Korgo worm variant

Some days ago we received some reports about probes for port 113. Today Symantec upgraded the Korgo .F variant from a Category 2 to Category 3, "due to an increased rate of submissions".

This worm bot variant exploits the Microsoft Windows LSASS Buffer Overrun Vulnerability (MS04-011). According to Symantec, it also listens on ports 113, 3067 and other random ports. The F-Secure Weblog reports a .G version.

When active, the worm tries to connect to a set of IRC servers on port 6667 and joins the #waffen-ss channel to create a bot with a random name.

References:
http://www.sarc.com/avcenter/venc/data/w32.korgo.f.html
http://www.europe.f-secure.com/v-descs/korgo_g.shtml

-----------------------------------------------
Handler on duty: Pedro Bueno (bueno_AT_ieee.org)
Pedro, ISC Handler, Jun 3rd 2004
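The behaviour described in the diary (a listener on ports 113 or 3067, plus outbound IRC on port 6667) can be correlated per host in flow logs. The following is an added example, not part of the original diary: the log format, the addresses, and the function name `korgo_suspects` are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Ports taken from the diary text above.
LISTEN_PORTS = {113, 3067}   # ports the worm is reported to listen on
IRC_PORT = 6667              # port used for the outbound IRC connections

# Constructed sample flow records: time src sport dst dport proto action
SAMPLE_LOG = """\
2004-06-03T10:00:01 198.51.100.7 4312 10.0.0.15 113 tcp ACCEPT
2004-06-03T10:00:09 10.0.0.15 1045 203.0.113.20 6667 tcp ACCEPT
2004-06-03T10:01:30 198.51.100.9 2201 10.0.0.22 3067 tcp DROP
2004-06-03T10:02:11 10.0.0.40 1099 203.0.113.21 6667 tcp ACCEPT
2004-06-03T10:03:00 10.0.0.50 1200 203.0.113.80 80 tcp ACCEPT
malformed line
"""

def korgo_suspects(log_text, internal_net="10.0.0.0/8"):
    """Return {internal_host: severity} from whitespace-separated flow records."""
    net = ipaddress.ip_network(internal_net)
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip malformed records
        _, src, _, dst, dport, proto, action = fields
        if proto != "tcp" or action != "ACCEPT" or not dport.isdigit():
            continue  # a dropped probe says nothing about a listener
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        port = int(dport)
        if dst_ip in net and src_ip not in net and port in LISTEN_PORTS:
            seen[dst].add("listener")   # external host reached 113/3067 inside
        elif src_ip in net and dst_ip not in net and port == IRC_PORT:
            seen[src].add("irc")        # internal host talking IRC outbound
    # Both indicators on one host match the diary's description most closely.
    return {h: ("high" if i == {"listener", "irc"} else "low") for h, i in seen.items()}
```

A single indicator is only a weak signal, since port 113 is also the ident service and port 6667 carries ordinary IRC traffic; hosts rated "high" are the ones to check first for the MS04-011 patch.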