lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <000401c459f2$ac1e4880$6942a8c0@suntzu>
From: hbryan at dpntech.com (Heather M. Guse Bryan)
Subject: New Worm Discovery - Potential Korgo Variant

http://www.f-secure.com/weblog/
  -----Original Message-----
  From: Michael Young [mailto:mikeyoung@...estechnologies.com]
  Sent: Thursday, June 24, 2004 7:57 AM
  To: full-disclosure@...ts.netsys.com
  Subject: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant



  Yesterday a large client of ours was taken down by what appears to be a
Korgo variant, but I have been unable to locate any information on this
worm.  From what we have discovered, the main process is ?VDisp.exe?.  It is
spreading through unpatched systems vulnerable to the LSASS exploit, and
propagates itself through a serious of randomly chosen ports.  The worm
creates randomly generated services that initialize the process, and also
creates a registry entry in RunServices and Run to load.  I am anxious to
hear any feedback anyone has regarding this issue as we are still attempting
to reduce network traffic and alleviate any remaining issues.  I have
attached a copy of the executable (rename to .exe).



  Thank you,



  Michael Young

  IT Consultant

  Miles Technologies

  (800)-496-8001

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040624/209d0a68/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ