RE: Possible new Korgo variant. WAS: New SDBot variant

From: Eric Yehle (eyehle@technicalvelocity.com)
Date: Wed Aug 11 2004 - 11:34:35 CDT


Nick,

        Thanks for listing those sources.

Eric
Technical Velocity, LLC

-----Original Message-----
From: Christopher Harrington [mailto:charrington@nitrodata.com]
Sent: Wednesday, August 11, 2004 8:51 AM
To: incidents@securityfocus.com
Cc: nick@virus-l.demon.co.uk
Subject: RE: Possible new Korgo variant. WAS: New SDBot variant

Nick,

What makes you think that I did not submit it? Maybe you should ask if
I did without assuming I did not. For the record this was submitted
BEFORE I started my analysis and Trend has identified it as RBOT.GL.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL&VSect=T

I was just trying to give a heads up to anyone listening.

--Chris

-----Original Message-----
From: Nick FitzGerald [mailto:nick@virus-l.demon.co.uk]
Sent: Tuesday, August 10, 2004 8:48 PM
To: incidents@securityfocus.com
Subject: Re: Possible new Korgo variant. WAS: New SDBot variant

Christopher Harrington wrote:

> This appears to be a new Korgo variant based on the similarities in
> behaviors, not an SDbot.
>
> 1. It uses the LSASS vuln to spread.
> 2. It connects to IRC.
> 3. It listens on port 113.
>
> Stay tuned.....

Instead of just guessing and messing around with this by yourself, had
you considered sending it to major antivirus developers so they can get
detection of it out (if, in fact, it is widely unknown)??

To save you looking them up, here are the sample submission addresses of
the better-known AV developers. I'd suggest that you send the suspect
file(s) to several of these you consider trustworthy...

   Authentium (Command Antivirus) <virus@authentium.com>
   Computer Associates (US) <virus@ca.com>
   Computer Associates (Vet/EZ) <support@vet.com.au>
   DialogueScience (Dr. Web) <Antivir@dials.ru>
   Eset (NOD32) <sample@nod32.com>
   F-Secure Corp. <samples@f-secure.com>
   Frisk Software (F-PROT) <viruslab@f-prot.com>
   Grisoft (AVG) <virus@grisoft.cz>
   H+BEDV (AntiVir, Vexira engine) <virus@antivir.de>
   Kaspersky Labs <newvirus@kaspersky.com>
   Network Associates (McAfee) <virus_research@nai.com>
     (use a ZIP file with the password 'infected' without the quotes)
   Norman (NVC) <analysis@norman.no>
   Panda Software <labs@pandasoftware.com>
   Sophos Plc. <support@sophos.com>
   Symantec (Norton) <avsubmit@symantec.com>
   Trend Micro (PC-cillin) <virus_doctor@trendmicro.com>
     (Trend may only accept files from users of its products)

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
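The three behaviours quoted in Nick's reply (spreading via the LSASS hole, an IRC connection, a listener on port 113) are enough to triage connection data from hosts on a suspect network before anything is sent to the AV labs listed above. The following Python is an added example, not code from any poster on this thread; it assumes a constructed record format (host, protocol, local socket, remote socket, state) and assumes the usual ports for the two behaviours the thread does not pin down (TCP 445 for the LSASS exploit traffic, 6667 for IRC).

```python
from collections import defaultdict

# Added example, not from the thread. Assumed ports (not stated on the page): LSASS over TCP 445, IRC on 6667.
IDENT_PORT = 113          # stated in the thread: the worm listens on port 113
LSASS_PORT = 445
IRC_PORTS = {6667}

# Constructed sample in an assumed format: host proto local remote state
SAMPLE_RECORDS = """\
10.0.0.5 tcp 0.0.0.0:113 0.0.0.0:0 LISTEN
10.0.0.5 tcp 10.0.0.5:1034 192.0.2.20:6667 ESTABLISHED
10.0.0.5 tcp 10.0.0.5:1040 10.0.0.7:445 SYN_SENT
10.0.0.5 tcp 10.0.0.5:1041 10.0.0.8:445 SYN_SENT
10.0.0.5 tcp 10.0.0.5:1042 10.0.0.12:445 SYN_SENT
10.0.0.9 tcp 0.0.0.0:139 0.0.0.0:0 LISTEN
10.0.0.9 tcp 10.0.0.9:1100 10.0.0.1:445 ESTABLISHED
"""

def parse_record(line):
    """Split one record into (host, proto, local_ip, local_port, remote_ip, remote_port, state)."""
    host, proto, local, remote, state = line.split()
    lip, lport = local.rsplit(":", 1)
    rip, rport = remote.rsplit(":", 1)
    return host, proto, lip, int(lport), rip, int(rport), state

def assess(records, min_targets=3):
    """Per-host flags for the three behaviours listed in the thread."""
    listeners = defaultdict(set)    # host -> ports it listens on
    irc_clients = set()             # hosts with an established IRC session
    smb_targets = defaultdict(set)  # host -> distinct peers it contacted on 445
    for line in records.strip().splitlines():
        host, proto, _lip, lport, rip, rport, state = parse_record(line)
        if proto != "tcp":
            continue
        if state == "LISTEN":
            listeners[host].add(lport)
        elif rport in IRC_PORTS and state == "ESTABLISHED":
            irc_clients.add(host)
        elif rport == LSASS_PORT:
            smb_targets[host].add(rip)
    hosts = set(listeners) | irc_clients | set(smb_targets)
    # Fan-out to several peers on 445 is the spreading signature; one file server is not.
    return {h: {"ident_listener": IDENT_PORT in listeners[h],
                "irc_client": h in irc_clients,
                "smb_fanout": len(smb_targets[h]) >= min_targets} for h in hosts}

def suspects(records, min_targets=3):
    """Hosts showing all three indicators: isolate them and submit samples to the AV labs."""
    return sorted(h for h, flags in assess(records, min_targets).items() if all(flags.values()))
```

On the constructed sample only 10.0.0.5 shows all three indicators; 10.0.0.9 talks to a single file server on 445 and is left alone.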