
More on Korgo

OK, this is a massive post. For some reason my malware collector keeps picking up Korgo worm binaries.

None of them will disassemble correctly, as if they are packed/encoded. None of my file analyzers find anything (PEiD, pescan, protection-id, etc.). IDA shows that they are packed with a modified UPX2.

I have not figured out how to unpack it yet.

There are some A/V entries for this worm (it's an LSASS worm):

http://www.f-secure.com/v-descs/korgo.shtml
http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.f.html

If anyone has ideas on how to unpack this, or even a good generic unpacker to donate to the cause, it would be greatly appreciated.

I've attached some disassembly, IDA databases, and other details.

V.
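As an added example (not part of the original post or its attachments), the stdlib-only Python below walks a PE section table and applies two heuristics that do not depend on the `UPX0`/`UPX1` section names or the packer byte signature that tools like PEiD match on, which is exactly what a "modified UPX" build tends to rename or patch: a section with zero raw size but a large virtual size (the region the stub decompresses into) and a section whose raw bytes have Shannon entropy above 7 bits/byte (a compressed or encrypted payload). The two sample images are constructed inline as stand-ins for a renamed-UPX layout and an unpacked control; they are not Korgo bytes, and the thresholds and the `build_sample_image` helper are assumptions chosen for illustration.

```python
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> list:
    """Minimal PE section-table parser: DOS header -> e_lfanew -> COFF header -> section entries."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, off + 8)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "entropy": shannon_entropy(raw)})
    return sections


def packer_indicators(image: bytes, entropy_threshold: float = 7.0) -> list:
    """Packer heuristics that survive renamed sections and a patched stub signature (thresholds are assumptions)."""
    hits = []
    for s in parse_sections(image):
        if s["name"].upper().startswith("UPX"):
            hits.append(f"{s['name']}: stock UPX section name")
        if s["rawsize"] == 0 and s["vsize"] >= 0x1000:
            hits.append(f"{s['name']}: zero raw size, {s['vsize']:#x} bytes virtual (unpack destination)")
        if s["rawsize"] and s["entropy"] > entropy_threshold:
            hits.append(f"{s['name']}: entropy {s['entropy']:.2f} bits/byte (compressed/encrypted payload)")
    return hits


def build_sample_image(packed: bool) -> bytes:
    """Constructed test image (hypothetical, not a real sample).

    packed=True mimics a renamed-UPX layout: an empty '.text' with a big virtual
    size plus a high-entropy '.rdata'.  packed=False is a plain, low-entropy control.
    """
    raw_off = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = b"\0" * 224                                              # optional header, contents irrelevant here
    entry = "<8sIIIIIIHHI"
    if packed:
        payload = b""
        seed = b"constructed-sample"                               # sha256 chain ~ 7.9 bits/byte
        while len(payload) < 0x1000:
            seed = hashlib.sha256(seed).digest()
            payload += seed
        payload = payload[:0x1000]
        secs = struct.pack(entry, b".text", 0x8000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
        secs += struct.pack(entry, b".rdata", 0x1000, 0x9000, 0x1000, raw_off, 0, 0, 0, 0, 0xE0000040)
    else:
        payload = (b"\x55\x8b\xec\x83\xec\x10" * 700)[:0x1000]     # repetitive prologue-like bytes
        secs = struct.pack(entry, b".text", 0x1000, 0x1000, 0x1000, raw_off, 0, 0, 0, 0, 0x60000020)
        secs += struct.pack(entry, b".data", 0x100, 0x2000, 0, 0, 0, 0, 0, 0, 0xC0000040)
    header = dos + coff + opt + secs
    return header.ljust(raw_off, b"\0") + payload


if __name__ == "__main__":
    for label, img in (("renamed-UPX style", build_sample_image(True)),
                       ("unpacked control", build_sample_image(False))):
        print(label, "->", packer_indicators(img) or ["no indicators"])
```

Against a real file, `packer_indicators(open(path, "rb").read())` only tells you a packer is present and which section holds the compressed body; it does not unpack anything. Expect false positives on binaries that legitimately carry compressed or encrypted resources, so treat the entropy rule as a pointer to where to set a breakpoint (the empty, large virtual section is where the original code will land), not as a verdict.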