Re: Possible new Korgo variant. WAS: New SDBot variant

Nick FitzGerald wrote:

> Christopher Harrington wrote:
>
>  
>
> > This appears to be a new Korgo variant based on the similarities in
> > behaviors, not an SDbot.
> >
> > 1. It uses the LSASS vuln to spread.
> > 2. It connects to IRC.
> > 3. It listens on port 113.
> >
> > Stay tuned.....
> >    
>
> Instead of just guessing and messing around with this by yourself, had 
> you considered sending it to major antivirus developers so they can get 
> detection of it out (if, in fact, it is widely unknown)??
>
> To save you looking them up, here are the sample submission addresses 
> of the better-known AV developers.  I'd suggest that you send the 
> suspect file(s) to several of these you consider trustworthy...
>
>   Authentium (Command Antivirus)  <virus@authentium.com>
>   Computer Associates (US)        <virus@ca.com>
>   Computer Associates (Vet/EZ)    <support@vet.com.au>
>   DialogueScience (Dr. Web)       <Antivir@dials.ru>
>   Eset (NOD32)                    <sample@nod32.com>
>   F-Secure Corp.                  <samples@f-secure.com>
>   Frisk Software (F-PROT)         <viruslab@f-prot.com>
>   Grisoft (AVG)                   <virus@grisoft.cz>
>   H+BEDV (AntiVir, Vexira engine) <virus@antivir.de>
>   Kaspersky Labs                  <newvirus@kaspersky.com>
>   Network Associates (McAfee)     <virus_research@nai.com>
>     (use a ZIP file with the password 'infected' without the quotes)
>   Norman (NVC)                    <analysis@norman.no>
>   Panda Software                  <labs@pandasoftware.com>
>   Sophos Plc.                     <support@sophos.com>
>   Symantec (Norton)               <avsubmit@symantec.com>
>   Trend Micro (PC-cillin)         <virus_doctor@trendmicro.com>
>     (Trend may only accept files from users of its products)
>
>
>  
Here's a bigger list, which you should be able to just copy paste into 
your email client. As Nick says, use a ZIP file with a password of 
"infected", and state this in your email. Several of these will 
automatically process your file and email you with the results. Some of 
the smaller ones will respond personally if the file is truly new or 
"interesting".

newvirus@kaspersky.com,  submit@diamondcs.com.au, 
heuristik@antivir.de,  support@nsclean.com,  virus_research@nai.com, 
submit@misec.net,  virus_submission@bitdefender.com, 
submit@lavahelp.com,  virus_doctor@trendmicro.com, 
esafe.virus@eAladdin.com,  virus@asw.cz,  cat@vsnl.com, 
virus_submission@centralcommand.com,  virus@commandcom.com, 
virus@cai.com,  ipevirus@vet.com.au,  Antivir@dials.ru, 
samples@nod32.com,  viruslab@complex.is,  samples@f-secure.com, 
submit@finjan.com,  virus@grisoft.cz,  hauri98@hauri.co.kr, 
analysis@norman.no,  virussamples@pandasoftware.com,  virsample@pspl.com, 
support@sophos.com,  avsubmit@symantec.com,  submit@emsisoft.com, 
submit@ewido.net

This list is the DSL Reports Security Forum malware submission list.

Another resource, to quickly find out if something is truly new, is 
www.virustotal.com. You can submit a file on their web site. It is then 
scanned with the latest signatures from twelve vendors, and they email 
you the results (usually within five minutes).