
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-06-02


Port 113 - Korgo worm variants

Published: 2004-06-02
Last Updated: 2004-06-03 00:00:49 UTC
by Pedro Bueno (Version: 1)

Korgo worm variant

A few days ago we received reports of probes for port 113.
Today Symantec upgraded the Korgo.F variant from Category 2 to Category 3, "due to an increased rate of submissions".

This worm/bot variant exploits the Microsoft Windows LSASS Buffer Overrun Vulnerability (MS04-011). According to Symantec it also listens on ports 113 and 3067, as well as on other random ports.

The F-Secure weblog reports on a .G variant.

When active, the worm tries to connect to the following IRC servers on port 6667:

irc.kar.net
gaspode.zanet.org.za
lia.zanet.net
irc.tsk.ru
london.uk.eu.undernet.org
washington.dc.us.undernet.org
los-angeles.ca.us.undernet.org
brussels.be.eu.undernet.org
caen.fr.eu.undernet.org
flanders.be.eu.undernet.org
graz.at.eu.undernet.org
gaz-prom.ru
moscow-advokat.ru

It then joins the #waffen-ss channel, creating a bot with a random nickname.
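The indicators above (inbound probes to 113/3067, outbound IRC to the listed servers on 6667) are easy to turn into a log check. The following is an added example for this diary, not code from the ISC or from Symantec/F-Secure: it parses a constructed, generic firewall log format (an assumption, not any vendor's), flags internal hosts that contact a listed Korgo IRC server, notes any other outbound IRC as a weak signal, and records inbound probes and accepted connections on the worm's listener ports. The 10.0.0.0/8 internal range and every address in the sample log are made up for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Indicators from the diary: the worm listens on TCP 113 and 3067 on the
# infected host and connects outbound to these IRC servers on TCP 6667.
KORGO_LISTEN_PORTS = {113, 3067}
IRC_PORT = 6667
KORGO_IRC_SERVERS = {
    "irc.kar.net", "gaspode.zanet.org.za", "lia.zanet.net", "irc.tsk.ru",
    "london.uk.eu.undernet.org", "washington.dc.us.undernet.org",
    "los-angeles.ca.us.undernet.org", "brussels.be.eu.undernet.org",
    "caen.fr.eu.undernet.org", "flanders.be.eu.undernet.org",
    "graz.at.eu.undernet.org", "gaz-prom.ru", "moscow-advokat.ru",
}

# Assumption: the local network is 10.0.0.0/8; adjust for your site.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed generic log format (an assumption, not a real product's):
#   <timestamp> <ALLOW|DENY> proto=<tcp|udp> src=<ip>:<port> dst=<host-or-ip>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[^:\s]+):(?P<sport>\d+)\s+dst=(?P<dst>[^:\s]+):(?P<dport>\d+)$"
)


def is_internal(host):
    """True if host is an IP inside INTERNAL_NETS; hostnames count as external."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["proto"] = rec["proto"].lower()
    return rec


def classify(rec):
    """Return a list of (host, label) findings for one connection record."""
    findings = []
    if rec["proto"] != "tcp":
        return findings
    src, dst = rec["src"], rec["dst"]
    # Outbound IRC to a server the worm is known to use: strong signal.
    if rec["dport"] == IRC_PORT and dst.lower() in KORGO_IRC_SERVERS:
        findings.append((src, "korgo-irc-c2"))
    # Any other outbound IRC from an internal host: weak signal, worth a look.
    elif rec["dport"] == IRC_PORT and is_internal(src) and not is_internal(dst):
        findings.append((src, "outbound-irc"))
    # Inbound traffic from outside to the listener ports the worm opens.
    if rec["dport"] in KORGO_LISTEN_PORTS and is_internal(dst) and not is_internal(src):
        findings.append((src, "korgo-port-probe"))
        if rec["action"] == "ALLOW":
            # The internal host accepted on 113/3067: something is listening there.
            findings.append((dst, "korgo-listener-accept"))
    return findings


def scan(lines):
    """Map each host to the set of finding labels seen for it across the log."""
    results = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for host, label in classify(rec):
            results.setdefault(host, set()).add(label)
    return results


def likely_infected(results):
    """Hosts that reached a known Korgo IRC server, or both talk IRC and accept on 113/3067."""
    hosts = []
    for host, labels in results.items():
        if "korgo-irc-c2" in labels or {"outbound-irc", "korgo-listener-accept"} <= labels:
            hosts.append(host)
    return sorted(hosts)


# Constructed sample log lines; addresses and timestamps are made up.
SAMPLE_LOG = """\
2004-06-02T10:01:05Z ALLOW proto=tcp src=10.1.2.3:1045 dst=irc.kar.net:6667
2004-06-02T10:01:09Z ALLOW proto=tcp src=10.1.2.3:1046 dst=london.uk.eu.undernet.org:6667
2004-06-02T10:02:11Z ALLOW proto=tcp src=198.51.100.7:3321 dst=10.1.2.3:113
2004-06-02T10:02:12Z DENY proto=tcp src=198.51.100.7:3322 dst=10.1.2.9:113
2004-06-02T10:03:00Z ALLOW proto=tcp src=10.1.2.50:1100 dst=irc.example.net:6667
2004-06-02T10:03:30Z ALLOW proto=tcp src=10.1.2.60:1101 dst=203.0.113.5:443
2004-06-02T10:04:00Z ALLOW proto=udp src=10.1.2.60:5353 dst=224.0.0.251:5353
this line is deliberately malformed and is skipped
""".splitlines()

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for host in sorted(found):
        print(host, sorted(found[host]))
    print("likely infected:", likely_infected(found))
```

A denied inbound connection to 113 only tells you someone is scanning for infected hosts; an allowed one on a host that should not be running an ident daemon is the signal to investigate, and a host that also opens IRC sessions to one of the listed servers is the one to pull off the network first.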
References:
http://www.sarc.com/avcenter/venc/data/w32.korgo.f.html
http://www.europe.f-secure.com/v-descs/korgo_g.shtml
-----------------------------------------------

Handler on duty: Pedro Bueno (bueno_AT_ieee.org)