W32.Korgo Worm

Shelly21

Diamond Member
May 28, 2002
4,111
1
0
I was getting ready to leave, got sucked in by the management to stay and help with the possible outbreak of Korgo worm here.

Geez, like I could do anything with 800 plus desktops infected....
 

Shelly21

Diamond Member
May 28, 2002
4,111
1
0
I don't know how that got past the firewall, you'd think never since just last week, I had to wait four days for the "bastards" at DMZ to open a hole from XXXX to a print server that I built.

I'm running Shavlik's scanner on 4 servers that they told me were infected. I'm kinda baffled since they are new patched 2K servers that we just put into production. And they're running Trend!
 

Shelly21

Diamond Member
May 28, 2002
4,111
1
0
Update, 800+ "desktops" are now infected. I'm still at work, the management wants us to "manually" patch and fix each desktop remotely. Geez, with 6 people at 5 minutes+ per desktop, I'll be here forever. :(

I'm trying to get Norton System Center to push it out, hopefully I won't be here until midnight or later.
 

m2kewl

Diamond Member
Oct 7, 2001
8,263
0
0
whew, good thing we patchlinked all wks and servers for that MS update

:D
 

Shelly21

Diamond Member
May 28, 2002
4,111
1
0
Reboot the workstation/server over and over again.

You don't even have time to patch it. You have to run a "stop reboot" and then patch it.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
How on Earth are you guys even infected? Korgo uses the same exploit as Sasser, so that should have been patched months ago.
 

Shelly21

Diamond Member
May 28, 2002
4,111
1
0
I have no clue. All of the servers that we are responsible for are fine. Because *I* was the one who patched them all months ago.

All the infected machines are desktops. Now, I don't understand why I'm still at work when this is obviously a desktop issue. But I'll make them pay. starting with my dinner.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
For 800+ desktops, it better be some nice filet mignon. :p
 

aircooled

Lifer
Oct 10, 2000
15,965
1
0
Unless your firewall is wide open and/or your machines are not patched up to date, you should be fine.
 

halik

Lifer
Oct 10, 2000
25,696
1
0
haha! that's what you get for not updating your machines...

what's the date of the patch btw? I don't think I've done any critical updates at work since Sasser
 

Shelly21

Diamond Member
May 28, 2002
4,111
1
0
They are "wrapping" ports now to prevent further infection.

I'm working with the site in Utah with 50+ desktops while eating "Lobster Cantonese". I fear I'll be here until tomorrow. I've been here since 8am and I'm tired and stinky.
 

Shelly21

Diamond Member
May 28, 2002
4,111
1
0
Originally posted by: halik
haha! that's what you get for not updating your machines...

what's the date of the patch btw? I don't think I've done any critical updates at work since Sasser

Well, like I said, I updated all my servers, I'm just here to clean up for the desktop support.

The patch in question is 4-011
 

Shelly21

Diamond Member
May 28, 2002
4,111
1
0
I do for my servers.

I think the desktop team uses SMS for desktop updates.

I'm still here, and I'm still on batch one of 26 desktops. 5-6 people just got sucked in by the management to work from home.
 

halik

Lifer
Oct 10, 2000
25,696
1
0
Originally posted by: Shelly21
I do for my servers.

I think the desktop team uses SMS for desktop updates.

I'm still here, and I'm still on batch one of 26 desktops. 5-6 people just got sucked in by the management to work from home.

heh you run windows on your servers? :) I guess you like the challenge and checking cert.org every 6 hours ....
 

Shelly21

Diamond Member
May 28, 2002
4,111
1
0
Er, we still have servers that were upgraded from Windows 3.51 to NT 4.0 running on Compaq 1500. (p150?)

However, it seems like this worm is only affecting desktops running XP.

I'm very tired right now, keeping my eyelids open with toothpicks. Maybe I'll order sushi for dinner tonight. I'm munching on D'aim candies right now and taking a break.
 

Sundog

Lifer
Nov 20, 2000
12,342
1
0
It is hitting workstations running Win2000 here. That is...those that are not up to date on updates.
 

Shelly21

Diamond Member
May 28, 2002
4,111
1
0
Sumbitch! The Korgo worm infected my laptop yesterday and I have the $#%^ing patch!!! Now I have to make sure my home network is not infected when I get home much much later. :(

The worm is using random ports to infect others so unless you have no ports open on your firewall, you're not safe.
 

GoingUp

Lifer
Jul 31, 2002
16,720
1
71
Originally posted by: Shelly21
Sumbitch! The Korgo worm infected my laptop yesterday and I have the $#%^ing patch!!! Now I have to make sure my home network is not infected when I get home much much later. :(

The worm is using random ports to infect others so unless you have no ports open on your firewall, you're not safe.

How'd it get to your laptop? How do you know it was infected?
 

Hoober

Diamond Member
Feb 9, 2001
4,395
41
91
Originally posted by: Gobadgrs
Originally posted by: Shelly21
Sumbitch! The Korgo worm infected my laptop yesterday and I have the $#%^ing patch!!! Now I have to make sure my home network is not infected when I get home much much later. :(

The worm is using random ports to infect others so unless you have no ports open on your firewall, you're not safe.

How'd it get to your laptop? How do you know it was infected?

From SARC:

W32.Korgo.E is a minor variant of W32.Korgo.D. This worm propagates by exploiting the LSASS vulnerability on TCP port 445 (as described in Microsoft Security Bulletin MS04-011). It also opens backdoors on TCP ports 113 and 3067.

So maybe you have a port open, Shelly? You shouldn't have gotten infected if you're patched and you have all your ports closed.
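The SARC description above gives a defender two cheap things to look for: a host listening on TCP 113 or 3067 (the backdoor ports), and a host opening connections to many different machines on TCP 445 in a short window (the propagation traffic). The following triage helper is an added example written for this page, not code from the thread, SARC or Symantec. The netstat-style output and the firewall flow lines it parses are constructed samples in the shape of `netstat -an` on Windows 2000/XP and a generic key=value connection log; the threshold of five distinct 445 targets is an assumed heuristic, not a published number.

```python
"""Triage helpers for the W32.Korgo pattern: backdoor listeners on TCP 113/3067
and fan-out to many hosts on TCP 445 (ports taken from the SARC writeup above).

All sample data in this file is constructed for the example.
"""
from collections import defaultdict

KORGO_BACKDOOR_PORTS = {113, 3067}   # from the SARC description
LSASS_PORT = 445                      # propagation port (MS04-011 LSASS hole)

# Constructed sample in the shape of `netstat -an` output on a Windows 2000/XP host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING
  TCP    10.1.2.3:139           0.0.0.0:0              LISTENING
  TCP    10.1.2.3:113           10.9.9.9:4412          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample firewall/flow log: one attempted TCP connection per line.
SAMPLE_FLOWS = """\
2004-06-01T18:02:11 src=10.1.2.3 dst=10.1.2.10 dport=445
2004-06-01T18:02:11 src=10.1.2.3 dst=10.1.2.11 dport=445
2004-06-01T18:02:12 src=10.1.2.3 dst=10.1.2.12 dport=445
2004-06-01T18:02:12 src=10.1.2.3 dst=10.1.2.13 dport=445
2004-06-01T18:02:13 src=10.1.2.3 dst=10.1.2.14 dport=445
2004-06-01T18:02:13 src=10.1.2.3 dst=10.1.2.15 dport=445
2004-06-01T18:02:20 src=10.1.2.50 dst=10.1.2.200 dport=445
2004-06-01T18:02:21 src=10.1.2.50 dst=10.1.2.200 dport=445
2004-06-01T18:02:30 src=10.1.2.60 dst=10.1.2.5 dport=80
"""


def parse_netstat(text):
    """Return (proto, local_ip, local_port, state) tuples from netstat -an style text.

    The header line and anything that does not start with TCP/UDP is skipped;
    UDP rows carry no state column, so state becomes "".
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_ip, _, local_port = parts[1].rpartition(":")
        state = parts[3] if len(parts) > 3 else ""
        rows.append((parts[0], local_ip, int(local_port), state))
    return rows


def find_backdoor_activity(text, backdoor_ports=KORGO_BACKDOOR_PORTS):
    """Return sorted (port, state) pairs for TCP sockets bound to a backdoor port.

    A LISTENING socket means the backdoor is open; an ESTABLISHED one means
    someone is already talking to it, which is worth escalating immediately.
    """
    hits = {(port, state) for proto, _ip, port, state in parse_netstat(text)
            if proto == "TCP" and port in backdoor_ports and state}
    return sorted(hits)


def parse_flows(text):
    """Return (src, dst, dport) tuples from the key=value flow log format."""
    records = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        records.append((fields["src"], fields["dst"], int(fields["dport"])))
    return records


def find_445_spreaders(text, min_distinct_targets=5):
    """Return {src: distinct_target_count} for sources that touched at least
    min_distinct_targets different hosts on TCP 445.

    Counting distinct destinations rather than raw connection count keeps a
    workstation that repeatedly reconnects to one file server out of the list.
    """
    targets = defaultdict(set)
    for src, dst, dport in parse_flows(text):
        if dport == LSASS_PORT:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_distinct_targets}


if __name__ == "__main__":
    print("backdoor sockets on host:", find_backdoor_activity(SAMPLE_NETSTAT))
    print("likely 445 spreaders:", find_445_spreaders(SAMPLE_FLOWS))
```

On the sample data the host check reports an open 3067 listener and an established session on 113, and the flow check flags only 10.1.2.3 (six distinct targets), not 10.1.2.50, whose two connections both go to the same server. In practice the two checks complement each other: the host check needs access to the box, the flow check only needs the firewall or switch logs, which is useful when, as in this thread, the infected machines belong to a different team.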