Title: The Korgo Virus Post by: Sippo on Wednesday, February 8, 2006, 11:23:22 Is pissing me off! :x
Can get through any up-to-date virus software and is a nightmare to remove! Be warned! :x
Title: The Korgo Virus Post by: STFCBird on Wednesday, February 8, 2006, 11:46:52 You should be more careful :wink:
Title: The Korgo Virus Post by: Simon Pieman on Wednesday, February 8, 2006, 13:47:05 Is this a new one then, because I thought Korgo was a couple of years old.
Title: The Korgo Virus Post by: Sippo on Wednesday, February 8, 2006, 15:37:31 I'm not too sure. It's new to me, and all my customers have reported it to me. I think there are different worms. The latest one is Korgo.U.
I've had to download/upgrade all sorts just to get rid of it.
Title: The Korgo Virus Post by: Spud on Wednesday, February 8, 2006, 15:56:31 I've heard that the companies that make the anti-virus programmes are the ones who create the viruses in the first place, as it keeps them in business.
Title: The Korgo Virus Post by: Simon Pieman on Wednesday, February 8, 2006, 15:58:28 The Korgo.U virus was reported in June 2004 so unless it's a newer one the rest of us should be OK (thank funk).
Title: The Korgo Virus Post by: McLovin on Wednesday, February 8, 2006, 16:06:19 Symptoms
The worm copies itself to the WINDOWS SYSTEM directory (such as c:\windows\system32) using a random file name, and creates a registry run key to load automatically at system startup:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Windows Update" = C:\WINDOWS\System32\[random name].exe

An additional marker key is created:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless

The worm is stealthy by nature and hides itself as a thread in the legitimate Windows EXPLORER.EXE process. Because of this, its process cannot be viewed in the process list using Task Manager.

The worm attempts to make a connection to a list of URLs on port 80. The connections are random and intermittent. Some of the targeted URLs are as follows:

    1cvv.ru, www.redline.ru, filesearch.ru, roboxchange.com, fethard.biz, asechka.ru, master-x.com, color-bank.ru, kavkaz.tv, crutop.nu, kidos-bank.ru, parex-bank.ru, adult-empire.com, konfiskat.org, citi-bank.ru, xware.cjb.ne, mazafaka.ru

The worm opens up ports on the infected machine, listening on 113 and 5111 (plus a random port as well).

Finally, the worm will remove certain Registry values from the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The following values are deleted:

    Windows Update
    MS Config v13
    avserve2.exe
    Update Service
    avserve.exe
    Windows Update Service
    WinUpdate
    SysTray
    Bot Loader
    System Restore Service
    Disk Defragmenter
    Windows Security Manager

Method of Infection

This worm exploits vulnerable Microsoft Windows systems. The worm scans IP addresses in the class A or class B subnets as well as random IP addresses, sending SYN packets on TCP port 445 to identify potential victims. Exploit code is then sent to the host to overflow a buffer in LSASS.EXE and execute the virus on the victim system.

Title: The Korgo Virus Post by: Sippo on Wednesday, February 8, 2006, 16:32:39 I downloaded the virus removal tool from:
http://support.microsoft.com/?kbid=890830
Then Symantec's update, then a security and Windows update and hopefully, touch wood, that has fixed it. There must be an easier/quicker way surely?
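McLovin's symptom list above gives a responder three host traits to check for: a Run value literally named "Windows Update" that loads a random executable from System32, the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless marker key, and listeners on TCP 113 and 5111. The Python triage script below is an added example, not code from this thread or from any vendor's removal tool; it parses a constructed `reg export` excerpt and a constructed `netstat -an` excerpt (both sample data, the file name ksqwrta.exe is made up) and reports which of those traits the host shows.

```python
import re

# Constructed "reg export" excerpt from a hypothetical infected host (sample data, not real).
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Windows Update"="C:\\WINDOWS\\System32\\ksqwrta.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless]
'''
# Constructed "netstat -an" excerpt from the same hypothetical host.
NETSTAT = '''
  TCP    0.0.0.0:113     0.0.0.0:0   LISTENING
  TCP    0.0.0.0:5111    0.0.0.0:0   LISTENING
  TCP    192.0.2.10:139  0.0.0.0:0   LISTENING
'''
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless"
KORGO_PORTS = {113, 5111}  # fixed listeners named in the post; the random third port is not knowable

def parse_reg_export(text):
    """Map each [key] in reg-export text to its {value_name: data} pairs."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := re.match(r'"([^"]*)"="(.*)"$', line)):
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
    return keys

def listening_ports(netstat_text):
    """Set of local TCP ports in LISTENING state from netstat -an output."""
    return {int(m.group(1)) for m in
            re.finditer(r"TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", netstat_text)}

def korgo_indicators(reg_text, netstat_text):
    """Return the Korgo traits from the post that this host exhibits (empty list = none)."""
    findings, keys = [], parse_reg_export(reg_text)
    lower_keys = {k.lower(): v for k, v in keys.items()}
    for name, data in lower_keys.get(RUN_KEY.lower(), {}).items():
        # Korgo's persistence value is named "Windows Update" and points at a random System32 .exe
        if name.lower() == "windows update" and re.search(r"\\system32\\[^\\]+\.exe$", data, re.I):
            findings.append(f"Run value '{name}' loads {data}")
    if MARKER_KEY.lower() in lower_keys:
        findings.append("marker key present: " + MARKER_KEY)
    hit = KORGO_PORTS & listening_ports(netstat_text)
    if hit:
        findings.append("listening on " + ", ".join(str(p) for p in sorted(hit)))
    return findings
```

Run `korgo_indicators(REG_EXPORT, NETSTAT)` to see the three findings for the sample host; feed it the real `reg export` and `netstat -an` output from a suspect machine to triage it.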