Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant
From: joe smith (joejoesmith.homeip.net)
Date: Thu Jun 24 2004 - 10:27:44 CDT
Kaspersky detects it as Backdoor.Agobot.gen. So another one of the many
other Agobot variants.
Michael Young wrote:
> Yesterday a large client of ours was taken down by what appears to be
> a Korgo variant, but I have been unable to locate any information on
> this worm. From what we have discovered, the main process is
> ‘VDisp.exe’. It is spreading through unpatched systems vulnerable to
> the LSASS exploit, and propagates itself through a series of randomly
> chosen ports. The worm creates randomly generated services that
> initialize the process, and also creates a registry entry in
> RunServices and Run to load. I am anxious to hear any feedback anyone
> has regarding this issue as we are still attempting to reduce network
> traffic and alleviate any remaining issues. I have attached a copy of
> the executable (rename to .exe).
> Thank you,
> Michael Young
> IT Consultant
> Miles Technologies
Full-Disclosure - We believe in it.
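
Added example, not part of either message in this thread: a triage check for the persistence described in the report (Run and RunServices entries plus randomly named services starting VDisp.exe). It assumes registry text in the layout printed by `reg query <key> /s`; the value names, service name, install path and `-service` argument in the sample are constructed.

```python
import re

# Indicator from the report above; sample data and paths below are constructed.
IMAGE_NAME = "vdisp.exe"

# Autostart keys named in the report, matched by suffix so any hive qualifies.
AUTORUN_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runservices",
)
VALUE_RE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
SERVICE_RE = re.compile(r"\\services\\[^\\]+$", re.IGNORECASE)


def find_persistence(reg_query_output, image_name=IMAGE_NAME):
    """Return (kind, key, value_name, data) for entries that launch image_name."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, _type, data = m.groups()
        if image_name.lower() not in data.lower():
            continue
        if key.lower().endswith(AUTORUN_SUFFIXES):
            hits.append(("autorun", key, name, data))
        # Service names are random, so match on ImagePath, not the key name.
        elif SERVICE_RE.search(key) and name.lower() == "imagepath":
            hits.append(("service", key, name, data))
    return hits


# Constructed sample in the layout printed by `reg query <key> /s`.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Video Display    REG_SZ    C:\WINDOWS\system32\VDisp.exe
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Video Display    REG_SZ    vdisp.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwxzrtpl
    ImagePath    REG_EXPAND_SZ    "C:\WINDOWS\system32\VDisp.exe" -service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\spoolsv.exe
"""

if __name__ == "__main__":
    for hit in find_persistence(SAMPLE):
        print(" | ".join(hit))
```

Matching services on ImagePath rather than on the service name is what lets the check survive the random naming described in the report.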