Yesterday a large client of ours
was taken down by what appears to be a Korgo variant, but I have been unable
to locate any information on this worm. From what we have discovered,
the main process is ‘VDisp.exe’. It is spreading through unpatched
systems vulnerable to the LSASS exploit, and propagates itself through a
series of randomly chosen ports. The worm creates randomly generated
services that initialize the process, and also creates a registry entry in
RunServices and Run to load. I am anxious to hear any feedback anyone
has regarding this issue as we are still attempting to reduce network traffic
and alleviate any remaining issues. I have attached a copy of the
executable (rename to .exe).

Where is the .exe file? If
possible, write a Snort sig for this to isolate which machines are infected and
patch them! For the services, if you find any unfamiliar services simply stop
them and set the autostart to disabled. Also make a script like this and just
run it from the login script, and have that script run on all the machines; also,
if possible, put the patch in this script.
-Aditya
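As an added illustration of the login-script triage Aditya suggests (this is not code from the thread), the PowerShell below checks a host for the indicators named in the original post: the VDisp.exe process, Run/RunServices entries that load it, and auto-start services that either point at it or are not on a known-good list. The service allow-list and log path are placeholder assumptions to be filled in from a known-clean build; the script is report-only unless run with -Remediate.

```powershell
param([switch]$Remediate)   # default is report-only; add -Remediate to stop/disable

# Indicators taken from the post above; everything else is a constructed assumption.
$Indicator = 'VDisp.exe'
$RunKeys   = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
# Placeholder allow-list: replace with the auto-start services of a known-clean image.
$KnownAuto = @('Dhcp', 'Dnscache', 'EventLog', 'LanmanServer', 'LanmanWorkstation', 'RpcSs')
$LogFile   = Join-Path $env:TEMP "korgo-triage-$($env:COMPUTERNAME).log"  # placeholder path

function Write-Finding([string]$Msg) {
    $Line = "$(Get-Date -Format s) $($env:COMPUTERNAME) $Msg"
    Add-Content -Path $LogFile -Value $Line
    Write-Output $Line
}

# 1. A running copy of the named process
Get-Process | Where-Object { $_.Path -and (Split-Path $_.Path -Leaf) -ieq $Indicator } | ForEach-Object {
    Write-Finding "PROCESS pid=$($_.Id) path=$($_.Path)"
    if ($Remediate) { Stop-Process -Id $_.Id -Force }
}

# 2. Run / RunServices values whose command line references the indicator
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($P in $Props.PSObject.Properties) {
        if ($P.Name -like 'PS*') { continue }            # skip PowerShell metadata properties
        if ("$($P.Value)" -match [regex]::Escape($Indicator)) {
            Write-Finding "REGISTRY $Key\$($P.Name) = $($P.Value)"
            if ($Remediate) { Remove-ItemProperty -Path $Key -Name $P.Name }
        }
    }
}

# 3. Auto-start services that point at the indicator, or that are not on the allow-list
Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
    $HitsIndicator = "$($_.PathName)" -match [regex]::Escape($Indicator)
    $Unknown       = $KnownAuto -notcontains $_.Name
    if ($HitsIndicator -or $Unknown) {
        $Tag = if ($HitsIndicator) { 'SERVICE-INDICATOR' } else { 'SERVICE-UNKNOWN' }
        Write-Finding "$Tag name=$($_.Name) path=$($_.PathName)"
        if ($Remediate -and $HitsIndicator) {            # only auto-disable confirmed hits
            Stop-Service -Name $_.Name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $_.Name -StartupType Disabled
        }
    }
}
```

Unknown auto-start services are logged but not touched, since a random service name alone is not proof of infection; review those entries by hand before disabling.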