Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Possible new Korgo variant. WAS: New SDBot variant

from [Nick FitzGerald] Network Security [Permanent Link]
Subject: Re: Possible new Korgo variant. WAS: New SDBot variant
Date: Wed, 11 Aug 2004 12:48:29 +1200 
Christopher Harrington wrote:


This appears to be a new Korgo variant based on the similarities in
behaviors, not an SDbot.

1. It uses the LSASS vuln to spread.
2. It connects to IRC.
3. It listens on port 113.

Stay tuned.....


Instead of just guessing and messing around with this by yourself, had 
you considered sending it to major antivirus developers so they can get 
detection of it out (if, in fact, it is widely unknown)??

To save you looking them up, here are the sample submission addresses 
of the better-known AV developers.  I'd suggest that you send the 
suspect file(s) to several of these you consider trustworthy...

   Authentium (Command Antivirus)  <virus@authentium.com>
   Computer Associates (US)        <virus@ca.com>
   Computer Associates (Vet/EZ)    <support@vet.com.au>
   DialogueScience (Dr. Web)       <Antivir@dials.ru>
   Eset (NOD32)                    <sample@nod32.com>
   F-Secure Corp.                  <samples@f-secure.com>
   Frisk Software (F-PROT)         <viruslab@f-prot.com>
   Grisoft (AVG)                   <virus@grisoft.cz>
   H+BEDV (AntiVir, Vexira engine) <virus@antivir.de>
   Kaspersky Labs                  <newvirus@kaspersky.com>
   Network Associates (McAfee)     <virus_research@nai.com>
     (use a ZIP file with the password 'infected' without the quotes)
   Norman (NVC)                    <analysis@norman.no>
   Panda Software                  <labs@pandasoftware.com>
   Sophos Plc.                     <support@sophos.com>
   Symantec (Norton)               <avsubmit@symantec.com>
   Trend Micro (PC-cillin)         <virus_doctor@trendmicro.com>
     (Trend may only accept files from users of its products)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Possible new Korgo variant. WAS: New SDBot variant, Christopher Harrington
Next by Date:  RE: Possible new Korgo variant. WAS: New SDBot variant, Christopher Harrington
Previous by Thread:  Possible new Korgo variant. WAS: New SDBot variant, Christopher Harrington
Next by Thread:  Re: Possible new Korgo variant. WAS: New SDBot variant, insecure
Indexes:  [Date] [Thread] [Top] [All Lists]