Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

RE: New Worm Discovery - Potential Korgo Variant

From: "Michael Young" <mikeyoung () milestechnologies com>
Date: Thu, 24 Jun 2004 10:14:19 -0400
The worm clearly exploits the LSASS overflow and is not spreading through
the FTP dameon left by Sasser.

-----Original Message-----
From: Cedric Blancher [mailto:blancher () cartel-securite fr] 
Sent: Thursday, June 24, 2004 10:04 AM
To: Michael Young
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] New Worm Discovery - Potential Korgo Variant

Le jeu 24/06/2004 à 14:57, Michael Young a écrit :

Yesterday a large client of ours was taken down by what appears to be
a Korgo variant, but I have been unable to locate any information on
this worm.  From what we have discovered, the main process is
‘VDisp.exe’.  It is spreading through unpatched systems vulnerable to
the LSASS exploit, and propagates itself through a serious of randomly
chosen ports.


Korgo exploits a buffer overflow within FTP daemon installed by Sasser.
That would mean your client systems were previously infected by
Sasser...

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: