Full Disclosure mailing list archives

Re: New Worm Discovery - Potential Korgo Variant

From: "Helmut Hauser" <helmut.hauser () intraplan de>
Date: Thu, 24 Jun 2004 20:01:04 +0200

In my opinion
this is an unknown Agobot variant [as told from NAI]

TrendMicro calls it:
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=DOS_AGOBOT%2EGEN
(it changes the host file)
It is packed with one of the latest PECompact.

Put itself in the usual suspect run keys + services as Display Driver
VDisp.exe

Run autoruns from www.sysinternals.com, there are the entries for startup

Would it never stop ?

The author of agobot was (thankfully) arrested, but the source is in the
wild
and some script kiddies are still there :(

Helmut Hauser

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

RE: New Worm Discovery - Potential Korgo Variant, (continued)
- RE: New Worm Discovery - Potential Korgo Variant Heather M. Guse Bryan (Jun 24)
- Re: New Worm Discovery - Potential Korgo Variant Cedric Blancher (Jun 24)
  - RE: New Worm Discovery - Potential Korgo Variant Michael Young (Jun 24)
    - RE: New Worm Discovery - Potential Korgo Variant Cedric Blancher (Jun 24)
  - Re: New Worm Discovery - Potential Korgo Variant Oliver Heinz (Jun 24)
- Re: New Worm Discovery - Potential Korgo Variant joe smith (Jun 24)
- Re: New Worm Discovery - Potential Korgo Variant Aditya, ALD [ Aditya Lalit Deshmukh ] (Jun 24)
- RE: New Worm Discovery - Potential Korgo Variant Michael Young (Jun 24)
  - RE: MCAFEE E-MAIL SCAN ALERT!~RE: [FULL-DISCLOSURE] NEW WORM DISCOVERY - POTENTIAL KORGO VARIANT Chontzopoulos Dimitris (Jun 24)
    - SV: MCAFEE E-MAIL SCAN ALERT!~RE: [FULL-DISCLOSURE] NEW WORM DISCOVERY - POTENTIAL KORGO VARIANT Peter Kruse (Jun 24)
- Re: New Worm Discovery - Potential Korgo Variant Helmut Hauser (Jun 24)