Full Disclosure mailing list archives

Re: New Worm Discovery - Potential Korgo Variant

From: Oliver Heinz <h1o () arago de>
Date: Thu, 24 Jun 2004 17:14:55 +0200

Hello,

we also came across a system with a variant of Korgo/Padobot that was NOT
infected with sasser before!
Infection possibly took place via HTTP, a file containing the virus was
found in the temporary internet files.
Looks like this new padobot is also able to spread via Internet Expolrer
vulnerabilities .

Regards, Oliver Heinz

  -------------------------------------------------------------------------
 | arago,                     |  Oliver Heinz                              |
 | Institut fuer komplexes    |  Bereichsleiter Systembetrieb & Security   |
 | Datenmanagement AG         |  eMail: heinz () arago de                     |
 | Am Niddatal 3              |                                            |
 | 60488 Frankfurt am Main    |  http://www.arago.de/                      |
 | Tel: +49-69-40568-401      |  PGP-Fingerprint: a5de d4b4 46b3 4d8b 2646 |
 | Fax: +49-69-40568-111      |                   d4d0 e5fd d842 cc4e 7315 |
  -------------------------------------------------------------------------

  Testen Sie jetzt Ihre IT-Sicherheit: http://portscan.netlimes.de/

On Thu, 24 Jun 2004, Cedric Blancher wrote:

Date: Thu, 24 Jun 2004 16:03:47 +0200
From: Cedric Blancher <blancher () cartel-securite fr>
To: Michael Young <mikeyoung () milestechnologies com>
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] New Worm Discovery - Potential Korgo
    Variant

Le jeu 24/06/2004 Ã  14:57, Michael Young a Ã©crit :

Yesterday a large client of ours was taken down by what appears to be
a Korgo variant, but I have been unable to locate any information on
this worm.  From what we have discovered, the main process is
âVDisp.exeâ.  It is spreading through unpatched systems vulnerable to
the LSASS exploit, and propagates itself through a serious of randomly
chosen ports.


Korgo exploits a buffer overflow within FTP daemon installed by Sasser.
That would mean your client systems were previously infected by
Sasser...

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

New Worm Discovery - Potential Korgo Variant Michael Young (Jun 24)
- RE: New Worm Discovery - Potential Korgo Variant Heather M. Guse Bryan (Jun 24)
- Re: New Worm Discovery - Potential Korgo Variant Cedric Blancher (Jun 24)
  - RE: New Worm Discovery - Potential Korgo Variant Michael Young (Jun 24)
    - RE: New Worm Discovery - Potential Korgo Variant Cedric Blancher (Jun 24)
  - Re: New Worm Discovery - Potential Korgo Variant Oliver Heinz (Jun 24)
- Re: New Worm Discovery - Potential Korgo Variant joe smith (Jun 24)
- Re: New Worm Discovery - Potential Korgo Variant Aditya, ALD [ Aditya Lalit Deshmukh ] (Jun 24)
- <Possible follow-ups>
- RE: New Worm Discovery - Potential Korgo Variant Michael Young (Jun 24)
  - RE: MCAFEE E-MAIL SCAN ALERT!~RE: [FULL-DISCLOSURE] NEW WORM DISCOVERY - POTENTIAL KORGO VARIANT Chontzopoulos Dimitris (Jun 24)
    - SV: MCAFEE E-MAIL SCAN ALERT!~RE: [FULL-DISCLOSURE] NEW WORM DISCOVERY - POTENTIAL KORGO VARIANT Peter Kruse (Jun 24)
- Re: New Worm Discovery - Potential Korgo Variant Helmut Hauser (Jun 24)