Message-----
From: Christopher Harrington [mailto:charrington () nitrodata com]
Sent: Wednesday, August 11, 2004 8:51 AM
To: incidents () securityfocus com
Cc: nick () virus-l demon co uk
Subject: RE: Possible new Korgo variant. WAS: New SDBot variant

Nick,

What makes you think that I did not submit it? Maybe you should ask if I did without assuming I did not. For the record, this was submitted BEFORE I started my analysis and Trend has identified it as RBOT.GL.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL&VSect=T

I was just trying to give a heads-up to anyone listening.

--Chris

-----Original Message-----
From: Nick FitzGerald [mailto:nick () virus-l demon co uk]
Sent: Tuesday, August 10, 2004 8:48 PM
To: incidents () securityfocus com
Subject: Re: Possible new Korgo variant. WAS: New SDBot variant

Christopher Harrington wrote:

This appears to be a new Korgo variant based on the similarities in behaviors, not an SDbot.
1. It uses the LSASS vuln to spread.
2. It connects to IRC.
3. It listens on port 113.
Stay tuned.....

Instead of just guessing and messing around with this by yourself, had you considered sending it to major antivirus developers so they can get detection of it out (if, in fact, it is widely unknown)?

To save you looking them up, here are the sample submission addresses of the better-known AV developers. I'd suggest that you send the suspect file(s) to several of these you consider trustworthy...

Authentium (Command Antivirus) <virus () authentium com>
Computer Associates (US) <virus () ca com>
Computer Associates (Vet/EZ) <support () vet com au>
DialogueScience (Dr. Web) <Antivir () dials ru>
Eset (NOD32) <sample () nod32 com>
F-Secure Corp. <samples () f-secure com>
Frisk Software (F-PROT) <viruslab () f-prot com>
Grisoft (AVG) <virus () grisoft cz>
H+BEDV (AntiVir, Vexira engine) <virus () antivir de>
Kaspersky Labs <newvirus () kaspersky com>
Network Associates (McAfee) <virus_research () nai com> (use a ZIP file with the password 'infected' without the quotes)
Norman (NVC) <analysis () norman no>
Panda Software <labs () pandasoftware com>
Sophos Plc. <support () sophos com>
Symantec (Norton) <avsubmit () symantec com>
Trend Micro (PC-cillin) <virus_doctor () trendmicro com> (Trend may only accept files from users of its products)

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
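The three behaviours Chris lists for the sample (spreads via the LSASS vulnerability, connects to IRC, listens on port 113) are enough to write a host-level triage rule while waiting for AV signatures. The script below is an added example, not code from this thread or from any AV vendor. It assumes, beyond what the post states, that the LSASS exploit is delivered over SMB on TCP/445 (as with MS04-011 exploitation) and that the IRC channel uses the default TCP/6667; the connection records it reads are constructed, netstat-style lines in a hypothetical "reporter proto local remote state" layout, not captured data.

```python
"""Triage heuristic for the Korgo-like behaviour described in the thread
(spreads via the LSASS vulnerability, connects to IRC, listens on 113).

Added example; not code from the original post or from any AV vendor.
Assumptions not stated on the page: LSASS exploitation is delivered over
SMB, TCP/445; the IRC channel uses TCP/6667. Records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SMB_PORT = 445          # assumption: LSASS exploit is delivered over SMB
IRC_PORTS = {6667}      # assumption: default IRC port
IDENT_PORT = 113        # stated in the post: the worm listens on TCP/113


@dataclass
class HostProfile:
    smb_targets: set = field(default_factory=set)   # distinct remote hosts hit on 445
    irc_peers: set = field(default_factory=set)     # distinct IRC servers contacted
    listens_ident: bool = False                     # has a TCP/113 listener


def parse_record(line):
    """Parse 'reporter proto local remote state' into a tuple, or None.

    Remote is '*:*' for listeners; its port is returned as None.
    """
    parts = line.split()
    if len(parts) != 5 or parts[1].lower() != "tcp":
        return None
    reporter, _proto, local, remote, state = parts
    lport = int(local.rsplit(":", 1)[1])
    rip, rport = remote.rsplit(":", 1)
    rport = int(rport) if rport.isdigit() else None
    return reporter, lport, rip, rport, state.upper()


def profile_hosts(lines):
    """Aggregate, per reporting host, the three behaviours from the post."""
    profiles = defaultdict(HostProfile)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue                     # skip blank, garbled or non-TCP lines
        reporter, lport, rip, rport, state = rec
        prof = profiles[reporter]
        if state == "LISTEN" and lport == IDENT_PORT:
            prof.listens_ident = True
        elif state in ("SYN_SENT", "ESTABLISHED") and rport == SMB_PORT:
            prof.smb_targets.add(rip)    # outbound SMB only; inbound 445 is a file server
        elif state == "ESTABLISHED" and rport in IRC_PORTS:
            prof.irc_peers.add(rip)
    return profiles


def suspect_hosts(lines, smb_fanout=5):
    """Return {host: [indicators]} for hosts that match the worm's profile.

    Outbound SMB fan-out is mandatory: an IRC client plus an identd on 113
    is an ordinary Unix desktop and would otherwise be a false positive.
    """
    hits = {}
    for host, prof in profile_hosts(lines).items():
        if len(prof.smb_targets) < smb_fanout:
            continue
        indicators = [f"smb_fanout={len(prof.smb_targets)}"]
        if prof.irc_peers:
            indicators.append("irc")
        if prof.listens_ident:
            indicators.append("listen_113")
        if len(indicators) >= 2:
            hits[host] = indicators
    return hits


# Constructed sample records (reporter proto local remote state); not real data.
SAMPLE_RECORDS = [
    # 10.0.0.7: sweeping the subnet on 445, on IRC, listening on 113
    *[f"10.0.0.7 tcp 10.0.0.7:{1030 + i} 10.0.0.{20 + i}:445 SYN_SENT" for i in range(6)],
    "10.0.0.7 tcp 10.0.0.7:1051 198.51.100.9:6667 ESTABLISHED",
    "10.0.0.7 tcp 0.0.0.0:113 *:* LISTEN",
    # 10.0.0.3: a file server with many inbound 445 connections, no outbound
    *[f"10.0.0.3 tcp 10.0.0.3:445 10.0.0.{40 + i}:{2000 + i} ESTABLISHED" for i in range(8)],
    # 10.0.0.5: developer box running an IRC client and identd; benign
    "10.0.0.5 tcp 10.0.0.5:3322 198.51.100.9:6667 ESTABLISHED",
    "10.0.0.5 tcp 0.0.0.0:113 *:* LISTEN",
    # junk line the parser must skip
    "udp garbage",
]

if __name__ == "__main__":
    for host, why in suspect_hosts(SAMPLE_RECORDS).items():
        print(host, ", ".join(why))
```

Only 10.0.0.7 is reported; the file server (inbound 445 only) and the IRC-plus-identd desktop are deliberately left alone, which is the main point of requiring the SMB fan-out rather than any two of the three signs. Tune `smb_fanout` to the normal outbound SMB behaviour of the segment before relying on it.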
Current thread:
- Possible new Korgo variant. WAS: New SDBot variant Christopher Harrington (Aug 10)
- Re: Possible new Korgo variant. WAS: New SDBot variant Nick FitzGerald (Aug 11)
- Re: Possible new Korgo variant. WAS: New SDBot variant insecure (Aug 11)
- <Possible follow-ups>
- RE: Possible new Korgo variant. WAS: New SDBot variant Christopher Harrington (Aug 11)
- RE: Possible new Korgo variant. WAS: New SDBot variant Eric Yehle (Aug 11)
- Re: Possible new Korgo variant. WAS: New SDBot variant Nick FitzGerald (Aug 11)