
More on Korgo

Ok this is a massive post. For some reason my malware collector keeps picking up korgo worm binaries.

None of them will disassemble correctly, as if they are packed/encoded. None of my file analyzers find anything (PEiD, pescan, Protection ID, etc.). IDA shows that they are packed with a modified UPX2.

I have not figured out how to unpack it yet.

There are some A/V entries for this worm (it's an LSASS worm).

If anyone has ideas on how to unpack this, or even a good generic unpacker to donate to the cause, it would be greatly appreciated.

I've attached some disassembly, IDA databases, and other details.
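The post describes the usual failure mode with a modified UPX build: signature-based identifiers (PEiD and friends) key on the stock stub bytes and the "UPX0"/"UPX1" section names, so once those are altered they report nothing, even though the file is still obviously packed to a human reading the section table. The script below is an added example, not part of the original post or its attachments, showing the structural heuristics a triage tool can use instead: it walks the PE section table by hand, computes per-section Shannon entropy, and flags the tell-tale layout (a large virtual-only section with no file data, a high-entropy section, and an entry point inside a writable+executable section). The three PE images it analyzes are constructed in the script as fixtures (a stock-looking UPX layout, the same layout with the section names renamed, and a plain unpacked binary); the entropy threshold of 7.0 and the "two or more indicators" verdict are assumptions chosen for illustration, not values taken from any real tool.

```python
import math
import random
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe):
    """Return (entry_point_rva, [section dicts]) by walking the headers manually."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", pe, opt_off + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, pe, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "chars": chars,
                         "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize])})
    return entry, sections


def packer_indicators(pe, entropy_threshold=7.0):
    """Structural hints of a UPX-style packer that survive renamed sections and a patched stub."""
    entry, sections = parse_pe(pe)
    hits = []
    for s in sections:
        if s["name"].upper().startswith("UPX"):
            hits.append(f"UPX section name: {s['name']}")
        if s["rawsize"] == 0 and s["vsize"] >= 0x1000:
            hits.append(f"virtual-only section {s['name']}: 0x{s['vsize']:x} bytes with no file data (unpack target)")
        if s["rawsize"] and s["entropy"] >= entropy_threshold:
            hits.append(f"high-entropy section {s['name']}: {s['entropy']:.2f} bits/byte")
        wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"]) and s["chars"] & wx == wx:
            hits.append(f"entry point 0x{entry:x} lies in writable+executable section {s['name']}")
    return hits


def is_probably_packed(pe):
    return len(packer_indicators(pe)) >= 2   # assumed verdict rule for this example


def build_sample_pe(sections, entry_rva):
    """Assemble a minimal PE32 from (name, virtual_size, raw_bytes, characteristics) tuples.
    Constructed fixture for the example; sections are laid out at 0x1000 RVA increments."""
    e_lfanew, opt_size, file_align = 0x40, 0xE0, 0x200
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = -(-hdr_end // file_align) * file_align
    first_raw, va = raw_ptr, 0x1000
    headers, body = bytearray(), bytearray()
    for name, vsize, raw, chars in sections:
        headers += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, va, len(raw),
                               raw_ptr if raw else 0, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
        va += -(-max(vsize, len(raw)) // 0x1000) * 0x1000
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    image = bytearray(dos + b"PE\0\0" + coff + opt + headers)
    image += b"\0" * (first_raw - hdr_end)
    return bytes(image + body)


# Constructed section contents: pseudo-random bytes stand in for compressed data.
_rng = random.Random(20040601)
COMPRESSED_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_LIKE = (b"mov eax, ebx ; call printf ; ret " * 130)[:4096]
WX_CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
RSRC = (b"\0" * 0x200, 0x40000040)

# Stock layout: UPX0 empty on disk, UPX1 holds packed image + stub, entry inside UPX1.
STOCK_UPX_SAMPLE = build_sample_pe(
    [(b"UPX0", 0x8000, b"", WX_CODE), (b"UPX1", 0x1000, COMPRESSED_LIKE, WX_CODE),
     (b".rsrc", 0x200, RSRC[0], RSRC[1])], entry_rva=0x9800)
# Same layout with the section names scrubbed, as a modified packer would leave it.
MODIFIED_UPX_SAMPLE = build_sample_pe(
    [(b".text", 0x8000, b"", WX_CODE), (b".data", 0x1000, COMPRESSED_LIKE, WX_CODE),
     (b".rsrc", 0x200, RSRC[0], RSRC[1])], entry_rva=0x9800)
# Unpacked binary: readable code in a non-writable .text, zero-filled .data.
BENIGN_SAMPLE = build_sample_pe(
    [(b".text", 0x1000, PLAIN_LIKE, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
     (b".data", 0x1000, b"\0" * 0x1000, 0xC0000040)], entry_rva=0x1100)

if __name__ == "__main__":
    for label, sample in [("stock UPX", STOCK_UPX_SAMPLE), ("renamed UPX", MODIFIED_UPX_SAMPLE),
                          ("unpacked", BENIGN_SAMPLE)]:
        print(f"{label}: packed={is_probably_packed(sample)}")
        for hit in packer_indicators(sample):
            print("   ", hit)
```

The renamed sample is the instructive one: every "UPX" name hit disappears, which is all a name-based identifier ever looks at, yet the empty first section, the near-8-bit entropy of the second, and the entry point sitting in a writable code section remain. Those same three properties are what to look for in the section table of the attached binaries before deciding which unpacking route to try; an unmodified stub tends to keep them even when the identifying bytes have been patched out.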