NEW KORGO VARIANT (P) ALREADY CONTROLLED BY ELILSA.EXE


Post by msc hotline sat » 18 Jun 2004, 15:48

Exploiting the LSASS vulnerability just like its earlier variants, the new variant P of Korgo is already controlled by the current version of ELILSA.EXE.

Its description according to McAfee is as follows:

__________________________________________



Virus Name: W32/Korgo.worm.p
Risk Assessment: Corporate User: Low; Home User: Low

Virus Information

Discovery Date: 06/18/2004
Origin: Unknown
Length: 9,343 Bytes
Type: Virus
SubType: Worm
Minimum DAT: 4368 (06/23/2004)
Updated DAT: 4368 (06/23/2004)
Minimum Engine: 4.2.40
Description Added: 06/17/2004
Description Modified: 06/18/2004 3:47 AM (PT)


Virus Characteristics:

This self-executing worm spreads by exploiting a Microsoft Windows vulnerability:



MS04-011 vulnerability (CAN-2003-0533)
http://www.microsoft.com/en/us/default.aspxtechnet/security/bulletin/MS04-011.mspx

The worm spreads with a random filename and acts as a remote access server to allow an attacker to control the compromised system.


Symptoms

The worm copies itself to the WINDOWS SYSTEM directory (such as c:\windows\system32) using a random file name, and creates a registry run key to load automatically at system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Windows Update" = C:\WINDOWS\System32\[random name].exe

An additional marker key is created:



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless

The worm is stealthy by nature and hides itself as a thread in Windows explorer.exe. Therefore its process cannot be viewed in the Process list of Task Manager.



The worm attempts to make a connection to a list of URLs on port 80. The connections are random and intermittent. Some of the targeted URLs are:

citi-bank.ru, kidos-bank.ru, color-bank.ru, asechka.ru, goldensand.ru, adult-empire.com, http://www.redline.ru




Method Of Infection

This worm exploits vulnerable Microsoft Windows systems. The worm scans IP addresses in the class A or class B subnets as well as random IP addresses, sending SYN packets on TCP port 445 to identify potential victims. Exploit code is then sent to the host to overflow a buffer in LSASS.EXE and execute the virus on the victim system.



Aliases

Name

W32/Korgo.L (Symantec)

W32/Korgo.N.worm (Panda)

Worm.Win32.Padobot.g (Kaspersky)



__________________________________________



To access ELILSA:



https://foros.zonavirus.com/viewtopic.php?t=737



regards



ms, 18-06-2004
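As an added defender-side example, not part of the original post or of McAfee's description: a Python check over a Windows registry export (.reg text) for the two persistence indicators listed under Symptoms, the Run value named "Windows Update" pointing at an .exe in System32 and the marker key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless. The sample export, the tray.exe entry and the file name xkqwe.exe are constructed placeholders.

```python
import re

# Constructed sample of a .reg export (reg export HKLM\SOFTWARE\Microsoft ...); not a real capture.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayTool"="C:\\Program Files\\Example\\tray.exe"
"Windows Update"="C:\\WINDOWS\\System32\\xkqwe.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless]
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless"


def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg export text (string values only)."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]*)"=(.*)', line)
            if m:
                name, data = m.group(1), m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    # .reg files double every backslash inside string data
                    data = data[1:-1].replace("\\\\", "\\")
                keys[current][name] = data
    return keys


def korgo_indicators(text):
    """List findings matching the Korgo.P persistence artefacts from the McAfee description."""
    keys = parse_reg(text)
    findings = []
    data = keys.get(RUN_KEY, {}).get("Windows Update")
    # Windows Update is never started from a Run value; Korgo.P registers a random .exe in System32 under that name.
    if data and re.fullmatch(r"(?i)c:\\windows\\system32\\[^\\]+\.exe", data):
        findings.append(f"Run value 'Windows Update' -> {data}")
    if MARKER_KEY in keys:
        findings.append(f"marker key present: {MARKER_KEY}")
    return findings


if __name__ == "__main__":
    for f in korgo_indicators(SAMPLE_REG):
        print("KORGO.P indicator:", f)
```

Both indicators are also what ELILSA-style cleanup has to undo; the hidden thread inside explorer.exe is not visible in this export, so an empty result is no proof of a clean host.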
