Question on Korgo and Worm

Discussion in 'Virus Information' started by Rex, Jun 20, 2004.

  1. Rex

    Rex Guest

    Dear Expert,

    I have a question about the Korgo and worm.
    Last week my computer was attacked by Korgo, which exploits the LSASS
    vulnerability. It made my computer restart. My computer had AV software
    installed with the latest virus definitions.
    According to TrendMicro and McAfee, Korgo has the following symptoms:
    1. Creates some files under the system directory
    2. Creates an entry in the registry
    3. Opens some ports
    4. Broadcasts and attacks other computers
    5. Restarts the computer after 60s
    6. Prevents the user from shutting down or restarting the computer

    But my computer only has symptoms 5 and 6. After checking the registry and
    system folder, I cannot find anything abnormal.
    I used the AV software to scan my computer; it cannot find any virus.

    I have some questions.

    1. Is it normal ?
    2. Why I cannot scan the virus using AV software?
    3. Why it just restart ?
    4. Why it haven't change the registry ?
    5. Where can I get the technical virus information? e.g. virus source code,
    virus attack packet ?

    Thank you very much
    Rex
     
    Rex, Jun 20, 2004
    #1

  2. Jason Wade

    Jason Wade Guest

    First, if you're on WinXP, enable your firewall:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;283673

    If not, get one of the alternative firewalls:
    http://www.zonelabs.com/store/content/home.jsp
    http://www.kerio.com/kpf_home.html
    http://smb.sygate.com/products/spf/spf_ov.htm

    Many viruses, spyware and trojans prevent you from running AV software.
    See if you can get to these websites to do online virus scans:
    http://www.bitdefender.com/scan/license.php
    http://www.ravantivirus.com/scan/
    http://www.pandasoftware.com/activescan/
    http://housecall.trendmicro.com/
    http://us.mcafee.com/root/mfs/default.asp
    http://www.kaspersky.com/remoteviruschk.html

    Read Andrew Carpenter's FAQ in this newsgroup and check out
    these web sites to get all your questions answered:

    Windows XP: Surviving the First Day:
    http://www.sans.org/rr/papers/index.php?id=1298

    CERT/CC: Tech Tip: Before You Connect a New Computer to the Internet
    http://www.cert.org/tech_tips/before_you_plug_in.html


    good luck
     
    Jason Wade, Jun 20, 2004
    #2

  3. Obtain McAfee's virus and worm removal tool, Stinger: http://vil.nai.com/vil/stinger/

    1) If you are using WinME or WinXP, disable System Restore
    http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
    2) Reboot your PC into Safe Mode
    3) Using McAfee Stinger, perform a Full Scan of your platform and clean/delete any
    infectors found
    4) Restart your PC and perform a "final" Full Scan of your platform
    5) If you are using WinME or WinXP, re-enable System Restore and re-apply any
    System Restore preferences (e.g. HD space to use, suggested 200 ~ 400MB),
    reboot your PC.
    6) If you are using WinME or WinXP, create a new Restore point
    7) Please report back your results

    As for your questions...
    | 1. Is it normal ?
    There is NO normality to viral infections.

    | 2. Why I cannot scan the virus using AV software?
    Because it shuts down the AV application.

    | 3. Why it just restart ?
    Because it loads from obscure locations in the Registry, etc.

    | 4. Why it haven't change the registry ?
    Is this English ?
    If you mean "Why doesn't it change the registry ?"
    There are multiple variants.
    W32/Korgo.worm.b
    W32/Korgo.worm.c
    W32/Korgo.worm.e
    W32/Korgo.worm.f
    W32/Korgo.worm.g
    W32/Korgo.worm.i
    W32/Korgo.worm.p

    | 5. Where can I get the technical virus information? e.g. virus source code,
    | virus attack packet ?
    You can get details from the AV libraries such as http://vil.nai.com/vil/advsearch.asp
    W32/Korgo.worm.c -- http://vil.nai.com/vil/content/v_125932.htm

    As for virus code - It is rude, Off Topic and improper to ask for virus source code in an
    Anti Virus News group!

    Dave




     
    David H. Lipman, Jun 20, 2004
    #3