Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Possible new Korgo variant. WAS: New SDBot variant

from [Eric Yehle] Network Security [Permanent Link]
Subject: RE: Possible new Korgo variant. WAS: New SDBot variant
Date: Wed, 11 Aug 2004 11:34:35 -0500 
Nick,

        Thanks for listing those sources.

Eric
Technical Velocity, LLC 

-----Original Message-----
From: Christopher Harrington [mailto:charrington@nitrodata.com] 
Sent: Wednesday, August 11, 2004 8:51 AM
To: incidents@securityfocus.com
Cc: nick@virus-l.demon.co.uk
Subject: RE: Possible new Korgo variant. WAS: New SDBot variant

Nick,

What makes you think that I did not submit it?  Maybe you should ask if
I did without assuming I did not. For the record this was submitted
BEFORE I started my analysis and Trend has identified it as RBOT.GL.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBO
T.GL
&VSect=T

I was just trying to give a heads up to anyone listening.

--Chris

-----Original Message-----
From: Nick FitzGerald [mailto:nick@virus-l.demon.co.uk]
Sent: Tuesday, August 10, 2004 8:48 PM
To: incidents@securityfocus.com
Subject: Re: Possible new Korgo variant. WAS: New SDBot variant

Christopher Harrington wrote:


This appears to be a new Korgo variant based on the similarities in 
behaviors, not an SDbot.

1. It uses the LSASS vuln to spread.
2. It connects to IRC.
3. It listens on port 113.

Stay tuned.....


Instead of just guessing and messing around with this by yourself, had
you considered sending it to major antivirus developers so they can get
detection of it out (if, in fact, it is widely unknown)??

To save you looking them up, here are the sample submission addresses of
the better-known AV developers.  I'd suggest that you send the suspect
file(s) to several of these you consider trustworthy...

   Authentium (Command Antivirus)  <virus@authentium.com>
   Computer Associates (US)        <virus@ca.com>
   Computer Associates (Vet/EZ)    <support@vet.com.au>
   DialogueScience (Dr. Web)       <Antivir@dials.ru>
   Eset (NOD32)                    <sample@nod32.com>
   F-Secure Corp.                  <samples@f-secure.com>
   Frisk Software (F-PROT)         <viruslab@f-prot.com>
   Grisoft (AVG)                   <virus@grisoft.cz>
   H+BEDV (AntiVir, Vexira engine) <virus@antivir.de>
   Kaspersky Labs                  <newvirus@kaspersky.com>
   Network Associates (McAfee)     <virus_research@nai.com>
     (use a ZIP file with the password 'infected' without the quotes)
   Norman (NVC)                    <analysis@norman.no>
   Panda Software                  <labs@pandasoftware.com>
   Sophos Plc.                     <support@sophos.com>
   Symantec (Norton)               <avsubmit@symantec.com>
   Trend Micro (PC-cillin)         <virus_doctor@trendmicro.com>
     (Trend may only accept files from users of its products)


--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Possible new Korgo variant. WAS: New SDBot variant, Christopher Harrington
Next by Date:  Re: Possible new Korgo variant. WAS: New SDBot variant, insecure
Previous by Thread:  RE: Possible new Korgo variant. WAS: New SDBot variant, Christopher Harrington
Next by Thread:  Snort signatures for rxbot / rbot.gl, Christopher Harrington
Indexes:  [Date] [Thread] [Top] [All Lists]