Re: New Worm Discovery - Potential Korgo Variant

["Aditya, ALD [ Aditya Lalit Deshmukh ]" <aditya.deshmukh () online gateway technolabs net>]

  Yesterday a large client of ours was taken down by what appears to be a Korgo variant, but I have been unable to 
locate any information on this worm.  From what we have discovered, the main process is 'VDisp.exe'.  It is spreading 
through unpatched systems vulnerable to the LSASS exploit, and propagates itself through a serious of randomly chosen 
ports.  The worm creates randomly generated services that initialize the process, and also creates a registry entry in 
RunServices and Run to load.  I am anxious to hear any feedback anyone has regarding this issue as we are still 
attempting to reduce network traffic and alleviate any remaining issues.  I have attached a copy of the executable 
(rename to .exe).









  Where is the .exe file ? if possible write a snort sig for this to isolate which machines are infected and patch them 
! for the services if you find any unfamiliar services simply stop them and set the autostart to disables also make a 
script like this and just run it from the login script and have that script run on all the machies also if possible put 
the patch in this script also. 



  -Aditya