| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <001c01c45a65$60fb5fa0$0100007f@c5> From: aditya.deshmukh at online.gateway.technolabs.net (Aditya, ALD [ Aditya Lalit Deshmukh ]) Subject: New Worm Discovery - Potential Korgo Variant Yesterday a large client of ours was taken down by what appears to be a Korgo variant, but I have been unable to locate any information on this worm. From what we have discovered, the main process is 'VDisp.exe'. It is spreading through unpatched systems vulnerable to the LSASS exploit, and propagates itself through a serious of randomly chosen ports. The worm creates randomly generated services that initialize the process, and also creates a registry entry in RunServices and Run to load. I am anxious to hear any feedback anyone has regarding this issue as we are still attempting to reduce network traffic and alleviate any remaining issues. I have attached a copy of the executable (rename to .exe). Where is the .exe file ? if possible write a snort sig for this to isolate which machines are infected and patch them ! for the services if you find any unfamiliar services simply stop them and set the autostart to disables also make a script like this and just run it from the login script and have that script run on all the machies also if possible put the patch in this script also. -Aditya -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040625/d0021254/attachment.html
Powered by blists - more mailing lists