NEW KORGO VARIANT G COVERED BY MCAFEE


Post by msc hotline sat » 03 Jun 2004, 13:56

McAfee informs us today of a new variant of KORGO, the G variant, which we were already handling yesterday with ELILSA v1.7 after the latest update of that utility, although we kept identifying it as F because we had taken the naming from VSAntivirus; today McAfee detects it under a new letter, G:



McAfee's description:

__________________________________________





Virus Name: W32/Korgo.worm.g

Risk Assessment: Corporate User: Low / Home User: Low







Virus Information

Discovery Date: 06/02/2004

Origin: Unknown

Length: 10752

Type: Virus

SubType: Worm

Minimum DAT: 4365 (06/09/2004)

Updated DAT: 4365 (06/09/2004)

Minimum Engine: 4.2.40

Description Added: 06/02/2004

Description Modified: 06/02/2004 2:48 PM (PT)








Virus Characteristics:

The worm is detected as W32/Korgo.worm.gen with DAT 4364.



This self-executing worm spreads by exploiting a Microsoft Windows vulnerability:



MS04-011 vulnerability (CAN-2003-0533): http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

The worm spreads with a random filename and acts as a remote access server to allow an attacker to control the compromised system.






Symptoms

The worm copies itself to the WINDOWS SYSTEM directory (such as c:\windows\system32) using a random file name, and creates a registry run key to load automatically at system startup:



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"Disk Defragmenter" = C:\WINDOWS\System32\[random name].exe

An additional marker key is created:



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless

The worm injects thread code into the Windows Explorer process. The thread in explorer.exe listens on TCP ports 113, 3067 and other random ports. It attempts to connect to the following IRC servers on TCP port 6667:



gaspode.zanet.org.za

lia.zanet.net

london.uk.eu.undernet.org

washington.dc.us.undernet.org

los-angeles.ca.us.undernet.org

brussels.be.eu.undernet.org

caen.fr.eu.undernet.org

flanders.be.eu.undernet.org

graz.at.eu.undernet.org

moscow-advokat.ru

irc.tsk.ru

gaz-prom.ru






Method Of Infection

This worm exploits vulnerable Microsoft Windows systems. The worm scans random IP addresses, sending SYN packets on TCP port 445 to identify potential victims. Exploit code is then sent to the host to overflow a buffer in LSASS.EXE and execute the virus on the victim system.



__________________________________________



To remove it, together with all the others that get in through the LSASS vulnerability, use ELILSA.EXE:



https://foros.zonavirus.com/viewtopic.php?t=737



regards



ms, 3-06-2004
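Host-side triage for the indicators quoted above, as an added example that is not part of the original post or of McAfee's description. It assumes Windows PowerShell 5.1 or later (for Get-NetTCPConnection); the function name Test-KorgoIndicators is the example's own. It inspects the Run key value, the marker key, explorer.exe's listening and established TCP connections, and System32 for an .exe of the reported length, and reports matches without changing anything:

```powershell
# Added example (not from the original post or from McAfee): read-only triage for the
# W32/Korgo.worm.g indicators in the description above. Reports findings, removes nothing.
# Assumes Windows PowerShell 5.1+ with the NetTCPIP module (Get-NetTCPConnection).

function Test-KorgoIndicators {
    [CmdletBinding()]
    param()

    $findings = @()
    $system32 = [Environment]::GetFolderPath('System')   # e.g. C:\WINDOWS\System32

    # 1. Run value "Disk Defragmenter" pointing at an .exe inside System32.
    #    Windows does not register the real defragmenter under this name; an arbitrary
    #    System32 .exe behind it is the persistence pattern the description gives.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Disk Defragmenter']) {
        $target = ([string]$run.'Disk Defragmenter').Trim().Trim('"')
        if ($target -match '\.exe$' -and $target -like "$system32\*") {
            $findings += [pscustomobject]@{
                Indicator = 'Run value "Disk Defragmenter"'
                Detail    = $target
            }
        }
    }

    # 2. Marker key the worm creates.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Wireless') {
        $findings += [pscustomobject]@{
            Indicator = 'Marker key HKLM\SOFTWARE\Microsoft\Wireless'
            Detail    = 'present'
        }
    }

    # 3. explorer.exe listening on TCP 113 or 3067 (the injected thread's backdoor ports).
    #    The description also mentions random ports, so a clean result here is not proof of absence.
    $explorerPids = @(Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object Id)
    if ($explorerPids.Count -gt 0) {
        $listening = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
            Where-Object { $_.OwningProcess -in $explorerPids -and $_.LocalPort -in 113, 3067 })
        foreach ($c in $listening) {
            $findings += [pscustomobject]@{
                Indicator = 'explorer.exe listening on backdoor port'
                Detail    = "TCP $($c.LocalPort) (PID $($c.OwningProcess))"
            }
        }

        # 4. explorer.exe holding an established connection to TCP 6667 (the IRC channel).
        $irc = @(Get-NetTCPConnection -State Established -RemotePort 6667 -ErrorAction SilentlyContinue |
            Where-Object { $_.OwningProcess -in $explorerPids })
        foreach ($c in $irc) {
            $findings += [pscustomobject]@{
                Indicator = 'explorer.exe connected to IRC (TCP 6667)'
                Detail    = "$($c.RemoteAddress):$($c.RemotePort) (PID $($c.OwningProcess))"
            }
        }
    }

    # 5. Any .exe in System32 with the reported length of 10752 bytes. Size alone is a weak
    #    signal (benign files can match), so treat a hit as a lead for AV scanning, not a verdict.
    $sized = @(Get-ChildItem -Path $system32 -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq 10752 })
    foreach ($f in $sized) {
        $findings += [pscustomobject]@{
            Indicator = 'System32 .exe of reported length 10752'
            Detail    = $f.FullName
        }
    }

    return $findings
}

# Usage: run from an elevated prompt; an empty table means none of the indicators were seen.
Test-KorgoIndicators | Format-Table -AutoSize
```

Run it from an elevated prompt, since the Run key and other processes' connections need administrative rights to read fully. On the network side, DNS queries for the IRC server names listed in the description and outbound SYN bursts to TCP 445 from one workstation are the complementary signals to look for in resolver and firewall logs.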
